Skip to content

chore(deps): update step-security/harden-runner digest to 9ff9d14 #529

chore(deps): update step-security/harden-runner digest to 9ff9d14

chore(deps): update step-security/harden-runner digest to 9ff9d14 #529

Workflow file for this run

name: Terraform
on: [push]
jobs:
# -- TESTS ------------------------------------------------------------------
tests:
name: Tests
runs-on: ubuntu-latest
env:
TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
TF_VAR_compartment_ocid: ${{secrets.OCI_COMPARTMENT_OCID}}
TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
TF_VAR_region: ${{secrets.OCI_REGION}}
TF_VAR_cf_account_id: ${{secrets.CLOUDFLARE_ACCOUNT_ID}}
CLOUDFLARE_API_TOKEN: ${{secrets.CLOUDFLARE_API_TOKEN}}
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@9ff9d14760a73102d9fa2f47131624137f50ead8
with:
egress-policy: block
allowed-endpoints: >
checkpoint-api.hashicorp.com:443
registry.terraform.io:443
github.com:443
iaas.uk-london-1.oraclecloud.com:443
identity.uk-london-1.oci.oraclecloud.com:443
objects.githubusercontent.com:443
releases.hashicorp.com:443
api.cloudflare.com:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Setup Terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
- name: Terraform Format
id: fmt
run: terraform fmt -check
working-directory: ./terraform
continue-on-error: true
- name: Terraform Init
id: init
working-directory: ./terraform
run: terraform init -upgrade
- name: Terraform Plan
id: plan
working-directory: ./terraform
run: terraform plan
# -- SAST SCAN --------------------------------------------------------------
code-security:
name: Code Security
runs-on: ubuntu-latest
needs: tests
# Skip any PR created by dependabot to avoid permission issues
if: (github.actor != 'dependabot[bot]')
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@9ff9d14760a73102d9fa2f47131624137f50ead8
with:
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
pipelines.actions.githubusercontent.com:443
pypi.org:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Perform Scan
uses: ShiftLeftSecurity/scan-action@master
env:
WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SCAN_ANNOTATE_PR: true
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: reports
path: reports
# -- DOCUMENTATION ----------------------------------------------------------
documentation:
name: Documentation
runs-on: ubuntu-latest
needs: tests
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@9ff9d14760a73102d9fa2f47131624137f50ead8
with:
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
- name: Terraform Docs
uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
with:
working-dir: ./terraform
output-file: USAGE.md
output-method: inject
git-push: "true"
git-commit-message: "chore(docs): update Terraform docs"
# -- RELEASE ----------------------------------------------------------------
release:
name: Release
runs-on: ubuntu-latest
needs:
- tests
- code-security
- documentation
if: github.ref == 'refs/heads/main'
steps:
- name: Harden GitHub Actions Runner
uses: step-security/harden-runner@9ff9d14760a73102d9fa2f47131624137f50ead8
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
persist-credentials: false
- name: Semantic Release
uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}