chore(deps): update step-security/harden-runner digest to 3d32f8d #541
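---
name: Terraform

# Runs on every push from this repository (push events from forks never carry
# repository secrets). Only the `documentation` and `release` jobs write back
# to the repository, and both are gated to `main` below.
on: [push] # yamllint disable-line rule:truthy

# Least-privilege default for GITHUB_TOKEN. Jobs that must write escalate
# explicitly. A missing scope fails the job rather than silently degrading, so
# confirm the per-job scopes against each action's documentation on first run.
permissions:
  contents: read

jobs:
  # -- TESTS ------------------------------------------------------------------
  tests:
    name: Tests
    runs-on: ubuntu-latest
    steps:
      # Egress allow-list: traffic to anything not listed is dropped, which
      # bounds where the provider credentials used below could be sent.
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@3d32f8d8b29ef98868a6dc8d0cea43bfbca531f5
        with:
          egress-policy: block
          allowed-endpoints: >
            checkpoint-api.hashicorp.com:443
            registry.terraform.io:443
            github.com:443
            iaas.uk-london-1.oraclecloud.com:443
            identity.uk-london-1.oci.oraclecloud.com:443
            objects.githubusercontent.com:443
            releases.hashicorp.com:443
            api.cloudflare.com:443
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
      - name: Terraform Format
        id: fmt
        run: terraform fmt -check
        working-directory: ./terraform
        # Formatting drift is reported in the log but does not fail the run.
        continue-on-error: true
      - name: Terraform Init
        id: init
        working-directory: ./terraform
        # NOTE(review): `-upgrade` selects the newest provider/module versions
        # the constraints allow and ignores the selections in
        # .terraform.lock.hcl, so this job may not exercise the pinned
        # providers. If the lock file is committed, consider dropping it.
        run: terraform init -upgrade
        # Provider credentials are scoped to the two steps that invoke
        # Terraform against the providers, rather than set job-wide where every
        # preceding action would also see them. Duplicated on `plan` below
        # because GitHub Actions YAML has no anchors.
        env:
          TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
          TF_VAR_compartment_ocid: ${{secrets.OCI_COMPARTMENT_OCID}}
          TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
          TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
          TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
          TF_VAR_region: ${{secrets.OCI_REGION}}
          TF_VAR_cf_account_id: ${{secrets.CLOUDFLARE_ACCOUNT_ID}}
          CLOUDFLARE_API_TOKEN: ${{secrets.CLOUDFLARE_API_TOKEN}}
      - name: Terraform Plan
        id: plan
        working-directory: ./terraform
        run: terraform plan
        env:
          TF_VAR_tenancy_ocid: ${{secrets.OCI_TENANCY_OCID}}
          TF_VAR_compartment_ocid: ${{secrets.OCI_COMPARTMENT_OCID}}
          TF_VAR_user_ocid: ${{secrets.OCI_USER_OCID}}
          TF_VAR_fingerprint: ${{secrets.OCI_FINGERPRINT}}
          TF_VAR_private_key: ${{secrets.OCI_PRIVATE_KEY}}
          TF_VAR_region: ${{secrets.OCI_REGION}}
          TF_VAR_cf_account_id: ${{secrets.CLOUDFLARE_ACCOUNT_ID}}
          CLOUDFLARE_API_TOKEN: ${{secrets.CLOUDFLARE_API_TOKEN}}

  # -- SAST SCAN --------------------------------------------------------------
  code-security:
    name: Code Security
    runs-on: ubuntu-latest
    needs: tests
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    permissions:
      contents: read
      # Presumably required for SCAN_ANNOTATE_PR below (check-run annotations
      # and PR comments); trim if the scanner turns out to only read.
      checks: write
      pull-requests: write
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@3d32f8d8b29ef98868a6dc8d0cea43bfbca531f5
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            pipelines.actions.githubusercontent.com:443
            pypi.org:443
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: Perform Scan
        # NOTE(review): the only action in this workflow not pinned to a commit
        # SHA. `@master` is a mutable ref, so the code that runs here -- with
        # GITHUB_TOKEN in its environment -- can change without any change to
        # this repository. Pin it to a full commit SHA like the other actions.
        uses: ShiftLeftSecurity/scan-action@master
        env:
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_ANNOTATE_PR: true
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: reports
          path: reports

  # -- DOCUMENTATION ----------------------------------------------------------
  documentation:
    name: Documentation
    runs-on: ubuntu-latest
    needs: tests
    # This job commits to `main` (git-push below), so only run it for pushes
    # to `main`. It checks out `main` regardless of the pushed branch, so on
    # other branches it would only regenerate docs from an unchanged tree.
    # `release` depends on this job and is gated the same way, so the release
    # path is unaffected.
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: write # terraform-docs pushes USAGE.md back to main
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@3d32f8d8b29ef98868a6dc8d0cea43bfbca531f5
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
          # persist-credentials is left at its default here on purpose: the
          # git-push below relies on the token checkout leaves in .git/config.
      - name: Terraform Docs
        uses: terraform-docs/gh-actions@e47bfa196e79fa50987ef391be236d9d97b0c786 # v1.2.0
        with:
          working-dir: ./terraform
          output-file: USAGE.md
          output-method: inject
          git-push: "true"
          git-commit-message: "chore(docs): update Terraform docs"

  # -- RELEASE ----------------------------------------------------------------
  release:
    name: Release
    runs-on: ubuntu-latest
    needs:
      - tests
      - code-security
      - documentation
    if: github.ref == 'refs/heads/main'
    permissions:
      # semantic-release's GitHub plugin creates releases/tags and comments on
      # the issues and PRs it resolves; drop issues/pull-requests if that
      # plugin is not configured.
      contents: write
      issues: write
      pull-requests: write
    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@3d32f8d8b29ef98868a6dc8d0cea43bfbca531f5
        with:
          # NOTE(review): `audit` only logs egress, it does not enforce. This is
          # the one job holding a release-capable token, so it is the job most
          # worth moving to `block`; use the audit output from a few runs to
          # build the allow-list (github.com:443 and api.github.com:443 at
          # least, plus whatever registry the action installs
          # semantic-release from).
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: 'main' # Force checkout of main branch to avoid caching from previous jobs
          # Do not leave GITHUB_TOKEN in .git/config; semantic-release gets it
          # through `env` on the next step instead.
          persist-credentials: false
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}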