Skip to content

Add write-all permissions to Build tests job #42

Add write-all permissions to Build tests job

Add write-all permissions to Build tests job #42

Workflow file for this run

name: build
on:
push:
branches:
- main
tags:
- v*
pull_request:
branches:
- main
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
AGW_ARTIFACT_NAME: agw-pep-custom-names-tf-modules
jobs:
tfsec:
name: Run TFsec
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Terraform security scan
uses: triat/terraform-security-scan@v3.1.0
with:
tfsec_exclude: azure-keyvault-no-purge,azure-storage-queue-services-logging-enabled,azure-storage-allow-microsoft-service-bypass,azure-network-no-public-egress,azure-network-no-public-ingress,azure-network-disable-rdp-from-internet,azure-network-ssh-blocked-from-internet,azure-database-postgres-configuration-log-connections,azure-database-postgres-configuration-connection-throttling,azure-database-no-public-access,azure-database-postgres-configuration-log-checkpoints,azure-database-secure-tls-policy,azure-database-enable-audit
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
docs:
name: Run Terraform-docs
runs-on: ubuntu-latest
needs: tfsec
permissions: write-all
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Render terraform docs inside the TERRAFORM.md
uses: terraform-docs/gh-actions@v1.0.0
with:
working-dir: .
output-file: TERRAFORM.md
output-method: inject
recursive: "true"
recursive-path: "modules"
git-push: "true"
build-tests:
name: Build tests
runs-on: ubuntu-latest
needs: tfsec
permissions: write-all
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup .NET Core
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Setup MinVer
run: |
dotnet tool install --global minver-cli --version 4.2.0
- name: Calculate Version
run: |
echo "MINVERVERSIONOVERRIDE=$($HOME/.dotnet/tools/minver -t v. -m 1.0 -d preview)" >> $GITHUB_ENV
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v3
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Lower case REPO
run: |
echo "GITHUB_REPOSITORY_LOWER_CASE=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
- name: Build and push Docker image
uses: docker/build-push-action@v3
with:
context: .
file: ./tests/Dockerfile
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ env.REGISTRY }}/${{ env.GITHUB_REPOSITORY_LOWER_CASE }}/agw-pep-custom-names:${{ env.MINVERVERSIONOVERRIDE }}
labels: ${{ steps.meta.outputs.labels }}
artifacts:
name: Create artifacts
runs-on: ubuntu-latest
needs: docs
permissions: write-all
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup .NET Core
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Setup MinVer
run: |
dotnet tool install --global minver-cli --version 4.2.0
- name: Calculate Version
run: |
echo "MINVERVERSIONOVERRIDE=$($HOME/.dotnet/tools/minver -t v. -m 1.0 -d preview)" >> $GITHUB_ENV
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ env.AGW_ARTIFACT_NAME }}
path: |
./modules/
./*.tf
./*.md
release:
name: Create Release
needs: artifacts
if: github.event_name != 'pull_request' && startswith(github.ref, 'refs/tags/v')
runs-on: ubuntu-latest
permissions: write-all
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: release
uses: actions/create-release@v1
id: create_release
with:
tag_name: ${{ github.ref }}
release_name: ${{ env.MINVERVERSIONOVERRIDE }}
body: ${{ steps.changelog.outputs.clean_changelog }}
draft: false
prerelease: false
env:
GITHUB_TOKEN: ${{ github.token }}
publish:
name: Publish binaries
needs: release
permissions: write-all
if: github.event_name != 'pull_request' && startswith(github.ref, 'refs/tags/v')
env:
ARTIFACT_DIR: ${{ github.workspace }}/release
PROJECT_NAME: agw-pep-custom-names
runs-on: ubuntu-latest
steps:
- name: download artifacts - ${{ env.AGW_ARTIFACT_NAME }}
uses: actions/download-artifact@v3
with:
name: ${{ env.AGW_ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_DIR }}/${{ env.AGW_ARTIFACT_NAME }}
- name: Creating Zip
run: zip -r ${{ env.AGW_ARTIFACT_NAME }}.zip ${{ env.ARTIFACT_DIR }}/${{ env.AGW_ARTIFACT_NAME }}/*
- name: upload artifacts
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ needs.release.outputs.upload_url }}
asset_path: ${{ env.AGW_ARTIFACT_NAME }}.zip
asset_name: ${{ env.AGW_ARTIFACT_NAME }}.zip
asset_content_type: application/octet-stream