Improve CI security.
RomainMou committed Feb 5, 2025
1 parent 51daa14 commit 30fe488
Showing 4 changed files with 44 additions and 3 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/dev_closed.yml
Expand Up @@ -12,6 +12,8 @@ concurrency:
env:
app: platform

permissions: {}

jobs:
remove_app_and_deploy:
runs-on: [self-hosted, common]
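Review bot: With `permissions: {}` now set at the workflow level, the `remove_app_and_deploy` job is the only job touched by this commit that declares no job-level `permissions:` of its own, so its GITHUB_TOKEN ends up with no scopes at all. If any of its steps checks out this repository or calls the GitHub API, that will now fail with a 403; the sibling workflows in this commit give every such job `permissions:` / `  contents: read`, and this job should get the same minimal grant if it needs it. The job body continues outside the hunk, so whether a checkout is present cannot be confirmed from here.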
12 changes: 12 additions & 0 deletions .github/workflows/dev_opened_or_updated.yml
Expand Up @@ -11,13 +11,18 @@ concurrency:
env:
app: platform

permissions: {}

jobs:
build-and-push:
permissions:
contents: read
runs-on: [self-hosted, common]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
persist-credentials: false
- name: Login to BIMData Docker Registry
uses: docker/login-action@v3
with:
Expand All @@ -40,6 +45,8 @@ jobs:
docker-registry.bimdata.io/bimdata/${{ env.app }}:${{ steps.branch.outputs.name }}
e2e-tests:
permissions:
contents: read
runs-on: [self-hosted, testendtoend]
if: ${{ !contains(github.event.pull_request.body , '[ ] I want to run the tests for the commits of this PR') }}
needs: build-and-push
Expand All @@ -49,6 +56,7 @@ jobs:
repository: bimdata/bimdata-test
ref: master
token: ${{ secrets.REPOS_TOKEN }}
persist-credentials: false
- name: Define branch_name var
id: branch
run: |
Expand All @@ -64,12 +72,16 @@ jobs:
cypress_version: 13.1.0

deploy:
permissions:
contents: read
pull-requests: write # Needed for PR title updates
runs-on: [self-hosted, common]
needs: build-and-push
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
persist-credentials: false
- name: Login to BIMData Docker Registry
uses: docker/login-action@v3
with:
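Review bot: The `Define branch_name var` step's `run: |` body is cut off at L62, and it is the one place in this workflow where a pull_request-controlled value (`github.head_ref` or the PR title/body) is most likely interpolated directly into shell; viewer-update.yml in this same commit moves such `${{ }}` expressions into `env:` to avoid script injection, and this step should follow the same pattern, e.g. `env:` / `  BRANCH_REF: ${{ github.head_ref }}` with `${BRANCH_REF}` in the script. Its output `steps.branch.outputs.name` also becomes an image tag (L48), so the script should validate or sanitise the name rather than pass it through. The step body runs past the hunk, so this is inferred from the step name and the tag usage, not seen.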
15 changes: 15 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -12,13 +12,18 @@ env:
app: platform
GITHUB_TOKEN: ${{ secrets.REPOS_TOKEN }}

permissions: {}

jobs:
build-and-push:
permissions:
contents: read
runs-on: [self-hosted, common]
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
persist-credentials: false
- name: Login to BIMData Docker Registry
uses: docker/login-action@v3
with:
Expand All @@ -44,13 +49,16 @@ jobs:
docker-registry.bimdata.io/bimdata/${{ env.app }}:${{ env.tag }}
unit-tests:
permissions:
contents: read
runs-on: [self-hosted, common]
needs: build-and-push
if: ${{ !contains(github.event.head_commit.message, '[skip unit]') }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
persist-credentials: false
- uses: actions/setup-node@v4
with:
node-version: "20"
Expand All @@ -70,6 +78,7 @@ jobs:
repository: bimdata/bimdata-test
ref: master
token: ${{ secrets.REPOS_TOKEN }}
persist-credentials: false
- id: tag
name: Get docker tag
uses: bimdata/actions/get-docker-tag@v2
Expand Down Expand Up @@ -107,11 +116,17 @@ jobs:
vault-pass: ${{ secrets.ANSIBLE_VAULT_PASSWD }}

release:
permissions:
contents: write # Required for creating tag / release
pull-requests: write # Required to add the comment on the PR to tell it's in the releases
issues: write # Required to add a comment to an issue fixed in a release
runs-on: [self-hosted, common]
needs: build-and-push
if: ${{ github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-node@v4
with:
node-version: "20"
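Review bot: The workflow-level `env:` still exports `GITHUB_TOKEN: ${{ secrets.REPOS_TOKEN }}` (L85) to every step of every job, so the new `permissions: {}`, the per-job `contents: read` grants and `persist-credentials: false` do not actually bound what `build-and-push`, `unit-tests` or `e2e-tests` can do against GitHub: any third-party action or package script run there (presumably `npm` after `actions/setup-node` in `unit-tests`) can read the PAT from the environment. Move that variable to the `release` job's `env:` (or the specific release step), which is the only job whose `permissions:` comment says it needs write access. Separately, a commit titled "Improve CI security" that keeps `actions/checkout@v4`, `actions/setup-node@v4`, `docker/login-action@v3` and `bimdata/actions/get-docker-tag@v2` pinned to mutable tags leaves the supply-chain side open; pinning to full commit SHAs (with Dependabot to bump them) is the usual companion to these permission changes.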
18 changes: 15 additions & 3 deletions .github/workflows/viewer-update.yml
Expand Up @@ -7,33 +7,43 @@ on:
env:
app: platform

permissions: {}

jobs:
viewer-update:
permissions:
contents: write # Required for committing changes
runs-on: [self-hosted, common]
if: contains('refs/heads/develop', github.event.client_payload.ref)
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.REPOS_TOKEN }}
# Needed for EndBug/add-and-commit
persist-credentials: true
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Wait for npm package
id: viewer-install
timeout-minutes: 2
run: |
while ! npm install @bimdata/viewer@${{ github.event.client_payload.viewer-version }} --save-exact; do
while ! npm install @bimdata/viewer@${VIEWER_VERSION} --save-exact; do
sleep 5
done
GITDIFF=$(git diff -- package-lock.json | tr '\n' ' ')
echo "gitdiff=$GITDIFF" >> $GITHUB_OUTPUT
env:
VIEWER_VERSION: ${{ github.event.client_payload.viewer-version }}
- name: Commit diff
if: steps.viewer-install.outputs.gitdiff
uses: EndBug/add-and-commit@v9
with:
add: "package-lock.json package.json"
message: "chore: bump @bimdata/viewer@${{ github.event.client_payload.viewer-version }} from Github Actions [skip e2e]"
viewer-stable-update:
permissions:
contents: write # Required for committing changes
runs-on: [self-hosted, common]
if: contains('
refs/heads/master
Expand All @@ -43,19 +53,21 @@ jobs:
- uses: actions/checkout@v4
with:
ref: release
token: ${{ secrets.REPOS_TOKEN }}
persist-credentials: false
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Wait for npm package
id: viewer-install
timeout-minutes: 2
run: |
while ! npm install @bimdata/viewer@${{ github.event.client_payload.viewer-version }} --save-exact; do
while ! npm install @bimdata/viewer@${VIEWER_VERSION} --save-exact; do
sleep 5
done
GITDIFF=$(git diff -- package-lock.json | tr '\n' ' ')
echo "gitdiff=$GITDIFF" >> $GITHUB_OUTPUT
env:
VIEWER_VERSION: ${{ github.event.client_payload.viewer-version }}
- name: Commit diff
if: steps.viewer-install.outputs.gitdiff
uses: EndBug/add-and-commit@v9
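Review bot: In `viewer-stable-update` the checkout loses `token: ${{ secrets.REPOS_TOKEN }}` and gets `persist-credentials: false`, yet the job keeps `contents: write` and still ends in `EndBug/add-and-commit@v9` (L215), which pushes with whatever credentials the checkout left in `.git/config`; unless that step receives a token in the inputs cut off below L215, the push will run with no credentials at all. This is also inconsistent with `viewer-update`, which keeps `persist-credentials: true` with the comment `# Needed for EndBug/add-and-commit`; either mirror that job or pass the token to the commit step explicitly. Since `EndBug/add-and-commit` is a third-party action running with write access to the repository, it should be pinned to a full commit SHA rather than `@v9`. Finally, the gate `if: contains('refs/heads/develop', github.event.client_payload.ref)` (L158) matches any substring of the literal, including an empty or missing `ref` in the `repository_dispatch` payload; an equality check such as `if: github.event.client_payload.ref == 'refs/heads/develop'` is the intended test.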
