autobump-security-config #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: autobump-security-config | |
on: | |
schedule: | |
- cron: 0 8 * * * | |
push: | |
branches: | |
- main | |
paths: | |
- '**/*.md' | |
- '**/*.yml' | |
- '**/*.yaml' | |
- '**/*.tf' | |
- '**/*.tfvars' | |
env: | |
AUTOBUMP_CONFIG_PATH: configs/autobump-config/test-infra-sec-config-autobump-config.yaml | |
SEC_SCANNERS_CONFIG_PATH: sec-scanners-config.yaml | |
TERRAFORM_CONFIGS_DIR: configs/terraform | |
jobs: | |
autobump: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write # This is required for requesting the JWT token | |
contents: read # This is required for actions/checkout | |
concurrency: | |
# Prevent merge conflicts on pushing to fork repo between different runs. | |
# Image detector will update already existing PR with new changes, to keep clean history it's preferd to do it one by one. | |
group: post-test-infra-image-detector-autobump | |
cancel-in-progress: false | |
steps: | |
- uses: actions/checkout@v4 | |
# Setup git config with commiter data from config | |
# Prevent silent passing github token | |
# see https://stackoverflow.com/a/69979203/23148781 | |
- name: Setup git config | |
run: | | |
GIT_USERNAME=$(grep "gitName" ${{ env.AUTOBUMP_CONFIG_PATH }} | cut -d '"' -f 2) | |
GIT_EMAIL=$(grep "gitEmail" ${{ env.AUTOBUMP_CONFIG_PATH }} | cut -d '"' -f 2) | |
git config user.name $GIT_USERNAME | |
git config user.email $GIT_EMAIL | |
git config --unset-all http.https://github.com/.extraheader | |
- name: Authenticate in GCP | |
id: 'auth' | |
uses: 'google-github-actions/auth@v2' | |
with: | |
project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }} | |
workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }} | |
- name: Get kyma bot token from Secret Manager | |
id: 'secrets' | |
uses: 'google-github-actions/get-secretmanager-secrets@v2' | |
with: | |
secrets: |- | |
kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }} | |
- name: Store Github Token for autobumper | |
run: | | |
echo ${{ steps.secrets.outputs.kyma-autobump-token }} > ~/token | |
- name: Find images to scan | |
run: | | |
docker run \ | |
-v ~/token:/etc/github/token:ro \ | |
-v ${{ github.workspace }}:/github/workspace \ | |
--workdir /github/workspace \ | |
--rm \ | |
--privileged \ | |
--cap-drop ALL \ | |
europe-docker.pkg.dev/kyma-project/prod/image-detector:v20241025-cea435c9 \ | |
--terraform-dir=${{ env.TERRAFORM_CONFIGS_DIR }} \ | |
--sec-scanner-config=${{ env.SEC_SCANNERS_CONFIG_PATH }} \ | |
--autobump-config=${{ env.AUTOBUMP_CONFIG_PATH }} |