security: add escape to arbitrary file access #15742
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Core CI Tests | |
on: | |
pull_request: | |
paths-ignore: | |
- 'README.md' | |
- 'CHANGELOG.md' | |
- '.changelog/**' | |
- '.tours/**' | |
- 'contributing/**' | |
- 'demo/**' | |
- 'dev/**' | |
- 'e2e/terraform/**' | |
- 'e2e/ui/**' | |
- 'integrations/**' | |
- 'pkg/**' | |
- 'scripts/**' | |
- 'terraform/**' | |
- 'ui/**' | |
- 'website/**' | |
push: | |
branches: | |
- main | |
- release/** | |
paths-ignore: | |
- 'README.md' | |
- 'CHANGELOG.md' | |
- '.changelog/**' | |
- '.tours/**' | |
- 'contributing/**' | |
- 'demo/**' | |
- 'dev/**' | |
- 'e2e/terraform/**' | |
- 'e2e/ui/**' | |
- 'integrations/**' | |
- 'pkg/**' | |
- 'scripts/**' | |
- 'terraform/**' | |
- 'ui/**' | |
- 'website/**' | |
env: | |
VERBOSE: 1 | |
GOTESTARCH: amd64 | |
CONSUL_VERSION: 1.14.4 | |
VAULT_VERSION: 1.12.2 | |
NOMAD_SLOW_TEST: 0 | |
NOMAD_TEST_LOG_LEVEL: OFF | |
jobs: | |
# this caches dependencies for subsequent jobs, including private deps in enterprise | |
mods: | |
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-22.04' }} | |
timeout-minutes: 10 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: ./.github/actions/vault-secrets | |
with: | |
paths: |- | |
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ; | |
- name: Git config token | |
if: endsWith(github.repository, '-enterprise') | |
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com' | |
- uses: hashicorp/setup-golang@v3 | |
- name: Get Go modules | |
run: | | |
make bootstrap | |
make tidy | |
checks: | |
uses: ./.github/workflows/checks.yaml | |
needs: [mods] | |
compile: | |
needs: [mods, checks] | |
strategy: | |
fail-fast: false | |
matrix: | |
os: [ubuntu-22.04, macos-14, windows-2019] | |
runs-on: ${{matrix.os}} | |
timeout-minutes: 20 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: hashicorp/setup-golang@v3 | |
- name: Run make dev | |
run: | | |
make bootstrap | |
make dev | |
tests-api: | |
needs: [mods] | |
runs-on: custom-linux-xl-nomad-22.04 | |
timeout-minutes: 8 | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: hashicorp/setup-golang@v3 | |
- name: Run API tests | |
env: | |
GOTEST_MOD: api | |
run: | | |
make bootstrap | |
make generate-all | |
sudo sed -i 's!Defaults!#Defaults!g' /etc/sudoers | |
sudo -E env "PATH=$PATH" make test-nomad-module | |
tests-groups: | |
needs: [mods] | |
runs-on: ubuntu-22.04 | |
timeout-minutes: 30 | |
strategy: | |
fail-fast: false | |
matrix: | |
groups: | |
- nomad | |
- client | |
- command | |
- drivers | |
- quick | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: hashicorp/setup-golang@v3 | |
- name: Run Matrix Tests | |
env: | |
GOTEST_GROUP: ${{matrix.groups}} | |
run: | | |
make bootstrap | |
make generate-all | |
make dev | |
hc-install install -version ${{env.VAULT_VERSION}} -path ${{env.GOBIN}} vault | |
hc-install install -version ${{env.CONSUL_VERSION}} -path ${{env.GOBIN}} consul | |
sudo sed -i 's!Defaults!#Defaults!g' /etc/sudoers | |
sudo -E env "PATH=$PATH" make test-nomad | |
permissions: | |
contents: read | |
id-token: write |