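# Runs the image-detector nightly and on pushes to main, letting it open or
# update a PR that bumps image references in the security-scanner config and
# the Terraform configs.
#
# NOTE(review): the third-party actions below are pinned to a major tag only
# (@v4, @v2) and the image-detector image to a date tag. Pinning actions to a
# full commit SHA and the image to its @sha256 digest would make a moved tag
# or re-pushed image detectable; the digests must come from the registry, not
# from this file.
name: autobump-security-config

on:
  schedule:
    - cron: '0 8 * * *'
  push:
    branches:
      - main
    paths:
      - '**/*.md'
      - '**/*.yml'
      - '**/*.yaml'
      - '**/*.tf'
      - '**/*.tfvars'

env:
  AUTOBUMP_CONFIG_PATH: configs/autobump-config/test-infra-sec-config-autobump-config.yaml
  SEC_SCANNERS_CONFIG_PATH: sec-scanners-config.yaml
  TERRAFORM_CONFIGS_DIR: configs/terraform

jobs:
  autobump:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # required to request the OIDC JWT used by google-github-actions/auth
      contents: read  # required for actions/checkout
    concurrency:
      # Prevent merge conflicts on pushing to the fork repo between different runs.
      # The image detector updates an already existing PR with new changes; to keep
      # a clean history it is preferred to do it one run at a time.
      group: post-test-infra-image-detector-autobump
      cancel-in-progress: false
    steps:
      - uses: actions/checkout@v4
      # Set up git config with committer data from the autobump config.
      # The credential header persisted by actions/checkout is removed so the
      # workflow's GITHUB_TOKEN is not silently used for pushes
      # (see https://stackoverflow.com/a/69979203/23148781).
      - name: Setup git config
        run: |
          GIT_USERNAME=$(grep "gitName" "$AUTOBUMP_CONFIG_PATH" | cut -d '"' -f 2)
          GIT_EMAIL=$(grep "gitEmail" "$AUTOBUMP_CONFIG_PATH" | cut -d '"' -f 2)
          # Quoted: a committer name containing a space would otherwise be split
          # into an extra `git config` argument.
          git config user.name "$GIT_USERNAME"
          git config user.email "$GIT_EMAIL"
          git config --unset-all http.https://github.com/.extraheader
      - name: Authenticate in GCP
        id: auth
        uses: google-github-actions/auth@v2
        with:
          project_id: ${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}
          workload_identity_provider: ${{ vars.GH_COM_KYMA_PROJECT_GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER }}
      - name: Get kyma bot token from Secret Manager
        id: secrets
        uses: google-github-actions/get-secretmanager-secrets@v2
        with:
          secrets: |-
            kyma-autobump-token:${{ vars.GCP_KYMA_PROJECT_PROJECT_ID }}/${{ vars.KYMA_AUTOBUMP_BOT_GITHUB_SECRET_NAME }}
      - name: Store Github Token for autobumper
        # The token is handed to the shell through the environment instead of being
        # interpolated into the script text, so it is never part of the rendered
        # command, and it is quoted so word splitting/globbing cannot alter it.
        # printf '%s\n' writes the same bytes (token + newline) that the previous
        # `echo` did.
        # NOTE(review): the file is created with the runner's default umask; whether
        # it can be tightened to 0600 depends on the uid the image-detector runs
        # as inside the container — confirm before changing.
        env:
          KYMA_AUTOBUMP_TOKEN: ${{ steps.secrets.outputs.kyma-autobump-token }}
        run: |
          printf '%s\n' "$KYMA_AUTOBUMP_TOKEN" > ~/token
      - name: Find images to scan
        # NOTE(review): --privileged grants the container every capability and
        # disables the default seccomp/AppArmor confinement, which appears to make
        # the following --cap-drop ALL ineffective. If the image-detector does not
        # need privileged access, drop the flag; if it does, document why here.
        run: |
          docker run \
            -v ~/token:/etc/github/token:ro \
            -v "$GITHUB_WORKSPACE":/github/workspace \
            --workdir /github/workspace \
            --rm \
            --privileged \
            --cap-drop ALL \
            europe-docker.pkg.dev/kyma-project/prod/image-detector:v20250120-7cbeb783 \
            --terraform-dir="$TERRAFORM_CONFIGS_DIR" \
            --sec-scanner-config="$SEC_SCANNERS_CONFIG_PATH" \
            --autobump-config="$AUTOBUMP_CONFIG_PATH"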