[CI] Adjust Harden Runner step in CI workflow #1729
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous Integration | |
| on: | |
| workflow_dispatch: null | |
| push: | |
| branches: | |
| - main | |
| pull_request_target: null | |
| permissions: | |
| contents: read | |
| pull-requests: read | |
| actions: read | |
| concurrency: | |
| group: ci-${{ github.event.pull_request.number || github.ref_name }} | |
| cancel-in-progress: true | |
| jobs: | |
| changes: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| paths: ${{ steps.filter.outputs.changes }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| *.microsoft.com:443 | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 | |
| id: filter | |
| with: | |
| base: ${{ github.ref }} | |
| filters: .github/filters.yml | |
| codecov: | |
| runs-on: ubuntu-latest | |
| environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'prod-external' || 'prod' }} | |
| needs: changes | |
| if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| golang.org:443 | |
| proxy.golang.org:443 | |
| sum.golang.org:443 | |
| *.githubusercontent.com:443 | |
| storage.googleapis.com:443 | |
| cli.codecov.io:443 | |
| api.codecov.io:443 | |
| ingest.codecov.io:443 | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| - name: Test | |
| run: make test | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | |
| with: | |
| files: ./coverage.out | |
| verbose: true | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| slug: linode/linode-cloud-controller-manager | |
| e2e-tests: | |
| runs-on: ubuntu-latest | |
| environment: ${{ (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) && 'prod-external' || 'prod' }} | |
| needs: changes | |
| if: ${{ contains(fromJSON(needs.changes.outputs.paths), 'src') }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.github_token }} | |
| LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }} | |
| IMG: linode/linode-cloud-controller-manager:${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && 'latest' || format('pr-{0}', github.event.pull_request.number) || github.ref_name }} | |
| LINODE_REGION: us-lax | |
| LINODE_CONTROL_PLANE_MACHINE_TYPE: g6-standard-2 | |
| LINODE_MACHINE_TYPE: g6-standard-2 | |
| WORKER_NODES: '2' | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Set up Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| check-latest: true | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Install devbox | |
| uses: jetify-com/devbox-install-action@8c6a66ed6273138b1915457069de78cb52fe3bd7 # v0.15.0 | |
| - name: Setup CAPL Management Kind Cluster and CAPL Child Cluster For Testing | |
| run: devbox run mgmt-and-capl-cluster | |
| - name: Run E2E Tests | |
| run: devbox run e2e-test | |
| - name: Run Cilium BGP e2e test | |
| run: devbox run e2e-test-bgp | |
| - name: Run subnet filtering test | |
| run: devbox run e2e-test-subnet | |
| - name: Cleanup Resources | |
| if: always() | |
| run: devbox run cleanup-cluster |