security: a more comprehensive env.denylist #7942
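name: test-e2e

# End-to-end / compatibility tests against Vault and Consul.
# The enterprise flavour of the repository (name ends in "-enterprise")
# pulls an elevated GitHub token from Vault via OIDC so that private
# module dependencies can be fetched; the OSS flavour skips those steps.
on:
  pull_request:
    paths-ignore:
      - 'README.md'
      - 'CHANGELOG.md'
      - '.changelog/**'
      - '.tours/**'
      - 'contributing/**'
      - 'demo/**'
      - 'dev/**'
      - 'integrations/**'
      - 'pkg/**'
      - 'scripts/**'
      - 'terraform/**'
      - 'ui/**'
      - 'website/**'
  push:
    branches:
      - 'main'
      - 'release/**'
    paths-ignore:
      - 'README.md'
      - 'CHANGELOG.md'
      - '.changelog/**'
      - '.tours/**'
      - 'contributing/**'
      - 'demo/**'
      - 'dev/**'
      - 'integrations/**'
      - 'pkg/**'
      - 'scripts/**'
      - 'terraform/**'
      - 'ui/**'
      - 'website/**'

jobs:
  test-e2e-vault:
    # Enterprise runs on the self-hosted pool; OSS uses a hosted runner.
    runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Retrieve Vault-hosted Secrets
        if: endsWith(github.repository, '-enterprise')
        id: vault
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        with:
          url: ${{ vars.CI_VAULT_URL }}
          method: ${{ vars.CI_VAULT_METHOD }}
          path: ${{ vars.CI_VAULT_PATH }}
          jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
          # The fetched value is exported to later steps as ELEVATED_GITHUB_TOKEN.
          secrets: |-
            kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
      - name: Git config token
        if: endsWith(github.repository, '-enterprise')
        # Read the token from the process environment rather than expanding
        # `${{ env.ELEVATED_GITHUB_TOKEN }}` into the script text: the
        # secret then never becomes part of the generated shell script,
        # only of the environment of this one step.
        run: git config --global url."https://${ELEVATED_GITHUB_TOKEN}@github.com".insteadOf 'https://github.com'
      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          # Only the hosted runners benefit from the action's module cache.
          cache: ${{ contains(runner.name, 'Github Actions') }}
          go-version-file: .go-version
          cache-dependency-path: '**/go.sum'
      - run: make deps
      - name: Vault Compatability
        run: make integration-test
      - run: make e2e-test

  test-e2e-consul:
    runs-on: 'ubuntu-22.04' # this job requires sudo, so not currently suitable for self-hosted runners
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Git config token
        if: endsWith(github.repository, '-enterprise')
        # Pass the repository secret through a step-scoped environment
        # variable instead of interpolating `${{ secrets.* }}` into the
        # command line, so the token is not written into the script body.
        env:
          ELEVATED_GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
        run: git config --global url."https://${ELEVATED_GITHUB_TOKEN}@github.com".insteadOf 'https://github.com'
      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
        with:
          cache: ${{ contains(runner.name, 'Github Actions') }}
          go-version-file: .go-version
          cache-dependency-path: '**/go.sum'
      - name: Consul Compatability
        # NOTE(review): the sed below comments out every `Defaults` line in
        # /etc/sudoers on the (ephemeral, hosted) runner — presumably so that
        # env_reset / secure_path stop stripping PATH and the Go environment
        # from the `sudo -E` invocation that follows; confirm that is the
        # intent. It edits sudoers without a `visudo -c` syntax check, so a
        # bad edit would break sudo for the rest of the job.
        run: |
          make deps
          sudo make cni
          sudo sed -i 's!Defaults!#Defaults!g' /etc/sudoers
          sudo -E env "PATH=$PATH" make integration-test-consul

# Least-privilege token for the whole workflow: read-only repository access,
# plus an OIDC id-token so vault-action can authenticate to Vault via JWT.
permissions:
  contents: read
  id-token: write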