Skip to content

security: a more comprehensive env.denylist #7942

security: a more comprehensive env.denylist

security: a more comprehensive env.denylist #7942

Workflow file for this run

name: test-e2e
on:
pull_request:
paths-ignore:
- 'README.md'
- 'CHANGELOG.md'
- '.changelog/**'
- '.tours/**'
- 'contributing/**'
- 'demo/**'
- 'dev/**'
- 'integrations/**'
- 'pkg/**'
- 'scripts/**'
- 'terraform/**'
- 'ui/**'
- 'website/**'
push:
branches:
- main
- release/**
paths-ignore:
- 'README.md'
- 'CHANGELOG.md'
- '.changelog/**'
- '.tours/**'
- 'contributing/**'
- 'demo/**'
- 'dev/**'
- 'integrations/**'
- 'pkg/**'
- 'scripts/**'
- 'terraform/**'
- 'ui/**'
- 'website/**'
jobs:
test-e2e-vault:
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux"]') || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Retrieve Vault-hosted Secrets
if: endsWith(github.repository, '-enterprise')
id: vault
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
with:
url: ${{ vars.CI_VAULT_URL }}
method: ${{ vars.CI_VAULT_METHOD }}
path: ${{ vars.CI_VAULT_PATH }}
jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
secrets: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
cache: ${{ contains(runner.name, 'Github Actions') }}
go-version-file: .go-version
cache-dependency-path: '**/go.sum'
- run: make deps
- name: Vault Compatability
run: make integration-test
- run: make e2e-test
test-e2e-consul:
runs-on: 'ubuntu-22.04' # this job requires sudo, so not currently suitable for self-hosted runners
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ secrets.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
cache: ${{ contains(runner.name, 'Github Actions') }}
go-version-file: .go-version
cache-dependency-path: '**/go.sum'
- name: Consul Compatability
run: |
make deps
sudo make cni
sudo sed -i 's!Defaults!#Defaults!g' /etc/sudoers
sudo -E env "PATH=$PATH" make integration-test-consul
permissions:
contents: read
id-token: write