diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2d183db..7b765b6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,8 @@ on:
 tags:
 - 'v*'
+permissions: read-all
+
 env:
 NULLSTONE_ORG: nullstone
 NULLSTONE_API_KEY: ${{ secrets.NULLSTONE_API_KEY }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index c32141b..c52d63b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -9,7 +9,7 @@ env:
 NULLSTONE_API_KEY: ${{ secrets.NULLSTONE_API_KEY }}
 jobs:
- publish:
+ scan:
 runs-on: ubuntu-latest
 defaults:
diff --git a/deployment.tf b/deployment.tf
index 36d34d1..d43a1e0 100644
--- a/deployment.tf
+++ b/deployment.tf
@@ -34,6 +34,12 @@ resource "kubernetes_deployment_v1" "this" {
 image = "${local.service_image}:${local.app_version}"
 args = local.command
+ security_context {
+ capabilities {
+ drop = ["NET_RAW"]
+ }
+ }
+
 resources {
 limits = {
 cpu = var.cpu
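Review bot: `permissions: read-all` grants the workflow's GITHUB_TOKEN read access on every scope, which is broader than a least-privilege default; prefer naming only the scope the jobs actually use, `permissions:` with `contents: read` beneath it, and grant any write scope at job level to the one job that needs it. Because this is a tag-triggered publish workflow, the publish job (outside the hunk) may have relied on the repository's default token permissions for whatever it writes, and a workflow-level `permissions:` key replaces that default entirely, so confirm the job still has the scopes it needs. The scan.yml hunk in this same commit only renames a job; if that workflow has no `permissions:` key in the lines above its hunk, the same restriction is worth applying there.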
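Review bot: Dropping only `NET_RAW` leaves the container with the rest of the runtime's default capability set, so the new `security_context` block is a narrower hardening step than it may appear; the usual baseline is `drop = ["ALL"]` with only the capabilities the image actually needs added back, together with `allow_privilege_escalation = false` next to the `capabilities` block. Whether the image needs any capability (for example to bind a low port) is not visible from this hunk, so verify against the container before tightening, and consider a one-line comment on the block stating why the chosen set is sufficient, e.g. `# drops NET_RAW only; app needs <CAPABILITY-IF-ANY> — review before widening`. The enclosing `kubernetes_deployment_v1` resource starts before the hunk and continues past `cpu = var.cpu`.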