Skip to content

Continuous Integration Secure #15095

Continuous Integration Secure

Continuous Integration Secure #15095

name: Continuous Integration Secure
# Secure execution of continuous integration jobs
# which are performed upon completion of the
# "Continuous Integration" workflow
# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
on:
workflow_run:
workflows: ['Continuous Integration']
types: [completed]
permissions:
deployments: write
packages: write
pull-requests: write
jobs:
preview-image:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.conclusion == 'success' && (
github.event.workflow_run.event == 'pull_request' || (
github.event.workflow_run.event == 'push' &&
github.event.workflow_run.head_branch == 'main'
)
)
env:
PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0] != null && github.event.workflow_run.pull_requests[0].number || '' }}
IMAGE_REPO: ghcr.io/${{ github.repository }}/storybook-preview
steps:
- uses: actions/checkout@v3
- name: Download artifacts
uses: ./.github/actions/download-artifacts-from-workflow
with:
artifacts: 'storybook'
- run: mkdir -p dist/storybook
- run: unzip storybook.zip -d dist/storybook
- name: Remove files with forbidden extensions
run: node ./scripts/clean-storybook-files.cjs
- name: Create GitHub Deployment
id: tag-name
uses: actions/github-script@v6
with:
script: |
const environment = process.env.PR_NUMBER ? `preview-pr${process.env.PR_NUMBER}` : 'preview-main';
const payload = { owner: context.repo.owner, repo: context.repo.repo, environment };
const { data: deployment } = await github.rest.repos.createDeployment({
...payload,
ref: context.payload.workflow_run.head_sha,
auto_merge: false,
required_contexts: ['integrity', 'build', 'test', 'lint']
});
await github.rest.repos.createDeploymentStatus({
...payload,
deployment_id: deployment.id,
state: 'in_progress',
environment_url: `https://${context.repo.repo}-${environment}.app.sbb.ch`,
});
return environment;
result-encoding: string
- name: 'Container: Login to GitHub Container Repository'
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io --username ${{ github.actor }} --password-stdin
- name: 'Container: Build image'
run: docker build -t $IMAGE_REPO:${{ steps.tag-name.outputs.result }} .
env:
DOCKER_BUILDKIT: 1
- name: 'Container: Publish image'
run: docker push $IMAGE_REPO:${{ steps.tag-name.outputs.result }}
- name: "Add 'preview-available' label"
if: env.PR_NUMBER != ''
# This label is used for filtering deployments in ArgoCD
uses: actions-ecosystem/action-add-labels@v1
with:
labels: 'preview-available'
number: ${{ env.PR_NUMBER }}
codecov:
runs-on: ubuntu-latest
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- uses: actions/checkout@v3
- name: Download artifacts
uses: ./.github/actions/download-artifacts-from-workflow
with:
artifacts: 'pr, coverage'
- run: unzip pr.zip
- run: mkdir coverage
- run: unzip coverage.zip -d coverage
- name: Read PR number
id: pr-number
run: echo "pr=$(<NR)" >> $GITHUB_OUTPUT
shell: bash
- uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
directory: coverage
override_branch: ${{ github.event.workflow_run.head_branch }}
override_commit: ${{ github.event.workflow_run.head_commit.id }}
override_pr: ${{ steps.pr-number.outputs.pr }}
fail_ci_if_error: true
verbose: true