Skip to content

security: a more comprehensive env.denylist (#24540) #3153

security: a more comprehensive env.denylist (#24540)

security: a more comprehensive env.denylist (#24540) #3153

Workflow file for this run

# Run 'make check' on paths ignored by test-core.yaml.
name: Run checks
on:
pull_request:
paths:
- 'demo/**'
- 'e2e/terraform/**'
- 'terraform/**'
- 'website/**'
push:
branches:
- 'main'
- 'release/**'
paths:
- 'demo/**'
- 'e2e/terraform/**'
- 'terraform/**'
- 'website/**'
workflow_call:
jobs:
checks:
# largest available self-hosted disk for extra iops because linting is io-intensive
runs-on: ${{ endsWith(github.repository, '-enterprise') && fromJSON('["self-hosted", "ondemand", "linux", "disk_gb=255", "type=m7a.2xlarge;m6a.2xlarge"]') || 'custom-linux-xl-nomad-22.04' }}
timeout-minutes: 15
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # needs tags for checkproto
- name: Retrieve Vault-hosted Secrets
if: endsWith(github.repository, '-enterprise')
id: vault
uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
with:
url: ${{ vars.CI_VAULT_URL }}
method: ${{ vars.CI_VAULT_METHOD }}
path: ${{ vars.CI_VAULT_PATH }}
jwtGithubAudience: ${{ vars.CI_VAULT_AUD }}
secrets: |-
kv/data/github/hashicorp/nomad-enterprise/gha ELEVATED_GITHUB_TOKEN ;
- name: Git config token
if: endsWith(github.repository, '-enterprise')
run: git config --global url.'https://${{ env.ELEVATED_GITHUB_TOKEN }}@github.com'.insteadOf 'https://github.com'
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
cache: true
go-version-file: .go-version
cache-dependency-path: '**/go.sum'
- name: Run make check
run: |
make missing
make bootstrap
make check
permissions:
contents: read
id-token: write