Feat: Harden GHA workflows #335

Merged
merged 60 commits into from
Sep 18, 2023
1191d9d
taskfile_lambda_builder configurable with var.autobuild
TylerHendrickson Sep 7, 2023
f79e39c
Incorporate autobuild config into Lambda modules
TylerHendrickson Sep 7, 2023
59b6156
Harden CI workflow
TylerHendrickson Sep 7, 2023
12d8290
Remove unused cache path
TylerHendrickson Sep 7, 2023
702e9c8
Apply policies from harden-runner audits
TylerHendrickson Sep 7, 2023
41fe984
Apply policies from harden-runner audits
TylerHendrickson Sep 7, 2023
30ceaaa
Fix job output/input references
TylerHendrickson Sep 7, 2023
d1ccdf2
Update cache paths
TylerHendrickson Sep 7, 2023
79cd760
Add "Code Scanning" workflow
TylerHendrickson Sep 13, 2023
b4d1503
Add reusable "Build" workflow
TylerHendrickson Sep 13, 2023
decf9ef
Add reusable "QA Checks" workflow
TylerHendrickson Sep 13, 2023
3212a7c
Add reusable "Terraform Plan" workflow
TylerHendrickson Sep 13, 2023
9522dc6
Update CI workflow
TylerHendrickson Sep 13, 2023
201bd2c
Add pull_request trigger to CI workflow for testing
TylerHendrickson Sep 13, 2023
84f90bc
Remove old CodeQL workflow
TylerHendrickson Sep 13, 2023
cca2179
Remove pull_request_target trigger from CI workflow for testing
TylerHendrickson Sep 13, 2023
4f4829d
Fix permissions issue
TylerHendrickson Sep 13, 2023
81011fe
Remove unused permission
TylerHendrickson Sep 13, 2023
55819e7
Allow egress to storage.googleapis.com:443
TylerHendrickson Sep 13, 2023
b91bcbc
Debugging restore path
TylerHendrickson Sep 13, 2023
908b98e
Fix path issues
TylerHendrickson Sep 13, 2023
81b5ce4
Do not save taskfile cache in build jobs
TylerHendrickson Sep 13, 2023
2cf9d7c
Skip build-cli when input is false
TylerHendrickson Sep 13, 2023
e733d7f
Debugging terraform
TylerHendrickson Sep 13, 2023
26e3583
Don't use Taskfile cache during build steps (not useful)
TylerHendrickson Sep 13, 2023
2ab333b
Debug missing env vars
TylerHendrickson Sep 13, 2023
f31c120
Reorder job steps
TylerHendrickson Sep 13, 2023
47855d0
Testing build-cli job
TylerHendrickson Sep 14, 2023
a44260d
Securely pass STS credentials
TylerHendrickson Sep 14, 2023
11e686e
Remove debugging step
TylerHendrickson Sep 14, 2023
60f2cc5
Fix secret name
TylerHendrickson Sep 14, 2023
9b438d8
Evaluate conditional expressions correctly in build jobs
TylerHendrickson Sep 14, 2023
1b0dc83
Set github outputs to encrypted STS values
TylerHendrickson Sep 14, 2023
8adc2c2
Fix typo in env var
TylerHendrickson Sep 14, 2023
6456881
Fix invalid secret ref
TylerHendrickson Sep 14, 2023
6c73520
Publish plan results
TylerHendrickson Sep 14, 2023
5e16396
Fix ambiguous redirect to GITHUB_OUTPUT
TylerHendrickson Sep 14, 2023
da5a99d
Remove line with ambiguous redirect to GITHUB_OUTPUT
TylerHendrickson Sep 14, 2023
379e9f9
Follow the docs for multiline outputs
TylerHendrickson Sep 14, 2023
41111a1
Trying a different way
TylerHendrickson Sep 14, 2023
b26bd28
No equals for multiline GITHUB_OUTPUT delimiter
TylerHendrickson Sep 14, 2023
8033b02
Starting to fix plan comment formatting (round 1)
TylerHendrickson Sep 14, 2023
0fec3e0
Remove step-skip conditional
TylerHendrickson Sep 14, 2023
2c949f7
Direct to GITHUB_OUTPUT (just testing)
TylerHendrickson Sep 14, 2023
09265e9
Use env inputs for report variables
TylerHendrickson Sep 15, 2023
f9b41ea
Pack binaries and report checksums
TylerHendrickson Sep 15, 2023
f4d56b9
Allow build job egress to raw.githubusercontent.com:443
TylerHendrickson Sep 15, 2023
e01b550
Correct UPX version tag (uses v prefix)
TylerHendrickson Sep 15, 2023
97e1351
Fix build-lambdas reporting
TylerHendrickson Sep 15, 2023
94a3e18
Fix shell quoting
TylerHendrickson Sep 15, 2023
4f3a645
Clean up build reports
TylerHendrickson Sep 15, 2023
19a75a5
Tweaks for consistent gpg usage
TylerHendrickson Sep 15, 2023
de3c109
Make artifact retention configurable
TylerHendrickson Sep 15, 2023
190b69f
Add reusable 'Publish Terraform Plan' workflow
TylerHendrickson Sep 15, 2023
a81efe4
Add reusable "Configure AWS Credentials" workflow
TylerHendrickson Sep 15, 2023
9b4a069
Add reusable "Terraform Apply" workflow
TylerHendrickson Sep 15, 2023
25c486d
Cleanup terraform plan workflow
TylerHendrickson Sep 15, 2023
2691166
Use reusable workflows for CI/CD automation
TylerHendrickson Sep 15, 2023
6b5c642
Testing refactored workflows (empty commit)
TylerHendrickson Sep 15, 2023
10cc39e
Change CI workflow trigger
TylerHendrickson Sep 18, 2023
64 changes: 64 additions & 0 deletions .github/workflows/aws-auth.yml
@@ -0,0 +1,64 @@
name: Configure AWS Credentials

on:
workflow_call:
inputs:
aws-region:
type: string
required: true
secrets:
role-to-assume:
required: true
gpg-passphrase:
required: true
outputs:
aws-access-key-id:
value: ${{ jobs.oidc-auth.outputs.aws-access-key-id }}
aws-secret-access-key:
value: ${{ jobs.oidc-auth.outputs.aws-secret-access-key }}
aws-session-token:
value: ${{ jobs.oidc-auth.outputs.aws-session-token }}

permissions:
contents: read
id-token: write

jobs:
oidc-auth:
name: OIDC Auth
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
outputs:
aws-access-key-id: ${{ steps.encrypt-aws-access-key-id.outputs.out }}
aws-secret-access-key: ${{ steps.encrypt-aws-secret-access-key.outputs.out }}
aws-session-token: ${{ steps.encrypt-aws-session-token.outputs.out }}
steps:
- uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
with:
disable-sudo: true
egress-policy: audit
- id: auth
uses: aws-actions/configure-aws-credentials@04b98b3f9e85f563fb061be8751a0352327246b0 # v3.0.1
with:
aws-region: us-west-2
role-to-assume: "${{ secrets.role-to-assume }}"
- id: encrypt-aws-access-key-id
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_ACCESS_KEY_ID") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
- id: encrypt-aws-secret-access-key
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SECRET_ACCESS_KEY") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
- id: encrypt-aws-session-token
run: |
encrypted=$(gpg --batch --yes --passphrase "$GPG_PASSPHRASE" -c --cipher-algo AES256 -o - <(echo "$AWS_SESSION_TOKEN") | base64 -w0)
echo "out=$encrypted" >> $GITHUB_OUTPUT
env:
GPG_PASSPHRASE: ${{ secrets.gpg-passphrase }}
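Review bot: the `aws-region` input this workflow declares as required is never read; the `configure-aws-credentials` step hardcodes `aws-region: us-west-2`, so a caller passing any other region silently gets credentials configured for us-west-2. Use `aws-region: ${{ inputs.aws-region }}` there, or drop the input. Two smaller points on the three encrypt steps: `echo "$AWS_ACCESS_KEY_ID"` (and the other two) bakes a trailing newline into the ciphertext, so whatever decrypts these outputs must strip it, or switch to `printf '%s' "$AWS_ACCESS_KEY_ID"` here; and `--passphrase "$GPG_PASSPHRASE"` puts the passphrase on gpg's command line, where it is readable by any other process on the runner via `ps`, which `--passphrase-fd 0` or `--passphrase-file` avoids. Worth a comment at the top of the file as well: the plaintext STS credentials are protected only by `gpg-passphrase`, so that secret has to be handled as equivalent to the credentials themselves, and since this job does so little, `egress-policy: audit` could be tightened to `block` with an `allowed-endpoints` list taken from the audit, as the commit history says was done for the other workflows.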
97 changes: 0 additions & 97 deletions .github/workflows/build-and-deploy.yml

This file was deleted.
