Bump step-security/harden-runner from 2.8.1 to 2.9.0 #3171
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Docs: https://docs.github.com/en/actions | |
name: CI/CD | |
on: [push] | |
jobs: | |
lint: | |
name: Lint | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20.x | |
cache: npm | |
- name: Install Dependencies | |
run: npm ci | |
- name: Lint | |
run: npm run lint | |
test: | |
name: Unit Tests | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
registry.npmjs.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Install Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 20.x | |
cache: npm | |
- name: Install Dependencies | |
run: npm ci | |
- name: Run Tests | |
run: npm test | |
docker: | |
name: Build Docker image | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
auth.docker.io:443 | |
docker.io:443 | |
github.com:443 | |
production.cloudflare.docker.com:443 | |
registry-1.docker.io:443 | |
registry.npmjs.org:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Cache node modules | |
id: cache-npm | |
uses: actions/cache@v4 | |
env: | |
cache-name: cache-node-modules | |
with: | |
# npm cache files are stored in `~/.npm` on Linux/macOS | |
path: ~/.npm | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-build-${{ env.cache-name }}- | |
${{ runner.os }}-build- | |
${{ runner.os }}- | |
- if: ${{ steps.cache-npm.outputs.cache-hit != 'true' }} | |
name: List the state of node modules | |
continue-on-error: true | |
run: npm list | |
- name: Build Docker image | |
run: ./bin/build | |
- name: Save Docker image | |
run: docker image save ranger-clubhouse-web:dev | gzip -9 > docker_image.tgz | |
- name: Upload Docker image artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: docker | |
path: docker_image.tgz | |
test-docker: | |
name: Test Docker image | |
needs: [docker] | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Test Docker image | |
run: ./bin/test_docker | |
deploy-staging: | |
name: Deploy code from master branch to the staging environment | |
needs: [docker, test-docker] | |
if: github.ref == 'refs/heads/master' | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
steps: | |
- name: Harden CI | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
- name: Checkout source code | |
uses: actions/checkout@v4 | |
- name: Download Docker image artifacts | |
uses: actions/download-artifact@v4 | |
with: | |
name: docker | |
- name: Load Docker image | |
run: gzip --uncompress --stdout docker_image.tgz | docker image load | |
- name: Install Python | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.7' | |
- name: Deploy to staging | |
run: ./bin/deploy staging | |
env: | |
# https://github.com/burningmantech/ranger-secret-clubhouse/settings/secrets | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }} | |
AWS_ECR_IMAGE_NAME: ${{ secrets.AWS_ECR_IMAGE_NAME }} | |
AWS_ECS_CLUSTER_STAGING: rangers | |
AWS_ECS_SERVICE_STAGING: ${{ secrets.AWS_ECS_SERVICE_STAGING }} | |
NOTIFY_SMTP_HOST: ${{ secrets.NOTIFY_SMTP_HOST }} | |
NOTIFY_SMTP_USER: ${{ secrets.NOTIFY_SMTP_USER }} | |
NOTIFY_SMTP_PASSWORD: ${{ secrets.NOTIFY_SMTP_PASSWORD }} | |
NOTIFY_EMAIL_RECIPIENT: ${{ secrets.NOTIFY_EMAIL_RECIPIENT }} | |
NOTIFY_EMAIL_SENDER: ${{ secrets.NOTIFY_EMAIL_SENDER }} | |
CI: true | |
PROJECT_NAME: Ranger Secret Clubhouse Web Application | |
REPOSITORY_ID: ${{ github.repository }} | |
BUILD_NUMBER: 0 | |
BUILD_URL: https://github.com/burningmantech/ranger-secret-clubhouse/commit/${{ github.sha }}/checks | |
COMMIT_ID: ${{ github.event.head_commit.id }} | |
COMMIT_URL: ${{ github.event.head_commit.url }} | |
COMMIT_AUTHOR_USER: ${{ github.event.head_commit.author.username }} | |
COMMIT_AUTHOR_NAME: ${{ github.event.head_commit.author.name }} | |
COMMIT_AUTHOR_EMAIL: ${{ github.event.head_commit.author.email }} | |
COMMIT_MESSAGE: ${{ github.event.head_commit.message }} |