Merge pull request #16 from nathanjnorris/dependabot

Add dependency review to workflows
nathanjnorris · Mar 19, 2024 · 5eb5608 · 5eb5608
2 parents 9caa75b + ee2740a
commit 5eb5608
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 14 deletions.
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
@@ -71,4 +71,16 @@ jobs:
           package-name: ${{ env.IMAGE_NAME }}
           package-type: 'container'
           min-versions-to-keep: 5
-          delete-only-pre-release-versions: "true"
+          delete-only-pre-release-versions: "true"
+
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
diff --git a/README.md b/README.md
@@ -5,39 +5,39 @@ A GitHub Action that runs a Docker container, which lets you SSH into a server b
 This repo is forked from [npgy/cloudflared-ssh-action](https://github.com/npgy/cloudflared-ssh-action) 
 
 The Dockerfile has been updated to:
-- Pull the 'latest' alpine image tag
-- Download the latest Cloudflare Tunnel (cloudflared) binary 
+- Pull the _latest_ alpine image tag.
+- Install the latest Cloudflare Tunnel (cloudflared) binary.
+- Utilise [service tokens](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/) for authentication.
 
-### PRs
-Branch protection rules require a PR before code can be merged to main. \
-The PR workflow in this repo also uses the [Trivy scanner](https://github.com/aquasecurity/trivy) to check the iamge for vulnerabilities. \
-If there's a Critical or High CVE found in the image, the PR workflow will fail. \
-Daily, dependabot will check upstream base Apline Linux image or Github Actions have been updated, and raise PRs. \
-A successful merge into main will update the 'latest' tagged image uploaded to GitHub Packages.
+## Workflows
+Branch protection rules require a PR before code can be merged into _main_. The workflows will:
+- Use the [Trivy scanner](https://github.com/aquasecurity/trivy) to check the image for vulnerabilities. If there's a High or Critical CVEs found in the image, the workflow will fail. \
+- Dependabot will check upstream base Apline Linux image or Github Actions for updates.
+  
+A successful merge into _main_ will update the _latest_ release and update the _latest_ tagged container image uploaded to GitHub Packages.
 
 ## Usage
 
 Here is an example deploy.yaml file for the action:  
 ```yaml
-name: SSH on cloudflared remote server
+name: Run command on remote server
 on:
   pull_request:
     types:
       - closed
 jobs:
-  deploy:
-    name: Run SSH command
+  ssh:
     runs-on: ubuntu-latest
     steps:
-    - name: Connect to remote server, run command
+    - name: SSH onto cloudflared server
       uses: nathanjnorris/cloudflared-ssh-action@latest
       with:
         host: ${{ secrets.SSH_HOST }}
         username: ${{ secrets.SSH_USERNAME }}
         private_key_filename: ${{ secrets.SSH_PRIVATE_KEY_FILENAME }}
         private_key_value: ${{ secrets.SSH_PRIVATE_KEY_VALUE }}
         port: ${{ secrets.SSH_PORT }}
-        commands: mkdir hello-world -v
         service_token_id: ${{ secrets.SERVICE_TOKEN_ID }}
         service_token_secret: ${{ secrets.SERVICE_TOKEN_SECRET }}
+        commands: mkdir hello-world -v
 ```