From 08fa9ca71f0d488eeb1fa2906fcfd748a21d6246 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Mon, 18 Mar 2024 20:36:35 -0700
Subject: [PATCH 1/4] Add dependency review to workflows

---
 .github/workflows/on_pr.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index e628185..aaeddd8 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -71,4 +71,14 @@ jobs:
           package-name: ${{ env.IMAGE_NAME }}
           package-type: 'container'
           min-versions-to-keep: 5
-          delete-only-pre-release-versions: "true"
\ No newline at end of file
+          delete-only-pre-release-versions: "true"
+
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4

From 7f86ef5ea639a839eed5bae2ea1cd9483a22a7fb Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Mon, 18 Mar 2024 20:39:20 -0700
Subject: [PATCH 2/4] Fail on high and above

---
 .github/workflows/on_pr.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index aaeddd8..c79330a 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -82,3 +82,5 @@ jobs:
         uses: actions/checkout@v4
       - name: Dependency review
         uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high

From 20e8785b353b36a871372c91955999a6a2dcb5a9 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Mon, 18 Mar 2024 20:48:48 -0700
Subject: [PATCH 3/4] Update README.md

---
 README.md | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 81f4360..1e29703 100644
--- a/README.md
+++ b/README.md
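Review bot: Both steps added under `dependency-review` reference their actions by a moving tag — `uses: actions/checkout@v4` and `uses: actions/dependency-review-action@v4` — so the code this job runs changes whenever the tag is re-pointed, which undercuts the supply-chain assurance the job is meant to add. Pin each to a full commit SHA and keep the tag as a trailing comment, for example `uses: actions/dependency-review-action@<full-commit-sha>  # v4`; a SHA pin is still tracked by Dependabot, which the README change later in this series says watches GitHub Actions. The `permissions: contents: read` block is appropriately minimal for what the hunk shows; if PR summary comments are ever enabled on the action, that scope would need widening and should be revisited then.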
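Review bot: `fail-on-severity: high` reads as "fail only on high" but, as the commit subject "Fail on high and above" says, it is a minimum threshold and critical findings also fail the check; a one-line comment above it would prevent the misreading, e.g. `# minimum severity that fails the check (high and critical)`. The README edited later in this series describes the Trivy and Dependabot checks under "The workflows will:" but does not mention this dependency review job or its threshold, so that list should gain a bullet for it. The enclosing `dependency-review` job starts above this hunk.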
@@ -5,31 +5,30 @@ A GitHub Action that runs a Docker container, which lets you SSH into a server b This repo is forked from [npgy/cloudflared-ssh-action](https://github.com/npgy/cloudflared-ssh-action) The Dockerfile has been updated to: -- Pull the 'latest' alpine image tag -- Download the latest Cloudflare Tunnel (cloudflared) binary +- Pull the _latest_ alpine image tag. +- Install the latest Cloudflare Tunnel (cloudflared) binary. +- Utilise [service tokens](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/) for authentication. ### PRs -Branch protection rules require a PR before code can be merged to main. \ -The PR workflow in this repo also uses the [Trivy scanner](https://github.com/aquasecurity/trivy) to check the iamge for vulnerabilities. \ -If there's a Critical or High CVE found in the image, the PR workflow will fail. \ -Daily, dependabot will check upstream base Apline Linux image or Github Actions have been updated, and raise PRs. \ -A successful merge into main will update the 'latest' tagged image uploaded to GitHub Packages. +Branch protection rules require a PR before code can be merged into _main_. The workflows will: +- Use the [Trivy scanner](https://github.com/aquasecurity/trivy) to check the image for vulnerabilities. If there's a High or Critical CVEs found in the image, the workflow will fail. \ +- Dependabot will check upstream base Apline Linux image or Github Actions for updates. \ +A successful merge into _main_ will update the _latest_ release and update the _latest_ tagged container image uploaded to GitHub Packages. 
## Usage Here is an example deploy.yaml file for the action: ```yaml -name: SSH on cloudflared remote server +name: Run command on remote server on: pull_request: types: - closed jobs: - deploy: - name: Run SSH command + ssh: runs-on: ubuntu-latest steps: - - name: Connect to remote server, run command + - name: SSH onto cloudflared server uses: nathanjnorris/cloudflared-ssh-action@latest with: host: ${{ secrets.SSH_HOST }}
@@ -37,7 +36,7 @@ jobs:
           private_key_filename: ${{ secrets.SSH_PRIVATE_KEY_FILENAME }}
           private_key_value: ${{ secrets.SSH_PRIVATE_KEY_VALUE }}
           port: ${{ secrets.SSH_PORT }}
-          commands: mkdir hello-world -v
           service_token_id: ${{ secrets.SERVICE_TOKEN_ID }}
           service_token_secret: ${{ secrets.SERVICE_TOKEN_SECRET }}
+          commands: mkdir hello-world -v
 ```

From ee2740a32d89be73da6b8659d343d0152612b642 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Mon, 18 Mar 2024 20:50:02 -0700
Subject: [PATCH 4/4] Update README.md

---
 README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1e29703..1638e07 100644
--- a/README.md
+++ b/README.md
@@ -9,10 +9,11 @@ The Dockerfile has been updated to: - Install the latest Cloudflare Tunnel (cloudflared) binary. - Utilise [service tokens](https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/) for authentication. -### PRs +## Workflows Branch protection rules require a PR before code can be merged into _main_. The workflows will: - Use the [Trivy scanner](https://github.com/aquasecurity/trivy) to check the image for vulnerabilities. If there's a High or Critical CVEs found in the image, the workflow will fail. \ -- Dependabot will check upstream base Apline Linux image or Github Actions for updates. \ +- Dependabot will check upstream base Apline Linux image or Github Actions for updates. + A successful merge into _main_ will update the _latest_ release and update the _latest_ tagged container image uploaded to GitHub Packages. ## Usage