diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 61ab04e2..e14d00ad 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -31,39 +31,33 @@ jobs: service_name: ${{ steps.vars.outputs.service_name }} image_tag: ${{ steps.vars.outputs.image_tag }} image_name: ${{ steps.vars.outputs.image_name }} + kosli_flow: ${{ steps.vars.outputs.kosli_flow }} kosli_trail: ${{ steps.vars.outputs.kosli_trail }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v6 - with: - fetch-depth: 1 + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main - name: Prepare outputs for workflow jobs id: vars run: | - ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" - IMAGE_TAG=${GITHUB_SHA:0:7} - IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" + ECR_REGISTRY="${AWS_ECR_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com" + IMAGE_TAG=${GITHUB_SHA:0:7} + IMAGE_NAME="${ECR_REGISTRY}/${{ env.SERVICE_NAME }}:${IMAGE_TAG}" { - echo "aws_account_id_beta=${AWS_ACCOUNT_ID_BETA}" - echo "ecr_registry=${ECR_REGISTRY}" - echo "aws_region=${AWS_REGION}" - echo "gh_actions_iam_role_name=gh_actions_services" - echo "service_name=${{ env.SERVICE_NAME }}" - echo "image_tag=${IMAGE_TAG}" - echo "image_name=${IMAGE_NAME}" - echo "kosli_trail=${KOSLI_TRAIL}" - } > ${GITHUB_OUTPUT} + echo "aws_account_id_beta=${AWS_ACCOUNT_ID_BETA}" + echo "ecr_registry=${ECR_REGISTRY}" + echo "aws_region=${AWS_REGION}" + echo "gh_actions_iam_role_name=gh_actions_services" + echo "service_name=${{ env.SERVICE_NAME }}" + echo "image_tag=${IMAGE_TAG}" + echo "image_name=${IMAGE_NAME}" + echo "kosli_flow=${KOSLI_FLOW}" + echo "kosli_trail=${KOSLI_TRAIL}" + } > ${GITHUB_OUTPUT} - name: Begin Kosli Trail - if: ${{ github.ref == 'refs/heads/main' }} uses: cyber-dojo/kosli-begin-trail@main with: - cli_version: "${{ vars.KOSLI_CLI_VERSION }}" flow_description: "Diff files from two traffic-lights" 
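Review bot: Every wrapper action introduced here — `cyber-dojo/harden-runner@main`, `cyber-dojo/pinned-checkout@main` and, in the later hunks, `cyber-dojo/setup-kosli-cli@main` — is referenced by a mutable branch, whereas the steps they replace were at least tag-pinned (`@v2`, `@v6`, `@v3`); a push to that branch now changes what this workflow executes without any commit in this repository, and the explicit `egress-policy: audit` and `cli_version` inputs that were removed are now decided inside wrappers this file does not show. Pin each reference to a full commit SHA with the tracked ref in a trailing comment, `- uses: cyber-dojo/harden-runner@<commit-sha>  # main`, or at minimum to a release tag. Dropping `if: ${{ github.ref == 'refs/heads/main' }}` from "Begin Kosli Trail" also means a trail is now begun for every ref, which may be intended now that a `kosli_flow` output exists but deserves a one-line comment on the step. The same `@main` references recur in every subsequent hunk of this file.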
@@ -76,19 +70,9 @@ jobs: contents: read pull-requests: read steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v6 - with: - fetch-depth: 1 - - - name: Setup Kosli CLI - uses: kosli-dev/setup-cli-action@v3 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main + - uses: cyber-dojo/setup-kosli-cli@main - name: Attest pull-request evidence to Kosli run:
@@ -101,25 +85,14 @@ jobs: runs-on: ubuntu-latest needs: [setup] steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v6 - with: - fetch-depth: 1 + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main + - uses: cyber-dojo/setup-kosli-cli@main - name: Run Rubocop linter on source run: make rubocop_lint - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - uses: kosli-dev/setup-cli-action@v3 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - name: Attest evidence to Kosli if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} run:
@@ -139,7 +112,7 @@ jobs: image_tag: ${{ needs.setup.outputs.image_tag }} image_build_args: | COMMIT_SHA=${{ github.sha }} - kosli_flow: ${{ vars.KOSLI_FLOW }} + kosli_flow: ${{ needs.setup.outputs.kosli_flow }} kosli_trail: ${{ needs.setup.outputs.kosli_trail }} kosli_reference_name: ${{ needs.setup.outputs.service_name }} attest_to_kosli: ${{ github.ref == 'refs/heads/main' }}
@@ -148,12 +121,13 @@ jobs: snyk-container-scan: - needs: [build-image] + if: ${{ github.ref == 'refs/heads/main' }} + needs: [setup, build-image] uses: cyber-dojo/snyk-scanning/.github/workflows/artifact_snyk_test.yml@main with: artifact_name: ${{ needs.build-image.outputs.tagged_image_name }} - kosli_flow: ${{ vars.KOSLI_FLOW }} - kosli_trail: ${{ github.sha }} + kosli_flow: ${{ needs.setup.outputs.kosli_flow }} + kosli_trail: ${{ needs.setup.outputs.kosli_trail }} kosli_attestation_name: differ.snyk-container-scan secrets: snyk_token: ${{ secrets.SNYK_TOKEN }}
@@ -166,30 +140,19 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main + - uses: cyber-dojo/setup-kosli-cli@main - name: Download docker image uses: cyber-dojo/download-artifact@main with: image_digest: ${{ needs.build-image.outputs.digest }} - - uses: actions/checkout@v6 - with: - fetch-depth: 1 - - name: Run unit tests with metrics checks run: make test_server metrics_test_server metrics_coverage_server - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - uses: kosli-dev/setup-cli-action@v3 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - name: Attest junit test evidence to Kosli if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} run:
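Review bot: The added `if: ${{ github.ref == 'refs/heads/main' }}` on `snyk-container-scan` (first hunk on this line) removes the container vulnerability scan from pull requests entirely, so a vulnerable dependency introduced by a PR is now first detected after merge, and the gate job at the end of this file only runs on main as well. If the goal is only to avoid attesting to Kosli from non-main refs, the pattern `build-image` already uses — run on every ref and gate with `attest_to_kosli: ${{ github.ref == 'refs/heads/main' }}` — would keep scanning PRs, provided the reusable `artifact_snyk_test.yml` workflow exposes a comparable input (not visible here). Otherwise a comment above the `if:` stating that PR scanning is deliberately skipped would spare the next reader the question.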
@@ -220,30 +183,19 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main + - uses: cyber-dojo/setup-kosli-cli@main - name: Download docker image uses: cyber-dojo/download-artifact@main with: image_digest: ${{ needs.build-image.outputs.digest }} - - uses: actions/checkout@v6 - with: - fetch-depth: 1 - - name: Run integration tests with metrics checks run: make image_client test_client metrics_test_client metrics_coverage_client - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - uses: kosli-dev/setup-cli-action@v3 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - name: Attest junit test evidence to Kosli if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} run:
@@ -274,14 +226,8 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v6 - with: - fetch-depth: 0 + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/pinned-checkout@main - name: Run SonarCloud scan - report results to Kosli (in Kosli webhook) env:
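Review bot: The SonarCloud job (second hunk on this line, `-274,14 +226,8`) was the only job checking out with `fetch-depth: 0` while every other job used `fetch-depth: 1`, and that full-history checkout is now replaced by `cyber-dojo/pinned-checkout@main`, whose depth is not visible here. If the wrapper does a shallow clone, the scanner's blame and new-code detection that presumably depended on the full history will degrade; confirm the action fetches full history for this job, or keep an explicit `fetch-depth: 0` here if it accepts such an input. A short comment on the step noting that this job needs full history would keep the distinction from being lost again in a later cleanup.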
@@ -300,31 +246,24 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest needs: - - build-image - pull-request - rubocop-lint + - build-image - unit-tests - integration-tests - sonarcloud-scan - snyk-container-scan - env: - KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - name: Setup Kosli CLI - uses: kosli-dev/setup-cli-action@v3 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} + - uses: cyber-dojo/harden-runner@main + - uses: cyber-dojo/setup-kosli-cli@main - name: Display current compliance run: kosli get trail "${KOSLI_TRAIL}" - name: Kosli SDLC gate to short-circuit the workflow + env: + KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} run: kosli assert artifact --environment=${KOSLI_AWS_BETA}