chore(deps): update github/codeql-action action to v3.28.4 #309
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: review | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| permissions: {} | |
| jobs: | |
| validate: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| app.terraform.io:443 | |
| archivist.terraform.io:443 | |
| checkpoint-api.hashicorp.com:443 | |
| github.com:443 | |
| registry.terraform.io:443 | |
| releases.hashicorp.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Setup Teraform | |
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} | |
| - name: Prettify | |
| run: terraform fmt -check | |
| continue-on-error: true | |
| - name: Initialise | |
| run: terraform init | |
| - name: Validate | |
| run: terraform validate -no-color | |
| tflint: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Cache Plugins | |
| uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 | |
| with: | |
| path: ~/.tflint.d/plugins | |
| key: tflint-${{ hashFiles('.tflint.hcl') }} | |
| - name: Setup TFLint | |
| uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0 | |
| with: | |
| tflint_version: v0.50.3 | |
| - name: Initialise | |
| run: tflint --init | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| - name: Lint | |
| run: tflint -f compact | |
| trivy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| env: | |
| trivy_sarif: trivy.sarif | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| d2glxqk2uabbnd.cloudfront.net:443 | |
| d5l0dvt14r5h8.cloudfront.net:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| objects.githubusercontent.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| public.ecr.aws:443 | |
| raw.githubusercontent.com:443 | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| persist-credentials: false | |
| show-progress: false | |
| - name: Run with SARIF Output | |
| uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
| with: | |
| scan-type: "fs" | |
| format: "sarif" | |
| output: ${{ env.trivy_sarif }} | |
| env: | |
| TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" | |
| TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db" | |
| - name: Report via GitHub CodeQL | |
| uses: github/codeql-action/upload-sarif@ee117c905ab18f32fa0f66c2fe40ecc8013f3e04 # v3.28.4 | |
| with: | |
| sarif_file: ${{ env.trivy_sarif }} |