Skip to content

[#patch] harden workflows #91

[#patch] harden workflows

[#patch] harden workflows #91

name: auto-tag
on:
push:
branches:
- main
paths:
- .github/workflows/*.yml
- auto-tagger/**
- "!.github/workflows/local-*.yml"
concurrency:
group: ghas-auto-tagger-${{ github.ref }}
jobs:
auto-tag:
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
# v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
# v4.2.2
- name: Get changed files for each workflow and action
id: changed-files
uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366
# v45.0.5
with:
files_yaml: |
docker-build-and-push:
- .github/workflows/docker-build-and-push.yml
gitleaks:
- .github/workflows/gitleaks.yml
go-ci:
- .github/workflows/go-ci.yml
go-security-scan:
- .github/workflows/go-security-scan.yml
infra-security-scan:
- .github/workflows/infra-security-scan.yml
python-ci:
- .github/workflows/python-ci.yml
rust-ci:
- .github/workflows/rust-ci.yml
auto-tagger:
- auto-tagger/**
- name: Run auto-tag if docker-build-and-push workflow changes
if: steps.changed-files.outputs.docker-build-and-push_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/docker-build-and-push.yml
prefix: docker-build-and-push-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if gitleaks workflow changes
if: steps.changed-files.outputs.gitleaks_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/gitleaks.yml
prefix: gitleaks-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if go-ci workflow changes
if: steps.changed-files.outputs.go-ci_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/go-ci.yml
prefix: go-ci-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if go-security-scan workflow changes
if: steps.changed-files.outputs.go-security-scan_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/go-security-scan.yml
prefix: go-sec-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if infra-security-scan workflow changes
if: steps.changed-files.outputs.infra-security-scan_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/infra-security-scan.yml
prefix: infra-scan-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if python-ci workflow changes
if: steps.changed-files.outputs.python-ci_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/python-ci.yml
prefix: python-ci-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if rust-ci workflow changes
if: steps.changed-files.outputs.rust-ci_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: .github/workflows/rust-ci.yml
prefix: rust-ci-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false
- name: Run auto-tag if auto-tagger action changes
if: steps.changed-files.outputs.auto-tagger_any_changed == 'true'
# kics-scan ignore-line
uses: notdodo/github-actions/auto-tagger@auto-tagger-v0
with:
bind_to_major: true
default_bump_strategy: skip
default_branch: main
path: ./auto-tagger/
prefix: auto-tagger-v
github_token: ${{ secrets.GITHUB_TOKEN }}
dry_run: false