Skip to content

Security updates November 2023 #8725

Security updates November 2023

Security updates November 2023 #8725

---
name: Build Validation
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
- 'feature/**'
# for each ref (branch/pr) run just the most recent,
# cancel other pending/running ones
concurrency:
group: "${{ github.workflow }}-${{ github.head_ref }}"
cancel-in-progress: true
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
# Full git history is needed to get a proper list of
# changed files within `super-linter`
fetch-depth: 0
persist-credentials: false
- uses: dorny/paths-filter@v2
id: filter
with:
filters: |
terraform:
# our Terraform uses more than just *.tf files, so need to check changes in the folder
- '**/terraform/**/*'
core:
- 'core/**/*'
core_version:
- 'core/version.txt'
docs:
- 'docs/**/*'
terraform_workspaces:
- templates/workspaces/**/terraform/**/*.tf
terraform_shared_services:
- templates/shared_services/**/terraform/**/*.tf
terraform_workspace_services:
- templates/workspace_services/**/terraform/**/*.tf
- name: Terraform format check
if: ${{ steps.filter.outputs.terraform == 'true' }}
run: terraform fmt -check -recursive
# find all terraform folders and run validate to catch
# configuration errors
- name: Terraform validation
if: ${{ steps.filter.outputs.terraform == 'true' }}
run: |
find . -type d -name 'terraform' -not -path '*cnab*' -print0 \
| xargs -0 -I{} sh -c 'echo "***** Validating: {} *****"; \
terraform -chdir={} init -backend=false; terraform -chdir={} validate'
- name: "Stale version: core"
if: ${{ steps.filter.outputs.core == 'true' &&
steps.filter.outputs.core_version == 'false' }}
run: echo "::error::Code update without version change" && exit 1
- name: Lint code base
# the slim image is 2GB smaller and we don't use the extra stuff
# Moved this after the Terraform checks above due something similar to this issue:
# https://github.com/github/super-linter/issues/2433
uses: github/super-linter/[email protected]
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_MARKDOWN: true
VALIDATE_PYTHON_FLAKE8: true
VALIDATE_YAML: true
VALIDATE_TERRAFORM_TFLINT: true
VALIDATE_JAVA: true
JAVA_FILE_NAME: checkstyle.xml
VALIDATE_BASH: true
VALIDATE_BASH_EXEC: true
VALIDATE_GITHUB_ACTIONS: true
VALIDATE_DOCKERFILE_HADOLINT: true
VALIDATE_TSX: true
VALIDATE_TYPESCRIPT_ES: true
- name: Docs validation
if: ${{ steps.filter.outputs.docs == 'true' }}
run: |
pip install -r docs/requirements.txt
mkdocs build --strict
- name: Workspace Tags
if: ${{ steps.filter.outputs.terraform_workspaces == 'true' }}
uses: github/super-linter/[email protected]
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_TERRAFORM_TFLINT: true
TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspaces.hcl
LINTER_REGEX_INCLUDE: './templates/workspaces/.*'
- name: Workspace Services Tags
if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }}
uses: github/super-linter/[email protected]
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_TERRAFORM_TFLINT: true
TERRAFORM_TFLINT_CONFIG_FILE: .tflint_workspace_services.hcl
LINTER_REGEX_INCLUDE: './templates/workspaces/.*'
FILTER_REGEX_EXCLUDE: '.*user_resource.*'
- name: User Resources Tags
if: ${{ steps.filter.outputs.terraform_workspace_services == 'true' }}
uses: github/super-linter/[email protected]
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_TERRAFORM_TFLINT: true
TERRAFORM_TFLINT_CONFIG_FILE: .tflint_user_resources.hcl
LINTER_REGEX_INCLUDE: './templates/workspace_services/.*/user_resources/.*'
- name: Shared Services Tags
if: ${{ steps.filter.outputs.terraform_shared_services == 'true' }}
uses: github/super-linter/[email protected]
env:
VALIDATE_ALL_CODEBASE: false
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_TERRAFORM_TFLINT: true
TERRAFORM_TFLINT_CONFIG_FILE: .tflint_shared_services.hcl
LINTER_REGEX_INCLUDE: './templates/shared_services/.*'