
chore(deps): bump the gha-minor-patch group across 1 directory with 3 updates #717


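# Build, test and release pipeline.
#
# Job graph, as declared by the `needs:` keys below:
#   check-diff -> build -> check-artifacts
#                       -> test-integration
#   test-lint (independent; runs on every push and PR)
#   pre-release (push to main only) -> pre-release-validation -> release
#
# Every job that talks to the network first enables bullfrog egress filtering
# with `egress-policy: block` and an explicit allow-list, so a new external
# dependency has to be added to that job's `allowed-domains` before it works.
# All third-party actions are pinned by commit SHA with the release tag noted
# in a trailing comment.
name: Build, test and release

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - main

# Default token scope for every job; jobs that need more declare it themselves.
permissions:
  contents: read

jobs:
  # Gate for the rest of the pipeline: `diff` is 'true' when at least one
  # changed file is something other than a Markdown file.
  check-diff:
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-22.04
    outputs:
      diff: ${{ steps.changes.outputs.src }}
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            github.com
            api.github.com
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: fallard84/paths-filter@dfb4213208eb30382ee3e27b8a810fc3fb8cc911 # v3.0.3
        id: changes
        with:
          # "every": a changed path counts only if it matches all patterns of
          # the filter, so a *.md file (matches `**/*` but not `!**/*.md`)
          # does not set `src` on its own.
          predicate-quantifier: "every"
          filters: |
            src:
              - '**/*'
              - '!**/*.md'

  # Builds the action and runs unit tests; the compiled output in `action/dist`
  # is published as an artifact for the downstream jobs.
  build:
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    needs: check-diff
    # Skipped for Markdown-only changes; everything that `needs: build` is then
    # skipped too.
    if: ${{ needs.check-diff.outputs.diff == 'true' }}
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            github.com
            registry.npmjs.org
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build
        run: |
          make bootstrap
          make build
      - name: Run Unit Tests
        run: |
          make test.unit
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: build-artifacts
          path: |
            action/dist

  # Re-downloads the build artifact and checks it against the repository.
  check-artifacts:
    needs: build
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            github.com
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: build-artifacts
      - name: Check Artifact Build
        run: |
          make test.artifacts

  # Lint and type checks. No `needs:`, so this runs even for Markdown-only
  # changes that skip `build`.
  test-lint:
    runs-on: ubuntu-22.04
    timeout-minutes: 5
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            registry.npmjs.org
            github.com
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Bootstrap
        run: |
          make bootstrap
      - name: Lint
        run: |
          make test.lint
      - name: Types
        run: |
          make test.types

  # End-to-end check of the action built in this run (`uses: ./`) on each
  # supported runner/architecture. Because the action under test comes from
  # the checkout plus the downloaded artifact, the egress step has to come
  # after those two, unlike in the other jobs. No `api-token` is passed here.
  test-integration:
    needs: build
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 5
    strategy:
      matrix:
        include:
          - runner: ubuntu-22.04
            arch: amd64
          - runner: ubuntu-24.04
            arch: amd64
          - runner: ubuntu-22.04-arm
            arch: arm64
          - runner: ubuntu-24.04-arm
            arch: arm64
          - runner: ubuntu-24.04
            arch: amd64-slim
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: build-artifacts
      - name: Enable egress filtering
        uses: ./
        with:
          egress-policy: block
          allowed-domains: |
            www.google.com
      # Connectivity check only: curl runs without `--fail`, so any HTTP
      # response from the allowed domain counts as success, and a blocked
      # domain must fail to connect (or hit `--max-time`) rather than answer.
      - name: Verify blocking works
        run: |
          if curl https://www.google.com --max-time 5 --output /dev/null; then
            echo "Allowed domain works"
          else
            echo "Expected curl to allowed domain to succeed"
            exit 1
          fi
          if curl https://www.bing.com --max-time 5 --output /dev/null; then
            echo "Block failed - unauthorized domain accessible"
            exit 1
          fi

  # Runs release-please on pushes to main, after the whole test matrix passed.
  # When it cuts a release (published as a pre-release, judging by the
  # promotion done in `release`), the tag and version parts are exposed as
  # outputs for the two jobs below.
  pre-release:
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    runs-on: ubuntu-22.04
    # NOTE(review): this job and `release` are the only ones without
    # `timeout-minutes`, so they fall back to the workflow default.
    permissions:
      contents: write
      pull-requests: write
    needs: [build, check-artifacts, test-lint, test-integration]
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
      major: ${{ steps.release.outputs.major }}
      minor: ${{ steps.release.outputs.minor }}
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            github.com
            api.github.com
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1
        # Redundant with the job-level `if`, kept as-is.
        if: github.event_name == 'push'
        id: release
        with:
          config-file: release-please-config.json
          manifest-file: .release-please-manifest.json
          # A bot PAT rather than GITHUB_TOKEN so the release PR it opens
          # triggers workflows.
          token: ${{ secrets.BULLFROG_BOT_PAT }}

  # Smoke-tests the just-published tag exactly as a consumer would reference
  # it. Skipped when release-please created no release, which also skips
  # `release` through its `needs:`.
  pre-release-validation:
    needs: pre-release
    if: ${{ needs.pre-release.outputs.release_created }}
    runs-on: ubuntu-22.04
    timeout-minutes: 2
    steps:
      # This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow.
      # NOTE(review): pinned by SHA like everything else, but this is the only
      # action here without the release-tag comment after the pin.
      - uses: jenseng/dynamic-uses@8bc24f0360175e710da532c4d19eafdbed489a06
        with:
          uses: ${{ github.repository }}@${{ needs.pre-release.outputs.tag_name }}
          with: '{"allowed-domains": "www.google.com", "egress-policy": "block"}'
      - name: Make HTTP requests
        run: |
          if ! curl https://www.google.com --output /dev/null; then
            echo 'Expected curl to www.google.com to succeed, but it failed';
            exit 1;
          fi;
          if curl https://www.bing.com --max-time 5 --output /dev/null; then
            echo 'Expected curl to www.bing.com to fail, but it succeeded';
            exit 1;
          fi;

  # Promotes the validated pre-release to the latest release and re-points the
  # floating `v<major>` and `v<major>.<minor>` tags at it.
  release:
    runs-on: ubuntu-22.04
    permissions:
      contents: write
    needs: [pre-release, pre-release-validation]
    steps:
      - name: Enable egress filtering
        uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
        with:
          egress-policy: block
          api-token: ${{ secrets.BULLFROG_API_TOKEN }}
          allowed-domains: |
            github.com
            api.github.com
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Promote to a release
        # The release-please outputs are handed to the script through `env:`
        # instead of being expanded with `${{ }}` inside the script body, so
        # the shell text is static and the values are quoted like any other
        # variable.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.pre-release.outputs.tag_name }}
          MAJOR: ${{ needs.pre-release.outputs.major }}
          MINOR: ${{ needs.pre-release.outputs.minor }}
        run: |
          gh release edit "$TAG_NAME" --prerelease=false --latest
          git config user.name github-actions[bot]
          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
          # Delete the floating tags locally and remotely first; either step
          # fails harmlessly when the tag does not exist yet (first release of
          # a series), hence `|| true`. Pushes go to `origin` using the
          # credentials actions/checkout persists by default, so no extra
          # token-bearing remote is added to .git/config.
          git tag -d "v${MAJOR}" || true
          git tag -d "v${MAJOR}.${MINOR}" || true
          git push origin ":v${MAJOR}" || true
          git push origin ":v${MAJOR}.${MINOR}" || true
          git tag -a "v${MAJOR}" -m "Release v${MAJOR}"
          git tag -a "v${MAJOR}.${MINOR}" -m "Release v${MAJOR}.${MINOR}"
          git push origin "v${MAJOR}"
          git push origin "v${MAJOR}.${MINOR}"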