-
Notifications
You must be signed in to change notification settings - Fork 8
268 lines (233 loc) · 8.42 KB
/
bullfrog.yml
File metadata and controls
268 lines (233 loc) · 8.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
name: Build, test and release
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened]
branches:
- main
permissions:
contents: read
jobs:
check-diff:
permissions:
contents: read
pull-requests: read
runs-on: ubuntu-22.04
outputs:
diff: ${{ steps.changes.outputs.src }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
github.com
api.github.com
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: fallard84/paths-filter@dfb4213208eb30382ee3e27b8a810fc3fb8cc911 # v3.0.3
id: changes
with:
predicate-quantifier: "every"
filters: |
src:
- '**/*'
- '!**/*.md'
build:
runs-on: ubuntu-22.04
timeout-minutes: 5
needs: check-diff
if: ${{ needs.check-diff.outputs.diff == 'true' }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
github.com
registry.npmjs.org
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Build
run: |
make bootstrap
make build
- name: Run Unit Tests
run: |
make test.unit
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: build-artifacts
path: |
action/dist
check-artifacts:
needs: build
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
github.com
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: build-artifacts
- name: Check Artifact Build
run: |
make test.artifacts
test-lint:
runs-on: ubuntu-22.04
timeout-minutes: 5
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
registry.npmjs.org
github.com
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Bootstrap
run: |
make bootstrap
- name: Lint
run: |
make test.lint
- name: Types
run: |
make test.types
test-integration:
needs: build
runs-on: ${{ matrix.runner }}
timeout-minutes: 5
strategy:
matrix:
include:
- runner: ubuntu-22.04
arch: amd64
- runner: ubuntu-24.04
arch: amd64
- runner: ubuntu-22.04-arm
arch: arm64
- runner: ubuntu-24.04-arm
arch: arm64
- runner: ubuntu-24.04
arch: amd64-slim
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: build-artifacts
- name: Enable egress filtering
uses: ./
with:
egress-policy: block
allowed-domains: |
www.google.com
- name: Verify blocking works
run: |
if curl https://www.google.com --max-time 5 --output /dev/null; then
echo "Allowed domain works"
else
echo "Expected curl to allowed domain to succeed"
exit 1
fi
if curl https://www.bing.com --max-time 5 --output /dev/null; then
echo "Block failed - unauthorized domain accessible"
exit 1
fi
pre-release:
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
runs-on: ubuntu-22.04
permissions:
contents: write
pull-requests: write
needs: [build, check-artifacts, test-lint, test-integration]
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
major: ${{ steps.release.outputs.major }}
minor: ${{ steps.release.outputs.minor }}
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
github.com
api.github.com
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1
if: github.event_name == 'push'
id: release
with:
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
token: ${{ secrets.BULLFROG_BOT_PAT }}
pre-release-validation:
needs: pre-release
if: ${{ needs.pre-release.outputs.release_created }}
runs-on: ubuntu-22.04
timeout-minutes: 2
steps:
# This job intentionally skips `actions/checkout` to simulate bullfrog's action as if it were called from another workflow.
- uses: jenseng/dynamic-uses@8bc24f0360175e710da532c4d19eafdbed489a06
with:
uses: ${{ github.repository }}@${{ needs.pre-release.outputs.tag_name }}
with: '{"allowed-domains": "www.google.com", "egress-policy": "block"}'
- name: Make HTTP requests
run: |
if ! curl https://www.google.com --output /dev/null; then
echo 'Expected curl to www.google.com to succeed, but it failed';
exit 1;
fi;
if curl https://www.bing.com --max-time 5 --output /dev/null; then
echo 'Expected curl to www.bing.com to fail, but it succeeded';
exit 1;
fi;
release:
runs-on: ubuntu-22.04
permissions:
contents: write
needs: [pre-release, pre-release-validation]
steps:
- name: Enable egress filtering
uses: bullfrogsec/bullfrog@7bc9b6e13e2dd9cbe5861f33bc26dc6bdb9d9ed2 # v0.10.0
with:
egress-policy: block
api-token: ${{ secrets.BULLFROG_API_TOKEN }}
allowed-domains: |
github.com
api.github.com
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Promote to a release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release edit ${{ needs.pre-release.outputs.tag_name }} --prerelease=false --latest
git config user.name github-actions[bot]
git config user.email 41898282+github-actions[bot]@users.noreply.github.com
git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
git tag -d v${{ needs.pre-release.outputs.major }} || true
git tag -d v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true
git push origin :v${{ needs.pre-release.outputs.major }} || true
git push origin :v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} || true
git tag -a v${{ needs.pre-release.outputs.major }} -m "Release v${{ needs.pre-release.outputs.major }}"
git tag -a v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }} -m "Release v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }}"
git push origin v${{ needs.pre-release.outputs.major }}
git push origin v${{ needs.pre-release.outputs.major }}.${{ needs.pre-release.outputs.minor }}