Skip to content
Closed
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 70 additions & 0 deletions .github/workflows/temp-aws-push-test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: TEMPORARY AWS Push Test

@datadog-datadog-prod-us1 datadog-datadog-prod-us1 Bot Jul 23, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents: read and packages: read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation


on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
paths:
- "user-management/**"
- ".github/**"
workflow_dispatch:

env:
REGISTRY: ghcr.io
IMAGE_NAME_USER_SERVICE: ${{ github.repository_owner }}/stickerlandia/user-management-service
REPOSITORY_URL: github.com/${{ github.repository }}
ECR_REPOSITORY_URL: 772954894450.dkr.ecr.eu-west-1.amazonaws.com/stickerlandia-user-management

jobs:
push-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write
id-token: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get Commit Info
id: get_sha
run: |
echo "COMMIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_ENV

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: "us-east-1"
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_USER_SERVICE }}
tags: |
latest
${{ env.COMMIT_SHA }}

- name: Build and push Docker image to Amazon ECR
id: push-ecr
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
context: ./user-management
file: ./user-management/src/Stickerlandia.UserManagement.Api/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
GIT_COMMIT_SHA=${{ env.COMMIT_SHA }}
GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }}
DD_GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }}
DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }}
28 changes: 27 additions & 1 deletion .github/workflows/user-management.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ env:
REGISTRY: ghcr.io
IMAGE_NAME_USER_SERVICE: ${{ github.repository_owner }}/stickerlandia/user-management-service
REPOSITORY_URL: github.com/${{ github.repository }}
ECR_REPOSITORY_URL: 772954894450.dkr.ecr.eu-west-1.amazonaws.com/stickerlandia-user-management

jobs:
unit-test:
Expand Down Expand Up @@ -139,6 +140,15 @@ jobs:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: "us-east-1"
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2

@datadog-datadog-prod-us1 datadog-datadog-prod-us1 Bot Jul 23, 2025

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 High: Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation


- name: Extract metadata (tags, labels) for Docker
id: meta
Expand All @@ -149,7 +159,7 @@ jobs:
latest
${{ env.COMMIT_SHA }}

- name: Build and push Docker image
- name: Build and push Docker image to Github Container Registry
id: push
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
Expand All @@ -164,3 +174,19 @@ jobs:
GIT_REPOSITORY_URL=${{ env.REPOSITORY_URL }}
DD_GIT_REPOSITORY_URL=${{ env.REPOSITORY_URL }}
DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }}

- name: Build and push Docker image to Amazon ECR
id: push-ecr
uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
with:
context: ./user-management
file: ./user-management/src/Stickerlandia.UserManagement.Api/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
GIT_COMMIT_SHA=${{ env.COMMIT_SHA }}
GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }}
DD_GIT_REPOSITORY_URL=${{ env.ECR_REPOSITORY_URL }}
DD_GIT_COMMIT_SHA=${{ env.COMMIT_SHA }}
Loading