
feat: emit audit config condition events #3029

feat: emit audit config condition events


Workflow file for this run

name: Run Test (forks & dependabot)
# SECURITY: This workflow uses pull_request_target, which runs with write-scoped
# GITHUB_TOKEN and access to repository secrets even for fork PRs.
# The "ok to test" label gate is the primary security control.
# Maintainers MUST review fork PR code before applying the label.
# Downstream workflows (unit-tests, security-tests, integration-tests) checkout
# and execute PR head code with access to secrets.
# DO NOT:
# - Remove or weaken the label check
# - Add checkout of PR head code in this file
# - Pass secrets to new downstream workflows without security review
#
# NOTE(review): the gate below reads the label list from the event payload.
# The "remove labels" step strips the label again after each run, but a
# `synchronize` (push) event that fires between labeling and removal still
# carries the label, so a commit pushed in that window passes the gate without
# a fresh review. Restricting the gate to `github.event.action == 'labeled'`
# and having the reusable workflows check out the exact
# `github.event.pull_request.head.sha` (not the moving merge ref) would close
# that window — confirm against the downstream workflows before changing it.
on:
  pull_request_target:
    types: [opened, synchronize, reopened, labeled]
# Workflow-level token permissions are read-only; only check-label elevates.
# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
permissions:
  contents: read
  issues: read # needed for the "labeled" event?
  pull-requests: read # needed for the "labeled" event?
jobs:
  check-label:
    name: Check label
    runs-on: ubuntu-latest
    # Gate: run only for dependabot PRs or fork PRs that currently carry the
    # "ok to test" label. Any other PR (e.g. a branch in this repo) makes this
    # job skip, which in turn skips every job that `needs` it.
    if: |
      (github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'ok to test'))
      || (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'ok to test'))
    # Job-scoped elevation: removing the label needs write access on the PR
    # (labels are issue-level, hence both scopes). No PR code is executed here.
    permissions:
      issues: write
      pull-requests: write
    steps:
      # No `ref` is given, so under pull_request_target this checks out the
      # base repository, not the PR head. Keep it that way (see header).
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
      # Consume the label so a later push must be re-labeled (re-reviewed)
      # before it is tested again.
      - name: remove labels
        run: |
          gh pr edit ${{ github.event.pull_request.number }} --remove-label "ok to test"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Archives the triggering event payload as an artifact; presumably consumed
  # by a separate reporting workflow — verify. Gated only via `needs`.
  event_file:
    needs: [check-label]
    name: "Store event file"
    runs-on: ubuntu-latest
    steps:
      - name: Upload
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: Event File
          path: ${{ github.event_path }}
  # Reusable workflow; receives no secrets from this file.
  unit-tests:
    needs: [check-label]
    if: needs.check-label.result == 'success'
    uses: ./.github/workflows/unit-tests.yaml
    name: Unit tests
  # Runs only after unit tests pass; receives a single secret.
  security-tests:
    name: Security tests
    needs: [unit-tests]
    if: needs.unit-tests.result == 'success'
    uses: ./.github/workflows/security-tests.yaml
    secrets:
      MONDOO_CLIENT: ${{ secrets.MONDOO_CLIENT }}
  # Runs only after unit tests pass; this is the job with the widest secret
  # exposure, so any new secret added here needs the review called out above.
  integration-tests:
    name: Integration tests
    needs: [unit-tests]
    if: needs.unit-tests.result == 'success'
    uses: ./.github/workflows/integration-tests.yaml
    with:
      cnspecImageTag: ""
    secrets:
      MONDOO_CLIENT: ${{ secrets.MONDOO_CLIENT }}
      MONDOO_CLIENT_EDGE: ${{ secrets.MONDOO_CLIENT_EDGE }}
      MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }}
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}