feat: emit audit config condition events #3029
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run Test (forks & dependabot) | |
| # SECURITY: This workflow uses pull_request_target, which runs with write-scoped | |
| # GITHUB_TOKEN and access to repository secrets even for fork PRs. | |
| # The "ok to test" label gate is the primary security control. | |
| # Maintainers MUST review fork PR code before applying the label. | |
| # Downstream workflows (unit-tests, security-tests, integration-tests) checkout | |
| # and execute PR head code with access to secrets. | |
| # DO NOT: | |
| # - Remove or weaken the label check | |
| # - Add checkout of PR head code in this file | |
| # - Pass secrets to new downstream workflows without security review | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened, labeled] | |
| # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token | |
| permissions: | |
| contents: read | |
| issues: read # needed for the "labeled" event? | |
| pull-requests: read # needed for the "labeled" event? | |
| jobs: | |
| check-label: | |
| name: Check label | |
| runs-on: ubuntu-latest | |
| # sender.login is needed for runs re-triggered from GitHub UI | |
| if: | | |
| (github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'ok to test')) | |
| || (github.event.pull_request.head.repo.fork && contains(github.event.pull_request.labels.*.name, 'ok to test')) | |
| permissions: | |
| issues: write | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: remove labels | |
| run: | | |
| gh pr edit ${{ github.event.pull_request.number }} --remove-label "ok to test" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| event_file: | |
| needs: [check-label] | |
| name: "Store event file" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Upload | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: Event File | |
| path: ${{ github.event_path }} | |
| unit-tests: | |
| needs: [check-label] | |
| if: needs.check-label.result == 'success' | |
| uses: ./.github/workflows/unit-tests.yaml | |
| name: Unit tests | |
| security-tests: | |
| name: Security tests | |
| needs: [unit-tests] | |
| if: needs.unit-tests.result == 'success' | |
| uses: ./.github/workflows/security-tests.yaml | |
| secrets: | |
| MONDOO_CLIENT: ${{ secrets.MONDOO_CLIENT }} | |
| integration-tests: | |
| name: Integration tests | |
| needs: [unit-tests] | |
| if: needs.unit-tests.result == 'success' | |
| uses: ./.github/workflows/integration-tests.yaml | |
| with: | |
| cnspecImageTag: "" | |
| secrets: | |
| MONDOO_CLIENT: ${{ secrets.MONDOO_CLIENT }} | |
| MONDOO_CLIENT_EDGE: ${{ secrets.MONDOO_CLIENT_EDGE }} | |
| MONDOO_TEST_ORG_TOKEN: ${{ secrets.MONDOO_TEST_ORG_TOKEN }} | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} |