[StepSecurity] Apply security best practices (#12)
Signed-off-by: StepSecurity Bot <[email protected]>
step-security-bot authored Dec 15, 2023
1 parent 8f6dd55 commit 6a724f5
Showing 5 changed files with 20 additions and 14 deletions.
6 changes: 6 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
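Review bot: with `package-ecosystem: github-actions` and `directory: /`, Dependabot scans `.github/workflows/` and raises PRs that bump the full-SHA pins introduced in the workflow files, so pinning does not freeze the actions on stale releases; it rewrites the trailing `# vX` comment together with the SHA, so those comments should stay on every `uses:` line. Consider whether `interval: daily` is wanted here, since `weekly` gives the same coverage with fewer PRs, and note that this config does not cover the Nix flake inputs, which remain the job of the `update-flake-lock` workflow.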
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
@@ -17,9 +17,9 @@ jobs:
- labels: [self-hosted, linux, ARM64]
system: aarch64-linux
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@v7
- uses: DeterminateSystems/magic-nix-cache-action@v2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
- uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
if: ${{ matrix.runs-on.system != 'aarch64-linux' }}
#TODO: aarch64-linux build is crashing the runner
- run: nix build .#amazonImage -L --system ${{ matrix.runs-on.system }}
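Review bot: the `# v7` and `# v2` comments on the `DeterminateSystems/*` pins record only a major tag, unlike `# v4.1.1` on `actions/checkout`; a major tag moves, so the comment alone does not tell a reader which release the SHA corresponds to. Record the exact release tag (a `# v7.x.y` style comment) so the SHA can be checked against the upstream release without resolving it. The `if:` on the cache step and the `#TODO` about the aarch64 runner are unchanged context, so job behaviour is unaffected by this hunk.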
8 changes: 4 additions & 4 deletions .github/workflows/deploy.yml
@@ -9,10 +9,10 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@v7
- uses: DeterminateSystems/magic-nix-cache-action@v2
- uses: aws-actions/configure-aws-credentials@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
- uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
- uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: arn:aws:iam::686862074153:role/deploy
aws-region: eu-central-1
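Review bot: `role-to-assume` without static keys means `configure-aws-credentials` obtains a GitHub OIDC token, which requires `id-token: write` on the job; the hunk shows no `permissions:` block, so if this commit or a later one tightens the workflow to `permissions: contents: read`, confirm that `id-token: write` is still granted to the `deploy` job, otherwise the assume-role step will fail. Pinning `aws-actions/configure-aws-credentials` to a SHA with the exact `# v4.0.1` tag is the right call for the step that performs the credential exchange.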
6 changes: 3 additions & 3 deletions .github/workflows/update-flake-lock.yml
@@ -9,6 +9,6 @@ jobs:
update-flake-lock:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@v6
- uses: DeterminateSystems/update-flake-lock@v19
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@bc7b19257469c8029b46f45ac99ecc11156c8b2d # v6
- uses: DeterminateSystems/update-flake-lock@dec3bc3c9b11c3b9d547f47dfb579b91a6051603 # v19
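Review bot: this workflow pins `nix-installer-action` at `bc7b1925… # v6` while `ci.yml` and `deploy.yml` pin `# v7`; unless the older major is needed here, align to the same v7 SHA so every workflow installs one Nix version and Dependabot tracks a single pin. `update-flake-lock` opens pull requests, so it also needs a token permitted to do so; that is outside this hunk but worth confirming alongside any permissions tightening.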
8 changes: 4 additions & 4 deletions .github/workflows/upload-ami.yml
@@ -16,14 +16,14 @@ jobs:
- x86_64-linux
- aarch64-linux
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@v7
- uses: DeterminateSystems/magic-nix-cache-action@v2
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: DeterminateSystems/nix-installer-action@5620eb4af6b562c53e4d4628c0b6e4f9d9ae8612 # v7
- uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
- name: Download AMI from Hydra
run: |
out=$(curl --location --silent --header 'Accept: application/json' https://hydra.nixos.org/job/nixos/release-23.11/nixos.amazonImage.${{ matrix.system }}/latest-finished | jq --raw-output '.buildoutputs.out.path')
nix-store --realise $out --add-root ./result
- uses: aws-actions/configure-aws-credentials@v4
- uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
role-to-assume: arn:aws:iam::686862074153:role/upload-ami
aws-region: eu-central-1
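Review bot: in the unchanged `Download AMI from Hydra` step, `curl` runs without `--fail`, so an HTTP error from Hydra still exits 0 and the error body is piped to `jq`; the failure then surfaces only as a `jq` parse error or as `nix-store --realise null`, which is harder to diagnose than a failed download. Add `--fail` (or `--fail-with-body`) to the `curl` call and quote `"$out"`. Note also that the store path is taken from Hydra's `latest-finished` endpoint at run time, so pinning the actions in this file does not pin the artifact that gets uploaded; a check that the path matches the expected `nixos.amazonImage` output, or a comparison against the flake's own build, would close that gap.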