Bump step-security/harden-runner from 2.8.1 to 2.10.1 #155
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Docs: https://docs.github.com/en/actions | |
| name: CI/CD | |
| on: | |
| push: | |
| branches: ["master"] | |
| pull_request: | |
| branches: ["master"] | |
| env: | |
| DOCKER_REGISTRY: ghcr.io | |
| DOCKER_IMAGE_NAME: php-nginx | |
| DOCKER_IMAGE_REPO: ghcr.io/${{ github.repository_owner }}/php-nginx | |
| jobs: | |
| docker: | |
| name: Build Docker images | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Harden CI | |
| uses: step-security/[email protected] | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| actions-results-receiver-production.githubapp.com:443 | |
| auth.docker.io:443 | |
| dl-cdn.alpinelinux.org:443 | |
| github.com:443 | |
| pecl.php.net:443 | |
| production.cloudflare.docker.com:443 | |
| productionresultssa4.blob.core.windows.net:443 | |
| registry-1.docker.io:443 | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Build Docker images | |
| run: ./bin/build; | |
| - name: Save Docker images | |
| run: docker image save $(docker images --format "{{.Repository}}:{{.Tag}}" "${{ env.DOCKER_IMAGE_REPO }}") | gzip -9 > docker_images.tgz | |
| - name: Upload Docker image artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker | |
| path: docker_images.tgz | |
| test-docker: | |
| name: Test Docker images | |
| needs: [docker] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Harden CI | |
| uses: step-security/[email protected] | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: docker | |
| - name: Load Docker images | |
| run: gzip --uncompress --stdout docker_images.tgz | docker image load | |
| - name: Test Docker images | |
| run: ./bin/test; | |
| push-docker-repo: | |
| name: Push images to repository | |
| needs: [test-docker] | |
| if: github.ref == 'refs/heads/master' | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Harden CI | |
| uses: step-security/[email protected] | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| # Need source code to push README file contents to Docker Hub | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: docker | |
| - name: Load Docker images | |
| run: gzip --uncompress --stdout docker_images.tgz | docker image load | |
| - name: Log in to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ${{ env.DOCKER_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push images | |
| run: | | |
| for image_name in $(docker images --format "{{.Repository}}:{{.Tag}}" "${{ env.DOCKER_IMAGE_REPO }}"); do | |
| echo "Pushing ${image_name}"; | |
| docker push "${image_name}"; | |
| done; | |
| - name: Purge untagged images | |
| uses: actions/delete-package-versions@v5 | |
| with: | |
| package-name: ${{ env.DOCKER_IMAGE_NAME }} | |
| package-type: "container" | |
| min-versions-to-keep: 9 | |
| delete-only-untagged-versions: true |