fix: prevent command injection in GHA workflow (#27) #152
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| # Trigger the workflow on push or pull request, but only for the master branch | |
| on: | |
| pull_request: | |
| push: | |
| branches: [master] | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: | |
| # INFO: The following configuration block ensures that only one build runs per branch, | |
| # which may be desirable for projects with a costly build process. | |
| # Remove this block from the CI workflow to let each CI job run to completion. | |
| concurrency: | |
| group: build-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: GHC ${{ matrix.ghc-version }} on ${{ matrix.os }} | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest] | |
| ghc-version: ['9.4'] | |
| cabal: ['3.10.2.1'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up GHC ${{ matrix.ghc-version }} | |
| uses: haskell-actions/setup@v2 | |
| id: setup | |
| with: | |
| ghc-version: ${{ matrix.ghc-version }} | |
| # Defaults, added for clarity: | |
| cabal-version: ${{ matrix.cabal }} | |
| cabal-update: true | |
| - name: Configure the build | |
| run: | | |
| cabal configure --enable-tests --enable-benchmarks --disable-documentation | |
| cabal build all --dry-run | |
| # The last step generates dist-newstyle/cache/plan.json for the cache key. | |
| - name: Restore cached dependencies | |
| uses: actions/cache/restore@v3 | |
| id: cache | |
| env: | |
| key: ${{ runner.os }}-ghc-${{ steps.setup.outputs.ghc-version }}-cabal-${{ steps.setup.outputs.cabal-version }} | |
| with: | |
| path: ${{ steps.setup.outputs.cabal-store }} | |
| key: ${{ env.key }}-plan-${{ hashFiles('**/plan.json') }} | |
| restore-keys: ${{ env.key }}- | |
| - name: Install dependencies | |
| # If we had an exact cache hit, the dependencies will be up to date. | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: cabal build all --only-dependencies | |
| # Cache dependencies already here, so that we do not have to rebuild them should the subsequent steps fail. | |
| - name: Save cached dependencies | |
| uses: actions/cache/save@v3 | |
| # If we had an exact cache hit, trying to save the cache would error because of key clash. | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| with: | |
| path: ${{ steps.setup.outputs.cabal-store }} | |
| key: ${{ steps.cache.outputs.cache-primary-key }} | |
| - name: Build | |
| run: cabal build all | |
| - name: Run tests | |
| run: cabal test all | |
| - name: Check cabal file | |
| run: cabal check | |
| publish: | |
| # needs : build | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - uses: actions/checkout@v2 | |
| - name: Set tag output | |
| id: vars | |
| run: echo "tag=${GITHUB_REF#refs/*/v}" >> $GITHUB_OUTPUT | |
| - name: Check tag | |
| run: echo ${TAG} | |
| env: | |
| TAG: ${{ steps.vars.outputs.tag }} | |
| - name: Build Image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: ldap-scim-bridge | |
| tags: ${{ steps.vars.outputs.tag }} | |
| dockerfiles: | | |
| ./Dockerfile | |
| - name: Push To quay.io | |
| id: push-to-quay | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: quay.io/wire | |
| username: wire+ldapscimbridge | |
| password: ${{ secrets.REGISTRY_PASSWORD }} | |
| - name: Print image url | |
| run: echo "Image pushed to ${{ steps.push-to-quay.outputs.registry-paths }}" |