Merge pull request #118 from cyber-dojo/minimize-scope-of-snyk-token
Minimize scope of snyk token in workflow
JonJagger authored Jan 22, 2025
2 parents 1825c1a + fbbf22b commit 3f26e8a
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions .github/workflows/main.yml
Expand Up @@ -27,13 +27,13 @@ env:
KOSLI_ORG: ${{ vars.KOSLI_ORG }} # cyber-dojo
KOSLI_FLOW: ${{ vars.KOSLI_FLOW }} # saver-ci
KOSLI_TRAIL: ${{ inputs.KOSLI_TRAIL }}
SERVICE_NAME: ${{ github.event.repository.name }} # saver

AWS_ACCOUNT_ID: ${{ vars.AWS_ACCOUNT_ID }}
AWS_ECR_ID: ${{ vars.AWS_ECR_ID }}
AWS_REGION: ${{ vars.AWS_REGION }}
DOCKER_API_VERSION: ${{ vars.DOCKER_API_VERSION }}
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SERVICE_NAME: ${{ github.event.repository.name }} # saver
IMAGE_TAR_FILENAME: /tmp/${{ github.event.repository.name }}:${{ github.sha }}.tar
DOCKER_API_VERSION: ${{ vars.DOCKER_API_VERSION }}

jobs:

Expand Down Expand Up @@ -119,6 +119,8 @@ jobs:
uses: snyk/actions/setup@master

- name: Run Snyk code scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run:
snyk code test
--policy-path=.snyk
Expand Down Expand Up @@ -185,7 +187,7 @@ jobs:
DIGEST=$(echo ${{ steps.docker_build.outputs.digest }} | sed 's/.*://')
echo "digest=${DIGEST}" >> ${GITHUB_OUTPUT}
- name: Tar Docker image
- name: Save Docker image
run:
docker image save "${IMAGE_NAME}" --output "${IMAGE_TAR_FILENAME}"

Expand Down Expand Up @@ -345,6 +347,8 @@ jobs:
uses: snyk/actions/setup@master

- name: Run Snyk container scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
run:
snyk container test "${IMAGE_NAME}"
--file=Dockerfile
Expand Down Expand Up @@ -465,6 +469,7 @@ jobs:
needs: [setup, deploy-to-prod]
env:
IMAGE_NAME: ${{ needs.setup.outputs.image_name }}
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
steps:
- name: Retrieve Docker image from cache
uses: actions/cache@v4
Expand All @@ -482,8 +487,6 @@ jobs:
password: ${{ secrets.DOCKER_PASS }}

- name: Tag images and push to Dockerhub
env:
IMAGE_TAG: ${{ needs.setup.outputs.image_tag }}
run: |
TAGGED="cyberdojo/${SERVICE_NAME}:${IMAGE_TAG}"
docker tag "${IMAGE_NAME}" "${TAGGED}"
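Review bot: Both Snyk steps that now carry `SNYK_TOKEN` in their step-level `env:` (`Run Snyk code scan` and `Run Snyk container scan`) run a binary installed by `uses: snyk/actions/setup@master` on the context line just above each of them, a floating mutable ref, so the narrowed scope is only as strong as the trust in whatever `master` points to when the job runs. Pinning that action to a full commit SHA with the version recorded in a trailing comment, e.g. `uses: snyk/actions/setup@<commit-sha>  # vX.Y.Z`, would close that gap; the setup lines are context here, so this may already be handled outside the hunk. As a matter of style, the `run:` values in both steps are multi-line plain scalars that YAML silently folds into one line; `run: >-` states the folding explicitly and keeps a later argument containing ` #` or `: ` from being read as a comment or a mapping.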
