Merge pull request #136 from redhat-cop/renovate/step-security-harden… #447

Workflow file for this run

.github/workflows/validate.yaml at 408111e

	name: Validate and Release

	on: [push, pull_request]

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	validate:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Run ShellCheck
	uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
	env:
	SHELLCHECK_OPTS: -x
	with:
	ignore_paths: test

	- name: Conftest - tests.sh
	uses: redhat-cop/github-actions/confbatstest@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3
	with:
	tests: test/tests.sh

	- name: Conftest - tests_fail.sh
	uses: redhat-cop/github-actions/confbatstest@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3
	with:
	raw: test/tests_fail.sh > tests_fail.log \|\| exit 0

	- name: Check failed tests
	run: \|
	if [[ $(grep -c "not ok" tests_fail.log) -ne 9 ]]; then
	echo "Expected a fixed number of failed jobs. Failing."
	cat tests_fail.log
	exit 1
	fi

	- name: Tar and Generate hashes
	shell: bash
	id: hash
	run: \|
	tar cvf bats-library.tar load.bash src/

	echo "hashes=$(sha256sum bats-library.tar \| base64 -w0)" >> "$GITHUB_OUTPUT"

	- name: Upload bats-library.tar
	uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4
	with:
	name: bats-library.tar
	path: bats-library.tar
	if-no-files-found: error
	retention-days: 5

	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}

	provenance:
	needs: [validate]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	actions: read
	id-token: write
	contents: write
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
	with:
	base64-subjects: "${{ needs.validate.outputs.hashes }}"
	upload-assets: true

	release:
	needs: [validate, provenance]
	runs-on: ubuntu-latest
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	contents: write
	steps:
	- name: Download bats-library.tar
	uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
	with:
	name: bats-library.tar

	- name: Upload assets to release
	uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
	with:
	files: \|
	bats-library.tar

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #136 from redhat-cop/renovate/step-security-harden… #447

Workflow file

Merge pull request #136 from redhat-cop/renovate/step-security-harden… #447

Jobs

Run details

Workflow file for this run