ci: Adding check if secrets exist

sscheib · Jul 18, 2024 · 741bfcb · 741bfcb
1 parent 5c3048e
commit 741bfcb
Show file tree

Hide file tree

Showing 5 changed files with 95 additions and 13 deletions.
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
@@ -4,7 +4,6 @@ on:  # yamllint disable-line rule:truthy
   pull_request:
     branches:
       - 'main'
-  workflow_dispatch: {}
 
 permissions:
   contents: 'read'

diff --git a/.github/workflows/molecule_certified_ees.yml b/.github/workflows/molecule_certified_ees.yml
@@ -68,8 +68,7 @@ jobs:
         uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
         with:
           disable-sudo: true
-          egress-policy: 'audit'
-          # allowed-endpoints: >
+          egress-policy: 'block'
 
       - name: 'Check if all required secrets are defined'
         id: 'secret-check'

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,8 +10,39 @@ permissions:
   contents: 'read'
 
 jobs:
+  check-secrets:
+    name: 'Check if required secrets are available'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+    outputs:
+      secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}'
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: 'block'
+
+      - name: 'Check if all required secrets are defined'
+        id: 'secret-check'
+        shell: 'bash'
+        run: |
+          (
+            [[ "${{ secrets.RELEASE_TOKEN }}" != '' ]] &&
+            [[ "${{ secrets.GALAXY_API_KEY }}" != '' ]]
+          ) || {
+            echo "secrets-defined=false" >> "${GITHUB_OUTPUT}";
+            exit 0;
+          };
+
+          # secrets not empty, so assuming defined
+          echo "secrets-defined=true" >> "${GITHUB_OUTPUT}";
+
   release:
     name: 'Publish to Ansible Galaxy'
+    if: "needs.check-secrets.outputs.secrets-defined == 'true'"
+    needs: 'check-secrets'
     runs-on: 'ubuntu-latest'
     permissions:
       contents: 'write'
@@ -42,6 +73,6 @@ jobs:
       - name: 'Publish to Ansible Galaxy'
         uses: 'robertdebock/galaxy-action@7d89099e09f4385ec4b53eb58c0d120f1ad806dd' # 1.2.1
         with:
-          galaxy_api_key: '${{ secrets.galaxy_api_key }}'
+          galaxy_api_key: '${{ secrets.GALAXY_API_KEY }}'
           git_branch: 'main'
 ...
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -54,15 +54,40 @@ env:
   cache_key: 'renovate-cache'
 
 jobs:
+  check-secrets:
+    name: 'Check if required secrets are available'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+    outputs:
+      secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}'
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: 'block'
+
+      - name: 'Check if all required secrets are defined'
+        id: 'secret-check'
+        shell: 'bash'
+        run: |
+          (
+            [[ "${{ secrets.CRC_USERNAME }}" != '' ]] &&
+            [[ "${{ secrets.CRC_PASSWORD }}" != '' ]] &&
+            [[ "${{ secrets.RENOVATE_TOKEN }}" != '' ]]
+          ) || {
+            echo "secrets-defined=false" >> "${GITHUB_OUTPUT}";
+            exit 0;
+          };
+
+          # secrets not empty, so assuming defined
+          echo "secrets-defined=true" >> "${GITHUB_OUTPUT}";
+
   validate-config:
-    # run the schedule only on the main repository - manual runs via workflow_dispatch still work
-    if: >-
-      (
-        github.event_name == 'schedule' &&
-        github.repository == 'sscheib/ansible-role-file_deployment'
-      ) || (
-        github.event_name != 'schedule'
-      )
+    name: 'Validate renovate configuration'
+    if: "needs.check-secrets.outputs.secrets-defined == 'true'"
+    needs: 'check-secrets'
     runs-on: 'ubuntu-latest'
     permissions:
       contents: 'read'
@@ -231,7 +256,7 @@ jobs:
           # renovate self-update: datasource=docker depName=renovatebot/renovate registryUrl=https://ghcr.io
           renovate-version: '37.431.4'
           configurationFile: '.github/renovate_global.js'
-          token: '${{ secrets.renovate_token }}'
+          token: '${{ secrets.RENOVATE_TOKEN }}'
         env:
           RENOVATE_REPOSITORY_CACHE: "${{ github.event.inputs.repoCache || 'enabled' }}"
           RENOVATE_REPOSITORIES: '${{ github.repository }}'

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -17,8 +17,36 @@ on:  # yamllint disable-line rule:truthy
 permissions: 'read-all'
 
 jobs:
+  check-secrets:
+    name: 'Check if required secrets are available'
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+    outputs:
+      secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}'
+    steps:
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: 'block'
+
+      - name: 'Check if all required secrets are defined'
+        id: 'secret-check'
+        shell: 'bash'
+        run: |
+          [[ "${{ secrets.SCORECARD_TOKEN }}" != '' ]] || {
+            echo "secrets-defined=false" >> "${GITHUB_OUTPUT}";
+            exit 0;
+          };
+
+          # secrets not empty, so assuming defined
+          echo "secrets-defined=true" >> "${GITHUB_OUTPUT}";
+
   analysis:
     name: 'Scorecard analysis'
+    if: "needs.check-secrets.outputs.secrets-defined == 'true'"
+    needs: 'check-secrets'
     runs-on: 'ubuntu-latest'
     permissions:
       # Needed to upload the results to code-scanning dashboard.