From 741bfcb7f32cc9c061658822501d9060d619681e Mon Sep 17 00:00:00 2001 From: Steffen Scheib Date: Thu, 18 Jul 2024 22:17:25 +0200 Subject: [PATCH] ci: Adding check if secrets exist --- .github/workflows/dependency_review.yml | 1 - .github/workflows/molecule_certified_ees.yml | 3 +- .github/workflows/release.yml | 33 ++++++++++++++- .github/workflows/renovate.yml | 43 ++++++++++++++++---- .github/workflows/scorecard.yml | 28 +++++++++++++ 5 files changed, 95 insertions(+), 13 deletions(-) diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml index ade2bd9e..1e3b0544 100644 --- a/.github/workflows/dependency_review.yml +++ b/.github/workflows/dependency_review.yml @@ -4,7 +4,6 @@ on: # yamllint disable-line rule:truthy pull_request: branches: - 'main' - workflow_dispatch: {} permissions: contents: 'read' diff --git a/.github/workflows/molecule_certified_ees.yml b/.github/workflows/molecule_certified_ees.yml index ead29e65..2f10b467 100644 --- a/.github/workflows/molecule_certified_ees.yml +++ b/.github/workflows/molecule_certified_ees.yml @@ -68,8 +68,7 @@ jobs: uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 with: disable-sudo: true - egress-policy: 'audit' - # allowed-endpoints: > + egress-policy: 'block' - name: 'Check if all required secrets are defined' id: 'secret-check' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6d09a4fd..8170bf39 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
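Review bot: In the molecule_certified_ees.yml hunk, `egress-policy` is switched from 'audit' to 'block' while the `# allowed-endpoints: >` placeholder is removed rather than filled in, so any later step in this job that reaches a host outside the set harden-runner permits by default will have its connections dropped. The rest of the job is outside the hunk, so I cannot see whether molecule pulls container images or installs packages there, but if it does, add `allowed-endpoints: >-` followed by the required `host:port` entries under `with:`, or keep 'audit' for one run and take the list from the harden-runner report before enforcing 'block'.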
@@ -10,8 +10,39 @@ permissions: contents: 'read' jobs: + check-secrets: + name: 'Check if required secrets are available' + runs-on: 'ubuntu-latest' + permissions: + contents: 'read' + outputs: + secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}' + steps: + - name: 'Harden Runner' + uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 + with: + disable-sudo: true + egress-policy: 'block' + + - name: 'Check if all required secrets are defined' + id: 'secret-check' + shell: 'bash' + run: | + ( + [[ "${{ secrets.RELEASE_TOKEN }}" != '' ]] && + [[ "${{ secrets.GALAXY_API_KEY }}" != '' ]] + ) || { + echo "secrets-defined=false" >> "${GITHUB_OUTPUT}"; + exit 0; + }; + + # secrets not empty, so assuming defined + echo "secrets-defined=true" >> "${GITHUB_OUTPUT}"; + release: name: 'Publish to Ansible Galaxy' + if: "needs.check-secrets.outputs.secrets-defined == 'true'" + needs: 'check-secrets' runs-on: 'ubuntu-latest' permissions: contents: 'write' @@ -42,6 +73,6 @@ jobs: - name: 'Publish to Ansible Galaxy' uses: 'robertdebock/galaxy-action@7d89099e09f4385ec4b53eb58c0d120f1ad806dd' # 1.2.1 with: - galaxy_api_key: '${{ secrets.galaxy_api_key }}' + galaxy_api_key: '${{ secrets.GALAXY_API_KEY }}' git_branch: 'main' ... diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 9e5bc960..80f7f979 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml 
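Review bot: The secret-check step interpolates the secret values straight into the shell source via `${{ secrets.RELEASE_TOKEN }}` and `${{ secrets.GALAXY_API_KEY }}`; the expression is expanded before bash sees the script, so a value containing a double quote or `$(` changes the script instead of being tested. Pass the secrets through `env:` and test the variables with `[[ -n "${RELEASE_TOKEN}" ]]` as below; the same pattern appears in the check-secrets jobs of renovate.yml (CRC_USERNAME, CRC_PASSWORD, RENOVATE_TOKEN) and scorecard.yml (SCORECARD_TOKEN). When the check reports false the run still finishes green with the release job skipped, so a line such as `echo "::warning::RELEASE_TOKEN or GALAXY_API_KEY is not set; skipping release"` before `exit 0` would make the misconfiguration visible in the run summary.
```yaml
        shell: 'bash'
        env:
          RELEASE_TOKEN: '${{ secrets.RELEASE_TOKEN }}'
          GALAXY_API_KEY: '${{ secrets.GALAXY_API_KEY }}'
        run: |
          (
            [[ -n "${RELEASE_TOKEN}" ]] &&
            [[ -n "${GALAXY_API_KEY}" ]]
          ) || {
          # … unchanged: secrets-defined=false / exit 0 / secrets-defined=true writes …
```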
@@ -54,15 +54,40 @@ env: cache_key: 'renovate-cache' jobs: + check-secrets: + name: 'Check if required secrets are available' + runs-on: 'ubuntu-latest' + permissions: + contents: 'read' + outputs: + secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}' + steps: + - name: 'Harden Runner' + uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 + with: + disable-sudo: true + egress-policy: 'block' + + - name: 'Check if all required secrets are defined' + id: 'secret-check' + shell: 'bash' + run: | + ( + [[ "${{ secrets.CRC_USERNAME }}" != '' ]] && + [[ "${{ secrets.CRC_PASSWORD }}" != '' ]] && + [[ "${{ secrets.RENOVATE_TOKEN }}" != '' ]] + ) || { + echo "secrets-defined=false" >> "${GITHUB_OUTPUT}"; + exit 0; + }; + + # secrets not empty, so assuming defined + echo "secrets-defined=true" >> "${GITHUB_OUTPUT}"; + validate-config: - # run the schedule only on the main repository - manual runs via workflow_dispatch still work - if: >- - ( - github.event_name == 'schedule' && - github.repository == 'sscheib/ansible-role-file_deployment' - ) || ( - github.event_name != 'schedule' - ) + name: 'Validate renovate configuration' + if: "needs.check-secrets.outputs.secrets-defined == 'true'" + needs: 'check-secrets' runs-on: 'ubuntu-latest' permissions: contents: 'read' @@ -231,7 +256,7 @@ jobs: # renovate self-update: datasource=docker depName=renovatebot/renovate registryUrl=https://ghcr.io renovate-version: '37.431.4' configurationFile: '.github/renovate_global.js' - token: '${{ secrets.renovate_token }}' + token: '${{ secrets.RENOVATE_TOKEN }}' env: RENOVATE_REPOSITORY_CACHE: "${{ github.event.inputs.repoCache || 'enabled' }}" RENOVATE_REPOSITORIES: '${{ github.repository }}' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 451229b6..a77c6b04 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
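Review bot: The `if:` on validate-config that limited scheduled runs to `github.repository == 'sscheib/ansible-role-file_deployment'` is dropped and replaced by the secrets gate, which is a behaviour change the commit title ("check if secrets exist") does not mention. A fork that defines CRC_USERNAME, CRC_PASSWORD and RENOVATE_TOKEN will now run the schedule as well; if that is not intended, keep both conditions, e.g. `if: "needs.check-secrets.outputs.secrets-defined == 'true' && (github.event_name != 'schedule' || github.repository == 'sscheib/ansible-role-file_deployment')"`. Only validate-config is gated in this hunk; whether the later job that consumes RENOVATE_TOKEN (second hunk) is chained through `needs:` lies outside the hunk, so confirm it cannot run when check-secrets reports false.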
@@ -17,8 +17,36 @@ on: # yamllint disable-line rule:truthy permissions: 'read-all' jobs: + check-secrets: + name: 'Check if required secrets are available' + runs-on: 'ubuntu-latest' + permissions: + contents: 'read' + outputs: + secrets-defined: '${{ steps.secret-check.outputs.secrets-defined }}' + steps: + - name: 'Harden Runner' + uses: 'step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6' # v2.8.1 + with: + disable-sudo: true + egress-policy: 'block' + + - name: 'Check if all required secrets are defined' + id: 'secret-check' + shell: 'bash' + run: | + [[ "${{ secrets.SCORECARD_TOKEN }}" != '' ]] || { + echo "secrets-defined=false" >> "${GITHUB_OUTPUT}"; + exit 0; + }; + + # secrets not empty, so assuming defined + echo "secrets-defined=true" >> "${GITHUB_OUTPUT}"; + analysis: name: 'Scorecard analysis' + if: "needs.check-secrets.outputs.secrets-defined == 'true'" + needs: 'check-secrets' runs-on: 'ubuntu-latest' permissions: # Needed to upload the results to code-scanning dashboard.
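Review bot: The check-secrets job is now copied into three workflows (release.yml, renovate.yml and this one) with only the secret names differing, and this copy already drifts in shape: a bare `[[ … ]] || {` where the other two wrap the tests in a `( … ) &&` group. A reusable workflow (`on: workflow_call` receiving the secrets) or at least one shared shell shape would keep the three from diverging further when the next secret is added. If the analysis step only needs SCORECARD_TOKEN for an optional input (not visible in this hunk), gating the entire analysis job on it is stricter than necessary and should be confirmed against the step that uses it.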