build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.0 #1306
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Deployment test | |
on: | |
pull_request_target: | |
types: ['opened', 'reopened', 'synchronize', 'labeled'] | |
workflow_dispatch: | |
inputs: | |
test_filter: | |
type: string | |
default: '' | |
description: Filter for the tests to run | |
required: false | |
terratest_log: | |
type: string | |
default: '' | |
description: Enable Terratest logging | |
required: false | |
permissions: | |
contents: read | |
pull-requests: read | |
id-token: write | |
actions: read | |
checks: read | |
deployments: read | |
concurrency: | |
group: deploytest-${{ github.event.pull_request.head.repo.full_name }}/${{ github.head_ref || github.run_id }} | |
cancel-in-progress: false | |
jobs: | |
deploytest: | |
name: Deployment test | |
environment: CSUTF | |
if: | | |
( | |
( | |
contains(github.event.pull_request.labels.*.name, 'PR: Safe to test :test_tube:') | |
) | |
|| | |
( | |
github.event_name == 'workflow_dispatch' | |
) | |
) | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
azapi_version: ['latest'] | |
azurerm_version: ['latest'] | |
terraform_version: ['latest'] | |
steps: | |
- name: Show env | |
run: env | sort | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
persist-credentials: false | |
- name: Setup Terraform | |
uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{ matrix.terraform_version }} | |
terraform_wrapper: false | |
- name: Setup go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.20.x' | |
cache-dependency-path: tests/go.sum | |
- name: Azure login | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
allow-no-subscriptions: true | |
# This is a terrible hack but this is due to the fact that AZURE_TENANT_ID is required, | |
# it allows MSI to be tried for authentication. As GitHub actions runners are in Azure, this fails. | |
# This only works on Linux based runners | |
- name: iptables block MSI endpoint | |
run: sudo iptables -I OUTPUT --destination 169.254.169.254 -j REJECT | |
- name: Set GOMAXPROCS to 2 * number of cores | |
run: | | |
CORES="$(grep -Pc '^processor\t' /proc/cpuinfo)" | |
((DOUBLE=CORES*2)) | |
echo "Setting GOMAXPROCS to $DOUBLE" | |
echo "GOMAXPROCS=$DOUBLE" >> "$GITHUB_ENV" | |
- name: Go test | |
run: make TESTARGS='-v' TESTFILTER='${{ github.event.inputs.test_filter }}' testdeploy | |
env: | |
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
ARM_USE_OIDC: true | |
AZURE_BILLING_SCOPE: ${{ secrets.AZURE_BILLING_SCOPE }} | |
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZAPI_VERSION: ${{ matrix.azapi_version }} | |
AZURERM_VERSION: ${{ matrix.azurerm_version }} | |
TERRATEST_LOG: ${{ github.event.inputs.terratest_log }} | |
# This only works on Linux based runners | |
- name: Azure logout | |
uses: azure/CLI@v2 | |
if: always() | |
with: | |
inlineScript: | | |
az logout | |
az cache purge | |
az account clear |