Skip to content

Update github/codeql-action action to v3.26.2 #533

Update github/codeql-action action to v3.26.2

Update github/codeql-action action to v3.26.2 #533

name: Run conftest-unittests.sh
on: [push, pull_request]
# Declare default permissions as read only.
permissions: read-all
jobs:
conftest:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Conftest
uses: redhat-cop/github-actions/confbatstest@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3
with:
tests: _test/conftest-unittests.sh
policies: '[]' # An empty array is provided as the policies are already cloned via source.
- name: Tar and Generate hashes
shell: bash
id: hash
run: |
tar cvf policy.tar policy/
echo "hashes=$(sha256sum policy.tar | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload policy.tar
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4
with:
name: policy.tar
path: policy.tar
if-no-files-found: error
retention-days: 5
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
provenance:
needs: [conftest]
if: startsWith(github.ref, 'refs/tags/')
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
base64-subjects: "${{ needs.conftest.outputs.hashes }}"
upload-assets: true
release:
needs: [conftest, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
steps:
- name: Download policy.tar
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: policy.tar
- name: Upload assets to release
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
files: |
policy.tar