diff --git a/.github/workflows/_containerTemplate.yml b/.github/workflows/_containerTemplate.yml
index e158993..c5d1c0b 100644
--- a/.github/workflows/_containerTemplate.yml
+++ b/.github/workflows/_containerTemplate.yml
@@ -41,6 +41,11 @@ jobs:
 continue-on-error: false
 environment: ${{ inputs.environment }}
 
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
 steps:
 # Check Out Repository
 - name: Check Out Repository
@@ -108,8 +113,7 @@ jobs:
 id: sign
 if: ${{ github.event_name != 'pull_request' }}
 run: |
- echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ cosign sign --yes "${TAGS}@${DIGEST}"
 env:
- # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 TAGS: ${{ steps.metadata.outputs.tags }}
 DIGEST: ${{ steps.build_push.outputs.digest }}
diff --git a/.github/workflows/_functionAppDeployTemplate.yml b/.github/workflows/_functionAppDeployTemplate.yml
index deb171b..6c0bd63 100644
--- a/.github/workflows/_functionAppDeployTemplate.yml
+++ b/.github/workflows/_functionAppDeployTemplate.yml
@@ -63,10 +63,12 @@ jobs:
 id: function_dependencies
 shell: bash
 run: |
- pushd '${{ inputs.function_directory }}'
+ pushd "${FUNCTION_DIRECTORY}"
 python -m pip install --upgrade pip
 pip install -r requirements.txt --target=".python_packages/lib/site-packages"
 popd
+ env:
+ FUNCTION_DIRECTORY: ${{ inputs.function_directory }}
 
 # Login to Azure
 - name: Azure Login
diff --git a/.github/workflows/_functionAppTestTemplate.yml b/.github/workflows/_functionAppTestTemplate.yml
index f90d023..c58e418 100644
--- a/.github/workflows/_functionAppTestTemplate.yml
+++ b/.github/workflows/_functionAppTestTemplate.yml
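Review bot: The new `permissions` block grants `packages: write` and `id-token: write` without recording why, so the next editor cannot tell which step depends on which grant; a comment per entry would keep the block at least-privilege over time, e.g. `packages: write  # push the built image to the registry` and `id-token: write  # OIDC token for the cosign sign step`. Note that `id-token: write` is job-scoped, so every step in this job, including any third-party action, can request an OIDC token, not only the `sign` step; pinning those actions to commit SHAs (their `uses:` lines are outside this hunk) limits what a compromised action could do with that capability. The `steps:` list that follows this block continues past the hunk.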
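Review bot: `cosign sign --yes "${TAGS}@${DIGEST}"` only works when `steps.metadata.outputs.tags` holds a single tag; if that step is docker/metadata-action (inferred from the name), it emits a newline-separated list when several tags are configured, which the removed `xargs` loop handled and the new line would pass as one argument containing newlines. If more than one tag is possible, keep the quoting fix but iterate: `while IFS= read -r tag; do [ -n "$tag" ] && cosign sign --yes "${tag}@${DIGEST}"; done <<< "${TAGS}"`. The deleted comment linking the intermediate-environment-variable guidance was the rationale for routing `TAGS`/`DIGEST` through `env:` and is worth keeping so the indirection is not "simplified" away later. The step's `- name:` line is above the hunk.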
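Review bot: Moving the directory into `FUNCTION_DIRECTORY` closes the expression injection, but the dependency install right after it still has no integrity check; if `requirements.txt` is not hash-pinned (not visible here), `pip install --require-hashes -r requirements.txt --target=".python_packages/lib/site-packages"` would make the packaged dependency set verifiable. A short comment on the new `env:` key, `# passed via env so the input is never interpolated into the script`, documents the hardening so it is not reverted for brevity. The step's `- name:` line sits above the hunk.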
@@ -40,6 +40,8 @@ jobs:
 - name: Run Python Tests
 id: python_test
 run: |
- pip install -r ${{ inputs.function_directory }}/requirements.txt -q
+ pip install -r "${FUNCTION_DIRECTORY}/requirements.txt" -q
 pip install -r requirements.txt -q
 pytest
+ env:
+ FUNCTION_DIRECTORY: ${{ inputs.function_directory }}
diff --git a/.github/workflows/_terraformApplyTemplate.yml b/.github/workflows/_terraformApplyTemplate.yml
index fc326eb..69e8498 100644
--- a/.github/workflows/_terraformApplyTemplate.yml
+++ b/.github/workflows/_terraformApplyTemplate.yml
@@ -82,4 +82,7 @@ jobs:
 - name: Terraform Apply
 working-directory: ${{ inputs.working_directory }}
 run: |
- terraform apply -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -auto-approve -input=false
+ terraform apply -var-file="vars.${ENVIRONMENT}.tfvars" -var="my_secret=${MY_SAMPLE_SECRET}" -auto-approve -input=false
+ env:
+ ENVIRONMENT: ${{ inputs.environment }}
+ MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
diff --git a/.github/workflows/_terraformPlanTemplate.yml b/.github/workflows/_terraformPlanTemplate.yml
index d009a6d..eaf1c61 100644
--- a/.github/workflows/_terraformPlanTemplate.yml
+++ b/.github/workflows/_terraformPlanTemplate.yml
@@ -92,7 +92,10 @@ jobs:
 id: terraform_plan
 working-directory: ${{ inputs.working_directory }}
 run: |
- terraform plan -var-file vars.${{ inputs.environment }}.tfvars -var='my_secret=${{ secrets.MY_SAMPLE_SECRET }}' -input=false
+ terraform plan -var-file="vars.${ENVIRONMENT}.tfvars" -var="my_secret=${MY_SAMPLE_SECRET}" -input=false
+ env:
+ ENVIRONMENT: ${{ inputs.environment }}
+ MY_SAMPLE_SECRET: ${{ secrets.MY_SAMPLE_SECRET }}
 
 # Add Pull Request Comment
 - name: Add Pull Request Comment
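Review bot: Unlike the dependency step in the deploy template, this step declares no `shell:`, so the new `"${FUNCTION_DIRECTORY}/requirements.txt"` expansion depends on the runner's default shell; that is bash on Linux runners, but on a Windows runner (runner OS is not visible here) the default is pwsh, where `${FUNCTION_DIRECTORY}` would not expand. Adding `shell: bash` under `id: python_test` makes the env-var usage portable and keeps the two templates consistent.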
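Review bot: `-var="my_secret=${MY_SAMPLE_SECRET}"` still puts the secret into the terraform process argv, where it is readable via `ps`/`/proc` on the runner and by any shell tracing, even though it no longer appears in the script text. Terraform reads `TF_VAR_<name>` from the environment, so rename the env key to `TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}` and drop the flag: `terraform apply -var-file="vars.${ENVIRONMENT}.tfvars" -auto-approve -input=false`. This does not keep the value out of state; that depends on the variable being declared `sensitive = true` and on the state backend's protections, neither of which is visible in this diff.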
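Review bot: The plan produced here feeds the "Add Pull Request Comment" step that follows, so unless `my_secret` is declared `sensitive = true` in its variable block (not visible in this diff), the value passed via `-var="my_secret=${MY_SAMPLE_SECRET}"` can be echoed into the PR comment in plain text if any resource attribute depends on it. Prefer supplying it as `TF_VAR_my_secret: ${{ secrets.MY_SAMPLE_SECRET }}` in `env:` and running `terraform plan -var-file="vars.${ENVIRONMENT}.tfvars" -input=false`, which also keeps the secret out of the process argv. A comment on the env key, `# secret is read by Terraform from the environment, never from argv`, would record that choice.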