created terraform #13
base: main
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,91 @@ | ||||||||||||||
| name: Go Code Quality | ||||||||||||||
|
|
||||||||||||||
| on: | ||||||||||||||
| workflow_call: | ||||||||||||||
|
|
||||||||||||||
| jobs: | ||||||||||||||
| code-quality: | ||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||
|
|
||||||||||||||
| strategy: | ||||||||||||||
| fail-fast: false | ||||||||||||||
|
|
||||||||||||||
| matrix: | ||||||||||||||
| go-version: ["1.21", "1.22", "1.23"] | ||||||||||||||
|
|
||||||||||||||
| steps: | ||||||||||||||
| # ============================== | ||||||||||||||
| # Checkout Repository | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Checkout Code | ||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||
|
|
||||||||||||||
|
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout steps explicitly disable credential persistence
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows
rg -n 'persist-credentials:\s*false' .github/workflows

Repository: LondheShubham153/github-actions-kubernetes-masterclass
Length of output: 945

🏁 Script executed:

cat -n .github/workflows/code-quality-check.yml | sed -n '15,30p'

Repository: LondheShubham153/github-actions-kubernetes-masterclass
Length of output: 596

🏁 Script executed:

cat -n .github/workflows/cd-k8s.yml | sed -n '14,22p'

Repository: LondheShubham153/github-actions-kubernetes-masterclass
Length of output: 391

🌐 Web query:

💡 Result: Best-practice answer (security): set persist-credentials: false on actions/checkout unless you specifically need later steps to run authenticated git commands using the checkout token.

Why: actions/checkout can persist the auth token in the local git config so scripts can run authenticated git commands, and the token is removed during post-job cleanup; opting out via persist-credentials: false prevents that persistence. [1][2]

Recommended pattern
- Always harden checkout steps:
  - uses: actions/checkout@v4 (or newer)
  - with: persist-credentials: false
This ensures the token is not persisted to the repository’s git configuration for subsequent steps. [1][2]

When you might keep it enabled
- Only when you truly need later steps to run authenticated git operations without manually reconfiguring credentials (for example, actions that assume the persisted credentials are available after checkout). [1][3]

Additional defense-in-depth (separate from persist-credentials)
- Constrain GITHUB_TOKEN permissions (e.g., use a permissions block / least privilege) so that even if credentials were exposed, the blast radius is reduced. [4]

Concrete example
- name: Checkout
  uses: actions/checkout@v4
  with:
    persist-credentials: false
This is the explicit remediation repeatedly called out by the checkout action maintainers’ guidance and security discussions. [2][5]

Citations:

Add The Suggested patch

- name: Checkout Code
uses: actions/checkout@v4
+ with:
+ persist-credentials: false

🧰 Tools
🪛 zizmor (1.25.2)
[warning] 21-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
||||||||||||||
| # ============================== | ||||||||||||||
| # Setup Go Environment | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Setup Go ${{ matrix.go-version }} | ||||||||||||||
| uses: actions/setup-go@v5 | ||||||||||||||
| with: | ||||||||||||||
| go-version: ${{ matrix.go-version }} | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Verify Go Installation | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Verify Go Version | ||||||||||||||
| run: go version | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Verify go.mod Exists | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Check go.mod | ||||||||||||||
| run: | | ||||||||||||||
| if [ ! -f go.mod ]; then | ||||||||||||||
| echo "go.mod file not found!" | ||||||||||||||
| exit 1 | ||||||||||||||
| fi | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Install Dependencies | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Install Dependencies | ||||||||||||||
| run: | | ||||||||||||||
| go mod tidy | ||||||||||||||
| go mod download | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Format Check | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Run gofmt | ||||||||||||||
| run: | | ||||||||||||||
| test -z "$(gofmt -l .)" | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Static Analysis | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Run go vet | ||||||||||||||
| run: | | ||||||||||||||
| go vet ./... | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # GolangCI Lint | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Run golangci-lint | ||||||||||||||
| uses: golangci/golangci-lint-action@v6 | ||||||||||||||
| with: | ||||||||||||||
| version: latest | ||||||||||||||
|
|
||||||||||||||
| # ============================== | ||||||||||||||
| # Run Unit Tests | ||||||||||||||
| # ============================== | ||||||||||||||
|
|
||||||||||||||
| - name: Run Tests | ||||||||||||||
| run: | | ||||||||||||||
| go test ./... -v | ||||||||||||||
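Review bot: the workflow declares no `permissions:` block, so this reusable workflow (`on: workflow_call`) runs with whatever default GITHUB_TOKEN grant the caller's repository has, rather than the read-only minimum a lint-and-test job needs; add a top-level `permissions:` with `contents: read`. Two smaller points in the same hunk: the Install Dependencies step runs `go mod tidy`, which silently rewrites go.mod/go.sum on the runner instead of failing when they are stale, so follow it with `git diff --exit-code go.mod go.sum` (or use `go mod verify`) so that drift becomes a quality failure; and `version: latest` on golangci-lint-action means lint results can change between runs with no change to the code, so pin a release there as well as pinning the action refs.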
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| output "instance_public_ip" { | ||
| value = aws_instance.my_ec2.public_ip | ||
| } | ||
|
|
||
| output "instance_id" { | ||
| value = aws_instance.my_ec2.id | ||
| } |
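Review bot: neither output carries a `description` argument; add one so consumers of `instance_public_ip` and `instance_id` know what they refer to. Note also that outputs are printed in plain text by `terraform apply` and `terraform output`, so `instance_public_ip` will appear in CI logs; that is acceptable for a public address, but the same pattern must not be reused for any value that is secret (those need `sensitive = true`).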
🧩 Analysis chain

🏁 Script executed:

Repository: LondheShubham153/github-actions-kubernetes-masterclass
Length of output: 495

Pin all GitHub Actions to commit SHAs.

Lines 22, 29, and 81 use tag refs (@v4, @v5, @v6) instead of immutable commit SHAs. This is a supply-chain hardening gap and will fail strict pinning policies.

Suggested patch

🧰 Tools
🪛 zizmor (1.25.2)
[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)