11---
22name : build
33
4- on :
4+ on : # yamllint disable-line rule:truthy
55 merge_group :
66 types :
77 - checks_requested
@@ -36,23 +36,34 @@ jobs:
3636 steps :
3737 # Note that a duplicate of this step must be added at the top of
3838 # each job.
39- - uses : GitHubSecurityLab/actions-permissions/monitor@v1
39+ - name : Apply standard cisagov job preamble
40+ uses : cisagov/action-job-preamble@v1
4041 with :
41- # Uses the organization variable unless overridden
42- config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
43- # Note that a duplicate of this step must be added at the top of
44- # each job.
45- - id : harden-runner
46- name : Harden the runner
47- uses : step-security/harden-runner@v2
48- with :
49- egress-policy : audit
50- - id : github-status
51- name : Check GitHub status
52- uses : crazy-max/ghaction-github-status@v4
53- - id : dump-context
54- name : Dump context
55- uses : crazy-max/ghaction-dump-context@v2
42+ check_github_status : " true"
43+ # This functionality is poorly implemented and has been
44+ # causing problems due to the MITM implementation hogging or
45+ # leaking memory. As a result we disable it by default. If
46+ # you want to temporarily enable it, simply set
47+ # monitor_permissions equal to "true".
48+ #
49+ # TODO: Re-enable this functionality when practical. See
50+ # cisagov/skeleton-generic#207 for more details.
51+ monitor_permissions : " false"
52+ output_workflow_context : " true"
53+ # Use a variable to specify the permissions monitoring
54+ # configuration. By default this will yield the
55+ # configuration stored in the cisagov organization-level
56+ # variable, but if you want to use a different configuration
57+ # then simply:
58+ # 1. Create a repository-level variable with the name
59+ # ACTIONS_PERMISSIONS_CONFIG.
60+ # 2. Set this new variable's value to the configuration you
61+ # want to use for this repository.
62+ #
63+ # Note in particular that changing the permissions
64+ # monitoring configuration *does not* require you to modify
65+ # this workflow.
66+ permissions_monitoring_config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
5667 lint :
5768 needs :
5869 - diagnostics
@@ -61,15 +72,32 @@ jobs:
6172 contents : read
6273 runs-on : ubuntu-latest
6374 steps :
64- - uses : GitHubSecurityLab/actions-permissions/monitor@v1
75+ - name : Apply standard cisagov job preamble
76+ uses : cisagov/action-job-preamble@v1
6577 with :
66- # Uses the organization variable unless overridden
67- config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
68- - id : harden-runner
69- name : Harden the runner
70- uses : step-security/harden-runner@v2
71- with :
72- egress-policy : audit
78+ # This functionality is poorly implemented and has been
79+ # causing problems due to the MITM implementation hogging or
80+ # leaking memory. As a result we disable it by default. If
81+ # you want to temporarily enable it, simply set
82+ # monitor_permissions equal to "true".
83+ #
84+ # TODO: Re-enable this functionality when practical. See
85+ # cisagov/skeleton-generic#207 for more details.
86+ monitor_permissions : " false"
87+ # Use a variable to specify the permissions monitoring
88+ # configuration. By default this will yield the
89+ # configuration stored in the cisagov organization-level
90+ # variable, but if you want to use a different configuration
91+ # then simply:
92+ # 1. Create a repository-level variable with the name
93+ # ACTIONS_PERMISSIONS_CONFIG.
94+ # 2. Set this new variable's value to the configuration you
95+ # want to use for this repository.
96+ #
97+ # Note in particular that changing the permissions
98+ # monitoring configuration *does not* require you to modify
99+ # this workflow.
100+ permissions_monitoring_config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
73101 - id : setup-env
74102 uses : cisagov/setup-env-github-action@develop
75103 - uses : actions/checkout@v4
@@ -92,16 +120,16 @@ jobs:
92120 echo "dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
93121uses : actions/cache@v4
94122 env :
95- BASE_CACHE_KEY : " ${{ github.job }}-${{ runner.os }}-\
123+ BASE_CACHE_KEY : ${{ github.job }}-${{ runner.os }}-\
96124 py${{ steps.setup-python.outputs.python-version }}-\
97125 go${{ steps.setup-go.outputs.go-version }}-\
98126 packer${{ steps.setup-env.outputs.packer-version }}-\
99- tf${{ steps.setup-env.outputs.terraform-version }}-"
127+ tf${{ steps.setup-env.outputs.terraform-version }}-
100128 with :
101- key : " ${{ env.BASE_CACHE_KEY }}\
129+ key : ${{ env.BASE_CACHE_KEY }}\
102130 ${{ hashFiles('**/requirements-test.txt') }}-\
103131 ${{ hashFiles('**/requirements.txt') }}-\
104- ${{ hashFiles('**/.pre-commit-config.yaml') }}"
132+ ${{ hashFiles('**/.pre-commit-config.yaml') }}
105133 # Note that the .terraform directory IS NOT included in the
106134 # cache because if we were caching, then we would need to use
107135 # the `-upgrade=true` option. This option blindly pulls down the
@@ -177,6 +205,9 @@ jobs:
177205 permissions :
178206 # actions/checkout needs this to fetch code
179207 contents : read
208+ # This line is long, but if I use a block style indicator then GH
209+ # Actions doesn't parse and execute the expression.
210+ # yamllint disable-line rule:line-length
180211 runs-on : ubuntu-${{ startsWith(matrix.architecture, 'arm') && '24.04-arm' || 'latest' }}
181212 strategy :
182213 fail-fast : false
@@ -200,15 +231,32 @@ jobs:
200231 scenario :
201232 - default
202233 steps :
203- - uses : GitHubSecurityLab/actions-permissions/monitor@v1
204- with :
205- # Uses the organization variable unless overridden
206- config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
207- - id : harden-runner
208- name : Harden the runner
209- uses : step-security/harden-runner@v2
234+ - name : Apply standard cisagov job preamble
235+ uses : cisagov/action-job-preamble@v1
210236 with :
211- egress-policy : audit
237+ # This functionality is poorly implemented and has been
238+ # causing problems due to the MITM implementation hogging or
239+ # leaking memory. As a result we disable it by default. If
240+ # you want to temporarily enable it, simply set
241+ # monitor_permissions equal to "true".
242+ #
243+ # TODO: Re-enable this functionality when practical. See
244+ # cisagov/skeleton-ansible-role#227 for more details.
245+ monitor_permissions : " false"
246+ # Use a variable to specify the permissions monitoring
247+ # configuration. By default this will yield the
248+ # configuration stored in the cisagov organization-level
249+ # variable, but if you want to use a different configuration
250+ # then simply:
251+ # 1. Create a repository-level variable with the name
252+ # ACTIONS_PERMISSIONS_CONFIG.
253+ # 2. Set this new variable's value to the configuration you
254+ # want to use for this repository.
255+ #
256+ # Note in particular that changing the permissions
257+ # monitoring configuration *does not* require you to modify
258+ # this workflow.
259+ permissions_monitoring_config : ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
212260 - id : setup-env
213261 uses : cisagov/setup-env-github-action@develop
214262 - uses : actions/checkout@v4
@@ -218,13 +266,13 @@ jobs:
218266 python-version : ${{ steps.setup-env.outputs.python-version }}
219267 - uses : actions/cache@v4
220268 env :
221- BASE_CACHE_KEY : " ${{ github.job }}-${{ runner.os }}-\
222- py${{ steps.setup-python.outputs.python-version }}-"
269+ BASE_CACHE_KEY : ${{ github.job }}-${{ runner.os }}-\
270+ py${{ steps.setup-python.outputs.python-version }}-
223271 with :
224272 path : ${{ env.PIP_CACHE_DIR }}
225- key : " ${{ env.BASE_CACHE_KEY }}\
273+ key : ${{ env.BASE_CACHE_KEY }}\
226274 ${{ hashFiles('**/requirements-test.txt') }}-\
227- ${{ hashFiles('**/requirements.txt') }}"
275+ ${{ hashFiles('**/requirements.txt') }}
228276 restore-keys : |
229277 ${{ env.BASE_CACHE_KEY }}
230278name : Install dependencies
0 commit comments