mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-06 13:02:55 +00:00
902d361107
### Summary I'm fixing one or more of the following CI/CD misconfigurations to improve security. Please feel free to leave a comment if you think the current permissions for the GITHUB_TOKEN should not be restricted so I can take a note of it as accepted behaviour. - Restrict permissions for GITHUB_TOKEN - Add step-security/harden-runner - Pin Actions to a full length commit SHA ### Security Fixes will fix https://github.com/neondatabase/cloud/issues/26141
38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
# A workflow from
|
|
# https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
|
|
|
|
name: cleanup caches by a branch
|
|
on:
|
|
pull_request:
|
|
types:
|
|
- closed
|
|
|
|
jobs:
|
|
cleanup:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Cleanup
|
|
run: |
|
|
gh extension install actions/gh-actions-cache
|
|
|
|
echo "Fetching list of cache key"
|
|
cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
|
|
|
|
## Setting this to not fail the workflow while deleting cache keys.
|
|
set +e
|
|
echo "Deleting caches..."
|
|
for cacheKey in $cacheKeysForPR
|
|
do
|
|
gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
|
|
done
|
|
echo "Done"
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
REPO: ${{ github.repository }}
|
|
BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
|