[StepSecurity] Apply security best practices #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: RSpec | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| POSTGRES_HOST_AUTH_METHOD: "trust" | |
| POSTGRES_USER: "runner" | |
| POSTGRES_DB: "evemonk_test" | |
| PGHOST: "localhost" | |
| SECRET_KEY_BASE: "df85f70fa713b189c61deba6a51206472643e53894ae9a1dcd7c97ee15a9b79e962c9ada5b12e69ab360648f74b89d1b7d26dd310b485d48d4509a3445113813" | |
| AWS_ACCESS_KEY_ID: "root" | |
| AWS_SECRET_ACCESS_KEY: "password" | |
| MINIO_REGION_NAME: "us-east-1" | |
| MINIO_ENDPOINT: "http://localhost:9000" | |
| BUCKET: "evemonk-test-bucket" | |
| DEVISE_MAILER_SENDER: "robot@evemonk.com" | |
| ACTION_MAILER_FROM: "EveMonk <robot@evemonk.com>" | |
| DEVISE_PEPPER: "e19db51a470b8259e79616ac00450ea1857d819aa860e2e7cff79b3c295d3993867a68c9524587d2b02b6f76efa8dea8aaf09884f186bfab89442eb2530ea829" | |
| CI: "yes" | |
| jobs: | |
| rspec: | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: "postgres:16.4" | |
| env: | |
| POSTGRES_HOST_AUTH_METHOD: "trust" | |
| POSTGRES_USER: "runner" | |
| POSTGRES_DB: "evemonk_test" | |
| ports: | |
| - "5432:5432" | |
| # needed because the postgres container does not provide a healthcheck | |
| options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 | |
| minio: | |
| image: "minio/minio" | |
| env: | |
| MINIO_ROOT_USER: "root" | |
| MINIO_ROOT_PASSWORD: "password" | |
| MINIO_REGION_NAME: "us-east-1" | |
| ports: | |
| - "9000:9000" | |
| - "9001:9001" | |
| options: minio/minio server /data | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| accounts.google.com:443 | |
| content-autofill.googleapis.com:443 | |
| fonts.googleapis.com:443 | |
| fonts.gstatic.com:443 | |
| ga.jspm.io:443 | |
| github.com:443 | |
| googlechromelabs.github.io:443 | |
| imageproxy.evemonk.com:443 | |
| index.rubygems.org:443 | |
| objects.githubusercontent.com:443 | |
| optimizationguide-pa.googleapis.com:443 | |
| plausible.io:443 | |
| *.gvt1.com:443 | |
| redirector.gvt1.com:443 | |
| rubygems.org:443 | |
| s3.amazonaws.com:443 | |
| www.googleapis.com:443 | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Set up Ruby | |
| uses: ruby/setup-ruby@52753b7da854d5c07df37391a986c76ab4615999 # v1.191.0 | |
| with: | |
| rubygems: latest | |
| bundler: latest | |
| bundler-cache: true | |
| - name: Disable skylight dev warning | |
| run: bundle exec skylight disable_dev_warning | |
| - run: cp -f config/evemonk.example.yml config/evemonk.yml | |
| - run: bundle exec bootsnap precompile --gemfile | |
| - run: bin/rails zeitwerk:check | |
| - run: bin/rails db:create | |
| - run: bin/rails db:migrate | |
| - run: bin/rspec | |