Merge pull request #238 from Hack23/dependabot/github_actions/github/… #222
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Verify and Deploy | |
| on: | |
| push: | |
| branches: | |
| - master | |
| permissions: write-all | |
| env: | |
| AWS_REGION : "us-east-1" | |
| AWS_REGION_ZONE : "us-east-1" | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06.s3.us-east-1.amazonaws.com:443 | |
| api.github.com:443 | |
| auth.docker.io:443 | |
| safebrowsingohttpgateway.googleapis.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| www.google.com:443 | |
| cfu.zaproxy.org:443 | |
| content-signature-2.cdn.mozilla.net:443 | |
| deb.debian.org:80 | |
| firefox.settings.services.mozilla.com:443 | |
| github.com:443 | |
| hack23.com:443 | |
| ghcr.io:443 | |
| hack23.com:80 | |
| location.services.mozilla.com:443 | |
| news.zaproxy.org:443 | |
| objects.githubusercontent.com:443 | |
| production.cloudflare.docker.com:443 | |
| raw.githubusercontent.com:443 | |
| registry-1.docker.io:443 | |
| registry.npmjs.org:443 | |
| shavar.services.mozilla.com:443 | |
| storage.googleapis.com:443 | |
| sts.us-east-1.amazonaws.com:443 | |
| tel.zaproxy.org:443 | |
| tracking-protection.cdn.mozilla.net:443 | |
| us-central1-lighthouse-infrastructure.cloudfunctions.net:443 | |
| accounts.google.com:443 | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: arn:aws:iam::172017021075:role/GithubWorkFlowRole | |
| role-session-name: githubworkflowrolesessiont2 | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Minify Action | |
| uses: dra1ex/minify-action@3c54a82e092a78c827659385d1be715126f13410 # v1.0.3 | |
| - name: Deploy to S3 | |
| run: | | |
| aws s3 sync . s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/ --exclude ".git/*" | |
| - name: Set cache headers S3 | |
| run: | | |
| aws s3 cp s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/styles.css s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/styles.css --metadata-directive REPLACE --cache-control max-age=31536000 --content-type "text/css" | |
| aws s3 cp s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/jamespethersorling.webp s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/jamespethersorling.webp --metadata-directive REPLACE --cache-control max-age=31536000 --content-type "image/webp" | |
| aws s3 cp s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/jamespethersorling.webp s3://amazon-cloudfront-secure-static-site-s3bucketroot-14oliw5cmta06/jamespethersorling150.webp --metadata-directive REPLACE --cache-control max-age=31536000 --content-type "image/webp" | |
| - name: Audit URLs using Lighthouse | |
| uses: treosh/lighthouse-ci-action@2f8dda6cf4de7d73b29853c3f29e73a01e297bd8 # v9 | |
| with: | |
| urls: | | |
| https://hack23.com/ | |
| budgetPath: ./budget.json # test performance budgets | |
| uploadArtifacts: true # save results as an action artifacts | |
| temporaryPublicStorage: true # upload lighthouse report to the temporary storage | |
| - name: ZAP Scan | |
| uses: zaproxy/action-full-scan@0f8503472afc3d03963d42a593629622d1a8c13b # v0.11.0 | |
| with: | |
| token: ${{ github.token }} | |
| docker_name: "ghcr.io/zaproxy/zaproxy:stable" | |
| target: 'https://hack23.com/' |