mirror of
https://github.com/bartvdbraak/keyweave.git
synced 2025-04-28 15:21:21 +00:00
153 lines
No EOL
4.8 KiB
YAML
153 lines
No EOL
4.8 KiB
YAML
name: Checks
|
|
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
|
|
env:
|
|
VAULT_NAME: bvdbkeyweavetweukvt{0}
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
jobs:
|
|
build:
|
|
name: Build Keyweave
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: dtolnay/rust-toolchain@stable
|
|
- name: Build project
|
|
run: cargo build --all --release
|
|
- uses: actions/upload-artifact@v3.1.3
|
|
with:
|
|
path: target/release/keyweave
|
|
|
|
bicep:
|
|
name: Deploy Azure resources
|
|
environment: bicep
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
LOCATION: eastus
|
|
DEPLOYMENT_NAME: keyweave-${{ github.run_id }}
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
- name: Deploy Bicep template
|
|
uses: azure/arm-deploy@v1
|
|
with:
|
|
scope: subscription
|
|
region: ${{ env.LOCATION }}
|
|
template: bicep/main.bicep
|
|
deploymentName: ${{ env.DEPLOYMENT_NAME }}
|
|
|
|
none-test:
|
|
name: Tests without access
|
|
needs: [build, bicep]
|
|
runs-on: ubuntu-latest
|
|
environment: none
|
|
steps:
|
|
- uses: actions/download-artifact@v3.0.2
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
- name: Use Keyweave with No Access Policies
|
|
run: |
|
|
chmod +x ./artifact/keyweave
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
|
|
|
get-test:
|
|
name: Tests with Get access
|
|
needs: [build, bicep]
|
|
runs-on: ubuntu-latest
|
|
environment: get
|
|
steps:
|
|
- uses: actions/download-artifact@v3.0.2
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
- name: Use Keyweave with Only Get Access Policy
|
|
run: |
|
|
chmod +x ./artifact/keyweave
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
|
|
|
list-test:
|
|
name: Tests with List access
|
|
needs: [build, bicep]
|
|
runs-on: ubuntu-latest
|
|
environment: list
|
|
steps:
|
|
- uses: actions/download-artifact@v3.0.2
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
- name: Use Keyweave with Only List Access Policy
|
|
run: |
|
|
chmod +x ./artifact/keyweave
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
|
|
|
get-list-test:
|
|
name: Tests with Get and List access
|
|
needs: [build, bicep]
|
|
runs-on: ubuntu-latest
|
|
environment: getlist
|
|
steps:
|
|
- uses: actions/download-artifact@v3.0.2
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
- name: Use Keyweave with both Get and List Access Policies
|
|
run: |
|
|
chmod +x ./artifact/keyweave
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
|
|
|
- name: Use Keyweave with a filter
|
|
run: |
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --filter "filter"
|
|
|
|
- name: Use Keyweave with a complex file path
|
|
run: |
|
|
mkdir -p "user/projects/project 1/src/lib"
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "user/projects/project 1/src/lib/.env"
|
|
|
|
- name: Use Keyweave with a non-existent Key Vault
|
|
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}1234
|
|
|
|
- name: Use Keyweave with a firewalled Key Vault
|
|
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '2') }}
|
|
|
|
- name: Use Keyweave with a no permissions
|
|
run: |
|
|
mkdir -p "user/projects/project 1/src/lib"
|
|
./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} --output "/.env"
|
|
|
|
- uses: azure/login@v1
|
|
with:
|
|
client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.OTHER_SUBSCRIPTION_ID }}
|
|
- name: Use Keyweave while logged into other Subscription
|
|
run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }}
|
|
|
|
# - uses: azure/login@v1
|
|
# with:
|
|
# client-id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
# tenant-id: ${{ secrets.OTHER_TENANT_ID }}
|
|
# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
# - name: Use Keyweave while logged into other Azure Tenant
|
|
# run: ./artifact/keyweave --vault-name ${{ format(env.VAULT_NAME, '1') }} |