Skip to content

Add optional variable 'github_ref', to allow actions only from specif… #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 2, 2022
Merged

Add optional variable 'github_ref', to allow actions only from specif… #9

merged 1 commit into from
May 2, 2022

Conversation

@nick-doyle-slalom
Copy link

@nick-doyle-slalom nick-doyle-slalom commented Apr 19, 2022

…ic branches

Specifying this will make the AssumeRole StringLike's condition require
a specific ref e.g. 'repo:myorg/myrepo:ref:refs/heads/prod'

Not setting this will default to "all refs" ('repo:myorg/myrepo:*') per
existing behaviour

More details
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider

@rdkls
Add optional variable 'github_ref', to allow actions only from specif…
39ec461 
…ic branches

Specifying this will make the AssumeRole StringLike's condition require 
a specific ref e.g. 'repo:myorg/myrepo:ref:refs/heads/prod'

Not setting this will default to "all refs" ('repo:myorg/myrepo:*') per 
existing behaviour 

More details 
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider
@unfunco
Copy link
Owner

unfunco commented Apr 19, 2022

Hello, thank you for this, it's something I've been wanting to add for a while. The issue with this implementation is that it would apply to all repositories specified in github_repositories. I think it might be better to expand the regex in the github_repositories condition to allow an optional ref to be specified, and then in data.tf when it's looping through the repositories, check for a : to determine whether to use the ref or an * – what do you think?

@unfunco unfunco added the feature 💡 A new feature. label Apr 19, 2022
@unfunco unfunco merged commit 4cadd3d into unfunco:main May 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature 💡 A new feature.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nick-doyle-slalom @unfunco @rdkls