Job as a variable and use variable inside this job | github action & yaml
I am currently deploying security tooling for my cluster. It works well, but I would like to shorten the code and avoid repeating it in the file.
Here is the situation:
on:
  pull_request:
    # `paths` is the trigger filter key (`path` is not recognised)
    paths:
      - 'ionos/terraform/dev/*.tf'
      - 'ionos/terraform/prod/*/*/*.tf'

jobs:
  # JOB to run change detection
  changes:
    runs-on: ubuntu-latest
    # Set job outputs to values from filter step
    outputs:
      Ionos_dev: ${{ steps.filter.outputs.Ionos_dev }}
      Ionos_prod: ${{ steps.filter.outputs.Ionos_prod }}
    steps:
      # For pull requests it's not necessary to checkout the code
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            Ionos_dev:
              - 'ionos/terraform/dev/*.tf'
            Ionos_prod:
              - 'ionos/terraform/prod/*/*/*.tf'
The repeated part:
  Ionos_prod:
    name: tfsec sarif report ionos_prod
    needs: changes
    if: ${{ needs.changes.outputs.Ionos_prod == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec sarif ionos_dev
        uses: aquasecurity/tfsec-sarif-action@v0.1.0
        with:
          working_directory: ionos/terraform/prod/
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: tfsec.sarif

  Ionos_dev:
    name: tfsec sarif report ionos_dev
    needs: changes
    if: ${{ needs.changes.outputs.Ionos_dev == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec sarif ionos_dev
        uses: aquasecurity/tfsec-sarif-action@v0.1.0
        with:
          working_directory: ionos/terraform/dev/
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: tfsec.sarif
I have more than 2 repeated jobs, which is why I want to turn the job into a variable.
My problem is that I don't know how to create the job as a variable and pass these two variables into the job I just created:
if: ${{ needs.changes.outputs.Ionos_prod == 'true' }}
&
working_directory: ionos/terraform/prod/
Any suggestions?
After a few days of research, and based on this documentation (which I had not found before):
https://docs.github.com/pt/actions/using-jobs/using-a-matrix-for-your-jobs
I finally solved my problem.
Here is the code, with some explanation at the end.
on:
  pull_request:
    types: [synchronize, reopened, labeled]
    paths:
      - 'aws/dns/domains/**'
      - 'ionos/terraform/prod/**'
      - 'ionos/terraform/dev/**'
      - 'azure/terraform/**'

jobs:
  changes:
    runs-on: ubuntu-latest
    # Outputs give a bool variable. If a file in the path has been changed -- true
    outputs:
      Ionos_dev: ${{ steps.filter.outputs.Ionos_dev }}
      Ionos_prod: ${{ steps.filter.outputs.Ionos_prod }}
      aws: ${{ steps.filter.outputs.aws }}
      azure: ${{ steps.filter.outputs.azure }}
    steps:
      # Use of an action which checks if a file in a path has been changed.
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            Ionos_dev:
              - 'ionos/terraform/dev/**/*.tf'
            Ionos_prod:
              - 'ionos/terraform/prod/**/*.tf'
            aws:
              - 'aws/dns/domains/**/*.tf'
            azure:
              - 'azure/terraform/prod/**/*.tf'

  tfsec_scan_matrix:
    name: tfsec_sarif_report_all_directory
    runs-on: ubuntu-latest
    # Here we point to the job `changes`, required for this job
    needs: changes
    # We create a matrix to store the output of each repo (true or false)
    # Each filter is linked with its directory (the directory tells the scan which directory it has to scan)
    strategy:
      matrix:
        include:
          - filters: ${{ needs.changes.outputs.Ionos_dev }}
            working_directory: ionos/terraform/dev/
          - filters: ${{ needs.changes.outputs.Ionos_prod }}
            working_directory: ionos/terraform/prod/
          - filters: ${{ needs.changes.outputs.aws }}
            working_directory: aws/dns/domains/
          - filters: ${{ needs.changes.outputs.azure }}
            working_directory: azure/terraform/prod/
    steps:
      # If the path has been modified, then clone the repo; same thing for the other steps
      - if: ${{ matrix.filters == 'true' }}
        name: Clone repo
        uses: actions/checkout@master
      - if: ${{ matrix.filters == 'true' }}
        name: tfsec sarif ionos_dev
        uses: aquasecurity/tfsec-sarif-action@v0.1.0
        with:
          working_directory: ${{ matrix.working_directory }}
          sarif_file: tfsec.sarif
      - if: ${{ matrix.filters == 'true' }}
        name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
What does it do?
If a .tf file has changed on the pull request in a specific path, it runs a tfsec scan on that specific path.
Solving my problem:
I implemented a matrix in the job:
strategy:
  matrix:
    include:
      - filters: ${{ needs.changes.outputs.Ionos_dev }}
        working_directory: ionos/terraform/dev/
      - filters: ${{ needs.changes.outputs.Ionos_prod }}
        working_directory: ionos/terraform/prod/
      - filters: ${{ needs.changes.outputs.aws }}
        working_directory: aws/dns/domains/
      - filters: ${{ needs.changes.outputs.azure }}
        working_directory: azure/terraform/prod/
EXTRA: in my case, the "include" parameter assigns each output to its specific path.
However, if I wanted to combine all the possibilities, I would do this:
strategy:
  matrix:
    # key named `filters` so the steps' `matrix.filters` references resolve
    filters: [Ionos_dev, Ionos_prod, aws, azure]
    working_directory: [ionos/terraform/dev/, ionos/terraform/prod/, aws/dns/domains/, azure/terraform/prod/]
In that case it would run all 9 possibilities.
steps:
  # If the path has been modified, then clone the repo; same thing for the other steps
  - if: ${{ matrix.filters == 'true' }}
    name: Clone repo
    uses: actions/checkout@master
  - if: ${{ matrix.filters == 'true' }}
    name: tfsec sarif ionos_dev
    uses: aquasecurity/tfsec-sarif-action@v0.1.0
    with:
      working_directory: ${{ matrix.working_directory }}
      sarif_file: tfsec.sarif
  - if: ${{ matrix.filters == 'true' }}
    name: Upload SARIF file
    uses: github/codeql-action/upload-sarif@v2
    with:
      sarif_file: tfsec.sarif
I am still working on this part. I am trying to improve it by simplifying it down to a single 'if'.
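Added example, not code from the question or the answer above: one way to reach the single `if` the answer is aiming for is to have the `changes` job emit a JSON list of the directories that actually changed and feed that list to the matrix with `fromJSON`. The scan job then needs one job-level `if` (skip everything when the list is empty, since an empty matrix fails the workflow) and no per-step conditions. The filter names, directories and the tfsec/SARIF actions come from the answer; the shell step that builds the list, its `dirs` output name, the `permissions` block, the `category` input and the pinned `actions/checkout@v3` are my assumptions.

```yaml
on:
  pull_request:
    types: [synchronize, reopened, labeled]
    paths:
      - 'aws/dns/domains/**'
      - 'ionos/terraform/prod/**'
      - 'ionos/terraform/dev/**'
      - 'azure/terraform/**'

# Least-privilege token (assumed): paths-filter reads the PR, upload-sarif writes
# security events; nothing here needs write access to repository contents.
permissions:
  contents: read
  pull-requests: read
  security-events: write

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      # JSON array of changed directories, e.g. ["ionos/terraform/dev/"]; "[]" when none changed
      dirs: ${{ steps.dirs.outputs.dirs }}
    steps:
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            Ionos_dev:
              - 'ionos/terraform/dev/**/*.tf'
            Ionos_prod:
              - 'ionos/terraform/prod/**/*.tf'
            aws:
              - 'aws/dns/domains/**/*.tf'
            azure:
              - 'azure/terraform/prod/**/*.tf'
      # Assumed helper step: turn the per-filter booleans into one JSON list of directories.
      # The outputs are passed through env instead of being interpolated into the script,
      # so nothing from the expression context is ever parsed as shell.
      - id: dirs
        shell: bash
        env:
          IONOS_DEV: ${{ steps.filter.outputs.Ionos_dev }}
          IONOS_PROD: ${{ steps.filter.outputs.Ionos_prod }}
          AWS: ${{ steps.filter.outputs.aws }}
          AZURE: ${{ steps.filter.outputs.azure }}
        run: |
          dirs=()
          if [ "$IONOS_DEV" = "true" ]; then dirs+=("ionos/terraform/dev/"); fi
          if [ "$IONOS_PROD" = "true" ]; then dirs+=("ionos/terraform/prod/"); fi
          if [ "$AWS" = "true" ]; then dirs+=("aws/dns/domains/"); fi
          if [ "$AZURE" = "true" ]; then dirs+=("azure/terraform/prod/"); fi
          # jq emits a valid JSON array, including "[]" when nothing changed
          echo "dirs=$(jq -cn '$ARGS.positional' --args "${dirs[@]}")" >> "$GITHUB_OUTPUT"

  tfsec_scan_matrix:
    name: tfsec sarif report ${{ matrix.working_directory }}
    needs: changes
    # The only `if`: skip the whole job when no watched directory changed
    if: ${{ needs.changes.outputs.dirs != '[]' }}
    runs-on: ubuntu-latest
    strategy:
      # Let every directory finish so one failing scan does not hide the others
      fail-fast: false
      matrix:
        working_directory: ${{ fromJSON(needs.changes.outputs.dirs) }}
    steps:
      - name: Clone repo
        uses: actions/checkout@v3   # pinned release instead of a moving @master
      - name: tfsec sarif ${{ matrix.working_directory }}
        uses: aquasecurity/tfsec-sarif-action@v0.1.0
        with:
          working_directory: ${{ matrix.working_directory }}
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
          # One category per directory so the parallel uploads do not overwrite each other
          category: tfsec-${{ matrix.working_directory }}
```

With this layout the matrix only ever contains directories that changed, so a pull request touching one directory produces exactly one scan job rather than four jobs of which three skip every step; the `changes` job's `dirs` output is the single place that maps a filter to its directory.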