I am currently deploying a security tool for my cluster. It works well, but I would like to shorten the code and avoid repeating it in the file.
The situation is as follows:
on:
  pull_request:
    # the pull_request event filters on 'paths' (plural); 'path' is ignored
    paths:
      - 'ionos/terraform/dev/*.tf'
      - 'ionos/terraform/prod/*/*/*.tf'
jobs:
  # JOB to run change detection
  changes:
    runs-on: ubuntu-latest
    # Set job outputs to values from filter step
    outputs:
      Ionos_dev: ${{ steps.filter.outputs.Ionos_dev }}
      Ionos_prod: ${{ steps.filter.outputs.Ionos_prod }}
    steps:
      # For pull requests it's not necessary to checkout the code
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            Ionos_dev:
              - 'ionos/terraform/dev/*.tf'
            Ionos_prod:
              - 'ionos/terraform/prod/*/*/*.tf'
The repeated part:
  Ionos_prod:
    name: tfsec sarif report ionos_prod
    needs: changes
    if: ${{ needs.changes.outputs.Ionos_prod == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec sarif ionos_dev
        uses: aquasecurity/[email protected]
        with:
          working_directory: ionos/terraform/prod/
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: tfsec.sarif
  Ionos_dev:
    name: tfsec sarif report ionos_dev
    needs: changes
    if: ${{ needs.changes.outputs.Ionos_dev == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - name: Clone repo
        uses: actions/checkout@master
      - name: tfsec sarif ionos_dev
        uses: aquasecurity/[email protected]
        with:
          working_directory: ionos/terraform/dev/
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: tfsec.sarif
I have more than 2 duplicated jobs, which is why I want to turn this job into a variable.
My problem is that I can't see how to create the job as a variable and pass these two values into the job I just created:
if: ${{ needs.changes.outputs.Ionos_prod == 'true' }}
and
working_directory: ionos/terraform/prod/
Any suggestions?
Reply from a uj5u.com community member:
After several days of research, and based on this document (which I had not found before): https://docs.github.com/pt/actions/using-jobs/using-a-matrix-for-your-jobs
I finally solved my problem.
Here is the code, with some explanation at the end.
on:
  pull_request:
    types: [synchronize, reopened, labeled]
    paths:
      - 'aws/dns/domains/**'
      - 'ionos/terraform/prod/**'
      - 'ionos/terraform/dev/**'
      - 'azure/terraform/**'
jobs:
  changes:
    runs-on: ubuntu-latest
    # Outputs give a bool variable. If a file in the path has been changed -- true
    outputs:
      Ionos_dev: ${{ steps.filter.outputs.Ionos_dev }}
      Ionos_prod: ${{ steps.filter.outputs.Ionos_prod }}
      aws: ${{ steps.filter.outputs.aws }}
      azure: ${{ steps.filter.outputs.azure }}
    steps:
      # Use of an action which checks if a file in a path has been changed.
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            Ionos_dev:
              - 'ionos/terraform/dev/**/*.tf'
            Ionos_prod:
              - 'ionos/terraform/prod/**/*.tf'
            aws:
              - 'aws/dns/domains/**/*.tf'
            azure:
              - 'azure/terraform/prod/**/*.tf'
  tfsec_scan_matrix:
    name: tfsec_sarif_report_all_directory
    runs-on: ubuntu-latest
    # Here we point to the job changes, required for this job
    needs: changes
    # We create a matrix to store the output of each repo (true or false)
    # Each filter is linked with its directory (the directory tells the scan which directory it has to scan)
    strategy:
      matrix:
        include:
          - filters: ${{ needs.changes.outputs.Ionos_dev }}
            working_directory: ionos/terraform/dev/
          - filters: ${{ needs.changes.outputs.Ionos_prod }}
            working_directory: ionos/terraform/prod/
          - filters: ${{ needs.changes.outputs.aws }}
            working_directory: aws/dns/domains/
          - filters: ${{ needs.changes.outputs.azure }}
            working_directory: azure/terraform/prod/
    steps:
      # if the path has been modified, then clone repo; same thing for the other steps
      - if: ${{ matrix.filters == 'true' }}
        name: Clone repo
        uses: actions/checkout@master
      - if: ${{ matrix.filters == 'true' }}
        name: tfsec sarif ionos_dev
        uses: aquasecurity/[email protected]
        with:
          working_directory: ${{ matrix.working_directory }}
          sarif_file: tfsec.sarif
      - if: ${{ matrix.filters == 'true' }}
        name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
What does it do? If a tf file has been changed in a specific path by the pull request, it runs a tfsec scan on that specific path.
To solve my problem, I implemented a matrix in the job:
    strategy:
      matrix:
        include:
          - filters: ${{ needs.changes.outputs.Ionos_dev }}
            working_directory: ionos/terraform/dev/
          - filters: ${{ needs.changes.outputs.Ionos_prod }}
            working_directory: ionos/terraform/prod/
          - filters: ${{ needs.changes.outputs.aws }}
            working_directory: aws/dns/domains/
          - filters: ${{ needs.changes.outputs.azure }}
            working_directory: azure/terraform/prod/
EXTRA: In my case, the "include" argument assigns one output to its specific path. But if I wanted to combine all the possibilities, I would do it like this:
    strategy:
      matrix:
        filter: [Ionos_dev, Ionos_prod, aws, azure]
        # first entry corrected to the dev directory path (it was written as the filter name)
        working_directory: [ionos/terraform/dev/, ionos/terraform/prod/, aws/dns/domains/, azure/terraform/prod/]
In that case it would run all 9 possibilities.
    steps:
      # if the path has been modified, then clone repo; same thing for the other steps
      - if: ${{ matrix.filters == 'true' }}
        name: Clone repo
        uses: actions/checkout@master
      - if: ${{ matrix.filters == 'true' }}
        name: tfsec sarif ionos_dev
        uses: aquasecurity/[email protected]
        with:
          working_directory: ${{ matrix.working_directory }}
          sarif_file: tfsec.sarif
      - if: ${{ matrix.filters == 'true' }}
        name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif
For this part I am still working on it. I am trying to improve it by simplifying it down to a single "if".
Please credit the source when reposting. Link to this article: https://www.uj5u.com/qita/473849.html
