add new job with all checks

kudelskisecurity · Oct 20, 2023 · 3a1060a · 3a1060a
1 parent 0dd792d
commit 3a1060a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/.github/workflows/test_custom_executor.yml b/.github/workflows/test_custom_executor.yml
@@ -24,4 +24,41 @@ jobs:
     steps:
       - name: Check out Repository
         uses: actions/checkout@v4
-      - run: echo "Job is run after YSNP verification using only user check!"
+      - run: echo "Job is run after YSNP verification using only user check!"
+
+  Test-job-all-checks-YSNP:
+    runs-on: self-hosted
+    container:
+      image: alpine:3.18.4@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
+    steps:
+      - name: Check out Repository
+        uses: actions/checkout@v4
+      - run: echo "Job is run after YSNP verification using image + script + hash check!"
+
+# this is the youshallnotpass_config on Vault
+# echo -n '{
+#   "jobs": [
+#     {
+#       "jobName": "Test-job-only-ask-mfa-YSNP",
+#       "checks": [
+#         {
+#           "name": "mfaRequired"
+#         }
+#       ]
+#     },
+#     {
+#       "jobName": "Test-job-all-checks-YSNP",
+#       "checks": [
+#         {
+#           "name": "mfaRequired"
+#         },
+#         {
+#           "name": "imageHash"
+#         },
+#         {
+#           "name": "scriptHash"
+#         }
+#       ]
+#     }
+#   ]
+# }' | vault kv put your_mount_root/your_github_username_or_organization/project_name/youshallnotpass_config -
diff --git a/custom_executors/github_custom_executor/before_script.sh b/custom_executors/github_custom_executor/before_script.sh
@@ -66,13 +66,24 @@ export CI_JOB_NAME="$GITHUB_JOB"
 export CI_USER_EMAIL="$GITHUB_ACTOR"
 
 # Clone the workflow's repo
-if [[ ! -d "${GITHUB_WORKSPACE}" || -z "${GITHUB_WORKSPACE}" ]]; then
+# For some reason, the repo is not yet cloned at this stage and GITHUB_TOKEN is not available
+# TODO: improve me
+if [[ ! -d "${GITHUB_WORKSPACE}" || -z "$(ls -A ${GITHUB_WORKSPACE})" ]]; then
     # set those variables in profile.sh to git clone a private repo
     if [ -n "${GITHUB_USER}" ] && [ -n "${GITHUB_TOKEN}" ]; then
         git clone "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" "${GITHUB_WORKSPACE}"
     else
         git clone "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}" "${GITHUB_WORKSPACE}"
     fi
+else
+    # repo already exists, force update it
+    cd "${GITHUB_WORKSPACE}"
+    if [ -n "${GITHUB_USER}" ] && [ -n "${GITHUB_TOKEN}" ]; then
+        git remote set-url origin "https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}"
+    fi
+    git fetch --all
+    # fails sometimes...
+    # git reset --hard "${GITHUB_REF}"
 fi
 
 # Checkout the current sha