[StepSecurity] Apply security best practices #306
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Matrix Example | |
| permissions: | |
| contents: read | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| changed-files: | |
| name: Get changed files | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.changed-files.outputs.all_changed_files }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: ./ | |
| with: | |
| matrix: true | |
| - name: List all changed files | |
| run: echo '${{ steps.changed-files.outputs.all_changed_files }}' | |
| matrix-job: | |
| name: Run Matrix Job | |
| runs-on: ubuntu-latest | |
| needs: [changed-files] | |
| strategy: | |
| matrix: | |
| files: ${{ fromJSON(needs.changed-files.outputs.matrix) }} | |
| max-parallel: 4 | |
| fail-fast: false | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Test | |
| run: | | |
| echo ${{ matrix.files }} | |
| conditional-job: | |
| name: Run Conditional Job | |
| runs-on: ubuntu-latest | |
| needs: [changed-files] | |
| if: contains(needs.changed-files.outputs.matrix, 'README.md') # Conditional check for README | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Execute Conditional Logic | |
| run: | | |
| echo "README.md has been changed. Running conditional job." | |