🧹 Enable dependabot PRs

.github/workflows/integration-tests.yaml

@@ -8,16 +8,24 @@ on:
     secrets:
       MONDOO_CLIENT:
         required: true
+  workflow_run:
+    workflows: ["Unit Tests"]
+    types:
+      - completed
 
 env:
   MONDOO_CLIENT_IMAGE_TAG: ${{ github.event.inputs.mondooClientImageTag }}
 
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions:
+  contents: read
+# Attention: These jobs still have access to all the secrets when triggered by a workflow_run event.
 
 jobs:
   integration-tests:
     runs-on: ubuntu-latest
     name: Integration tests
-
+    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_call'
     strategy:
       fail-fast: false
       matrix:
@@ -27,6 +35,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
         with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
           fetch-depth: 0 # fetch is nneded for "git tag --list" in the Makefile
       - name: Import environment variables from file
         run: cat ".github/env" >> $GITHUB_ENV

.github/workflows/security-tests.yaml

@@ -0,0 +1,51 @@
+name: Security Tests
+on:
+  workflow_call:
+    secrets:
+      MONDOO_CLIENT:
+        required: true
+  workflow_run:
+    workflows: ["Unit Tests"]
+    types:
+      - completed
+
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions:
+  contents: read
+# Attention: These jobs still have access to all the secrets when triggered by a workflow_run event.
+
+jobs:
+  security-tests:
+    runs-on: ubuntu-latest
+    name: Security tests
+    if: github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_call'
+    env:
+      # Use docker.io for Docker Hub if empty
+      REGISTRY: ghcr.io
+      # github.repository as <account>/<repo>
+      IMAGE_NAME: ${{ github.repository }}
+      RELEASE: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+      - name: Scan AWS terraform with Mondoo
+        uses: mondoohq/actions/terraform@main
+        with:
+          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
+          path: ".github/terraform/aws/main.tf"
+      - name: Scan Azure terraform with Mondoo
+        uses: mondoohq/actions/terraform@main
+        with:
+          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
+          path: ".github/terraform/aks/main.tf"
+      - name: Generate manifests
+        run: make generate-manifests IMG='${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE }}'
+      - name: Scan Kubernetes Manifest with Mondoo
+        uses: mondoohq/actions/k8s-manifest@main
+        with:
+          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
+          path: "mondoo-operator-manifests.yaml"

.github/workflows/tests.yaml

@@ -1,4 +1,4 @@
-name: Tests
+name: Unit Tests
 on:
   pull_request:
   push:
@@ -14,6 +14,9 @@ jobs:
     name: Unit tests
     steps:
       - uses: actions/checkout@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
       - name: Import environment variables from file
         run: cat ".github/env" >> $GITHUB_ENV
       - uses: actions/setup-go@v2
@@ -35,43 +38,4 @@ jobs:
         with:
           name: test-results
           path: unit-tests.xml
-  security-tests:
-    needs: [unit-tests]
-    runs-on: ubuntu-latest
-    name: Security tests
-    env:
-      # Use docker.io for Docker Hub if empty
-      REGISTRY: ghcr.io
-      # github.repository as <account>/<repo>
-      IMAGE_NAME: ${{ github.repository }}
-      RELEASE: ${{ github.ref_name }}
-    steps:
-      - uses: actions/checkout@v3
-      - name: Import environment variables from file
-        run: cat ".github/env" >> $GITHUB_ENV
-      - name: Scan AWS Terraform with Mondoo
-        uses: mondoohq/actions/terraform-hcl@main
-        with:
-          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
-          path: ".github/terraform/aws/main.tf"
-      - name: Scan Azure Terraform with Mondoo
-        uses: mondoohq/actions/terraform-hcl@main
-        with:
-          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
-          path: ".github/terraform/aks/main.tf"
-      - name: Generate manifests
-        run: make generate-manifests IMG='${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RELEASE }}'
-      - name: Scan Kubernetes Manifest with Mondoo
-        uses: mondoohq/actions/k8s-manifest@main
-        with:
-          service-account-credentials: ${{ secrets.MONDOO_CLIENT }}
-          path: "mondoo-operator-manifests.yaml"
-  integration-tests:
-    needs: [unit-tests]
-    uses: ./.github/workflows/integration-tests.yaml
-    if: needs.unit-tests.result == 'success' # run only if unit-tests are successful
-    name: Integration tests
-    with:
-      mondooClientImageTag: ""
-    secrets: inherit