@@ -3,7 +3,6 @@ name: "security"
33permissions :
44actions :read
55contents :read
6- security-events :write
76
87on :
98workflow_dispatch :
@@ -23,6 +22,8 @@ concurrency:
2322
2423jobs :
2524codeql :
25+ permissions :
26+ security-events :write
2627runs-on :${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
2728steps :
2829 -name :Harden Runner
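Review bot: The job-level `permissions:` block added to `codeql` (and the identical one added to `trivy` further down) replaces the workflow-level block rather than extending it, so these jobs no longer receive `actions: read` and `contents: read` — GitHub sets every scope a job does not list to `none`. On a public repository the checkout and SARIF upload still work with the reduced token, but on a private repository or when fetching private CodeQL packs they would fail, and the intent is clearer in either case if each job lists the full set it needs: `permissions:` / `actions: read` / `contents: read` / `security-events: write`. The `runs-on` and `steps` lines are unchanged context and the rest of each job body lies outside the hunk.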
6162 "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
6263
6364trivy :
65+ permissions :
66+ security-events :write
6467runs-on :${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
6568steps :
6669 -name :Harden Runner
@@ -95,13 +98,20 @@ jobs:
9598 # protoc must be in lockstep with our dogfood Dockerfile or the
9699 # version in the comments will differ. This is also defined in
97100 # ci.yaml.
98- set -x
101+ set -euxo pipefail
99102 cd dogfood/contents
103+ mkdir -p /usr/local/bin
104+ mkdir -p /usr/local/include
105+
100106 DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
101107 protoc_path=/usr/local/bin/protoc
102108 docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
103109 chmod +x $protoc_path
104110 protoc --version
111+ # Copy the generated files to the include directory.
112+ docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/
113+ ls -la /usr/local/include/google/protobuf/
114+ stat /usr/local/include/google/protobuf/timestamp.proto
105115
106116 -name :Build Coder linux amd64 Docker image
107117id :build
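Review bot: The new `docker run --rm -v /usr/local/include:/target protoc cp -r /tmp/include/google /target/` line bind-mounts a host directory into the container, so a container process (root by default) writes directly into the runner's filesystem and the copied headers come out root-owned, whereas the existing `protoc` binary a few lines up is extracted by streaming it out with `--entrypoint cat` and never gives the container a host mount. Extracting the headers the same way keeps the container off the host and, per the `docker cp` documentation, creates the files under the invoking user: `docker create --name protoc-src protoc`, `docker cp protoc-src:/tmp/include/google /usr/local/include/`, `docker rm protoc-src`. The added `mkdir -p /usr/local/bin` and `mkdir -p /usr/local/include` presumably rely on the runner user being able to create those paths; if that is not the case on `ubuntu-latest` the step now aborts there under the new `set -euxo pipefail`. The `ls -la` and `stat` lines act as a fail-fast check that `timestamp.proto` was copied, which deserves a comment such as `# Fail the step if the protobuf well-known types did not land in /usr/local/include.`.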