docs: update git ref #2

Merged
merged 5 commits into from
May 16, 2025
29 changes: 6 additions & 23 deletions .github/workflows/test.yaml
@@ -4,7 +4,7 @@ on:
push:
branches:
- main
pull_request:
pull_request_target:

🛠️ Refactor suggestion

Potential security risk: pull_request_target exposes elevated permissions to untrusted code
Using pull_request_target causes workflows to run with write permissions in the context of the base branch, which can be exploited by malicious PRs from forks. Consider switching back to pull_request or adding an if guard on the job to only run when the PR originates from the same repository.

Example mitigation:

 jobs:
   tf-test:
+    if: github.event.pull_request.head.repo.full_name == github.repository
     name: 🧪 ${{ matrix.tf }} test
     runs-on: ubuntu-latest
🤖 Prompt for AI Agents
In .github/workflows/test.yaml at line 7, the use of pull_request_target poses a
security risk by granting elevated permissions to untrusted code from forked
PRs. To fix this, replace pull_request_target with pull_request to limit
permissions, or add a conditional check in the job to ensure it only runs when
the PR originates from the same repository, preventing execution of potentially
malicious code from forks.


permissions:
actions: read
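Review bot: the trigger change in this hunk (`pull_request:` replaced by `pull_request_target:`) moves the job into the base-repository context, where `secrets.GITHUB_TOKEN` and repository `vars` become available to runs triggered by fork PRs, which matters because the job below passes both `${{ secrets.GITHUB_TOKEN }}` and `${{ vars.TF_TEST_AWS_ROLE_ARN }}` into the test action. If the switch is intentional, gate the job with an `if:` such as `github.event.pull_request.head.repo.full_name == github.repository` (or an explicit label/approval condition for fork PRs), keep the `permissions:` block that starts here as tight as the test job needs, and state the reason for the trigger change in the commit message, which currently describes this PR only as a docs ref update.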
@@ -15,31 +15,14 @@ permissions:

jobs:
tf-test:
name: ${{ matrix.tf }} Test
name: 🧪 ${{ matrix.tf }} test
runs-on: ubuntu-latest
strategy:
matrix:
tf: [tofu, terraform]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Aqua Cache
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
if: ${{ !github.event.act }} # Don't enable the cache step if we're using act for testing
with:
path: ~/.local/share/aquaproj-aqua
key: v1-aqua-installer-${{runner.os}}-${{runner.arch}}-${{hashFiles('aqua.yaml')}}
restore-keys: |
v1-aqua-installer-${{runner.os}}-${{runner.arch}}-

- name: Install Aqua
uses: aquaproj/aqua-installer@5e54e5cee8a95ee2ce7c04cb993da6dfad13e59c # v3.2.1
- uses: masterpointio/github-action-tf-test@c3b619f3bca9e4f482b9e0fb3166ab3f02d9d54c # v1.0.0
with:
aqua_version: v2.48.1

- name: Aqua Install
shell: bash
run: aqua install --tags ${{ matrix.tf }}

- run: ${{ matrix.tf }} init
- run: ${{ matrix.tf }} test
tf_type: ${{ matrix.tf }}
aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
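Review bot: the rendered diff drops the +/- markers, but the line counts (31 removed, 14 added) indicate the `actions/checkout@11bd7190... # v4.2.2` step is removed together with the inline Aqua cache/install steps, leaving `masterpointio/github-action-tf-test@c3b619f3... # v1.0.0` as the only step; confirm that the composite action performs its own checkout and, given the `pull_request_target` trigger in the first hunk, which ref it checks out, since checking out the PR head there would run fork-supplied OpenTofu/Terraform code with `github_token: ${{ secrets.GITHUB_TOKEN }}` and the role in `aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}`. The SHA pin with the version comment is good practice; note that the `act`-only guard (`if: ${{ !github.event.act }}`) disappears with the cache step, so local runs under act should be re-checked.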
2 changes: 1 addition & 1 deletion LICENSE
@@ -187,7 +187,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2024 Masterpoint
Copyright 2025 Masterpoint

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
4 changes: 2 additions & 2 deletions README.md
@@ -8,7 +8,7 @@

## Purpose and Functionality

This repository serves as a child module for managing Postgres Logical Databases and Roles
This repository serves as a [child module](https://opentofu.org/docs/language/modules/#child-modules) for managing Postgres Logical Databases, Users, and Roles.

## Usage

@@ -33,7 +33,7 @@ provider "postgresql" {
}
module "postgres_automation" {
source = "git::https://github.com/masterpointio/terraform-postgres-automation.git?ref=main"
source = "git::https://github.com/masterpointio/terraform-postgres-config-dbs-users-roles.git?ref=main"
databases = [
{
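Review bot: the updated `source` line still pins `?ref=main`; for a module that manages database users and roles, reference a released tag or commit (for example `?ref=<release-tag>`, placeholder) rather than a mutable branch, since `init` against `main` pulls whatever is on the branch at that moment and is not reproducible or reviewable. The repository URL itself matches the new `terraform-postgres-config-dbs-users-roles` name, so only the ref needs attention.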