From 62c597cf01f1bac4edaeed8905ea4106a3427f04 Mon Sep 17 00:00:00 2001
From: Dylan Ratcliffe
Date: Fri, 26 Dec 2025 17:04:06 +0000
Subject: [PATCH 1/3] Allow us to target non-main branches for the demo
---
.github/workflows/signals-demo.yml | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/signals-demo.yml b/.github/workflows/signals-demo.yml
index 646bd852..f5110e80 100644
--- a/.github/workflows/signals-demo.yml
+++ b/.github/workflows/signals-demo.yml
@@ -11,6 +11,16 @@ on:
type: boolean
required: false
default: false
+ target_branch:
description: Target branch for pull request (only used when include_needle is true)
type: choice
required: false
default: main
options:
- main
- demo/env0
- demo/spacelift
- demo/tfc
concurrency:
group: signals-demo
@@ -261,6 +271,10 @@ jobs:
env:
GH_TOKEN: ${{ secrets.GH_PAT }}
run: |
+ # Use target_branch input if provided, otherwise default to main
TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"
echo "Creating PR targeting branch: $TARGET_BRANCH"
BODY="$(printf '%s\n' \
'## Summary' \
'- Narrow internal ingress CIDR used for service/monitoring access.' \
@@ -276,7 +290,7 @@ jobs:
)"
gh pr create \
- --base main \
+ --base "$TARGET_BRANCH" \
--head "$BRANCH" \
--title "security: narrow internal ingress CIDR (JIRA-4521)" \
--body "$BODY"
From 332a9549911d385ab583ed74b5deffb7f9b7ecea Mon Sep 17 00:00:00 2001
From: Dylan Ratcliffe
Date: Fri, 26 Dec 2025 17:15:33 +0000
Subject: [PATCH 2/3] Restrict automatic workflow to main branch only
---
.github/workflows/automatic.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/automatic.yml b/.github/workflows/automatic.yml
index 1339ba07..53fb499a 100644
--- a/.github/workflows/automatic.yml
+++ b/.github/workflows/automatic.yml
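Review bot: `TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"` interpolates a workflow expression straight into the `run:` script; because `target_branch` is a `type: choice` input its value is confined to the listed options, so this is not a problem today, but the pattern turns into a shell-injection path the moment someone relaxes the input to `type: string`. Pass the value through the step's existing `env:` block instead, `TARGET_BRANCH: ${{ inputs.target_branch || 'main' }}` beside `GH_TOKEN`, and drop the shell assignment so the script only ever reads `$TARGET_BRANCH`. The `|| 'main'` fallback duplicates `default: main` on the input definition; it only matters if this job also runs on a trigger that carries no inputs, which the hunk does not show. The `run:` script continues outside the hunk, and the later `--base "$TARGET_BRANCH"` hunk needs no change under this approach.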
@@ -18,7 +18,7 @@ jobs:
policy-checks:
runs-on: ubuntu-latest
- if: github.event.action != 'closed'
+ if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
needs: execute
permissions:
contents: read
@@ -51,6 +51,7 @@ jobs:
execute:
runs-on: ubuntu-latest
+ if: github.event.pull_request.base.ref == 'main'
outputs:
run-url: ${{ steps.submit-plan.outputs.run-url }}
permissions:
@@ -139,7 +140,7 @@ jobs:
cost-analysis:
runs-on: ubuntu-latest
- if: github.event.action != 'closed'
+ if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
permissions:
contents: read
id-token: write
@@ -168,7 +169,7 @@ jobs:
auto-approval:
runs-on: ubuntu-latest
- if: github.event.action != 'closed'
+ if: github.event.action != 'closed' && github.event.pull_request.base.ref == 'main'
needs: execute
permissions:
pull-requests: write
From 55f43d3c7a61df9ae568ce78d56df0b9b4b6002b Mon Sep 17 00:00:00 2001
From: Platform Automation
Date: Fri, 26 Dec 2025 17:16:19 +0000
Subject: [PATCH 3/3] security: narrow internal ingress CIDR (JIRA-4521)
---
main.tf | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index 1650a570..dd6fb83d 100644
--- a/main.tf
+++ b/main.tf
@@ -67,6 +67,11 @@ module "shared_security_group" {
# Customer API access configuration
locals {
api_customer_cidrs = {
+ newco_8 = {
cidr = "203.0.113.108/32"
name = "NewCo 8"
}
+
newco_7 = {
cidr = "203.0.113.107/32"
name = "NewCo 7"
@@ -124,7 +129,7 @@ locals {
}
}
- api_internal_cidr = "10.0.0.0/8"
+ api_internal_cidr = "10.0.0.0/16" # SECURITY HARDENING: Narrowed to VPC CIDR per audit findings
api_domain = "signals-demo-test.demo"
api_alert_email = "alerts@example.com"
}
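Review bot: The literal `'main'` now appears in four job-level guards (policy-checks here, and the execute, cost-analysis and auto-approval hunks below), so a future change of the protected branch has to touch all four in lockstep; `github.base_ref == 'main'` is the shorter equivalent for pull_request events, and a comment above the first guard, `# Only PRs into main get policy, cost and auto-approval checks; demo/* branches are exercised by signals-demo.yml`, would record why the other branches are exempt. The `execute` guard omits the `github.event.action != 'closed'` clause the other three carry, which presumably keeps its earlier behaviour of also running on close — a one-line comment there would make the asymmetry read as intentional rather than accidental. If this workflow is also triggered by non-pull_request events, `github.event.pull_request.base.ref` is empty for them and every guarded job is skipped; the `on:` block is outside the hunk. The enclosing `jobs:` mapping continues beyond each hunk.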
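Review bot: The new `newco_8` entry widens the customer ingress allowlist, yet the commit subject (`security: narrow internal ingress CIDR (JIRA-4521)`) and the PR body lines visible in the first patch describe only a narrowing, so a reviewer reading the title would miss the added exposure. Put the allowlist addition in its own commit, or at least record the approving request on the entry with a comment above `newco_8 = {`, e.g. `# added per <request/ticket id>`, so the audit trail matches the JIRA reference used for the CIDR change. The `api_customer_cidrs` map continues outside the hunk.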
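Review bot: `api_internal_cidr = "10.0.0.0/16"` hard-codes the value that the trailing comment asserts is the VPC CIDR, so nothing ties it to the VPC definition and the two can drift apart without any plan diff flagging it. If the VPC is managed in this configuration, reference its CIDR attribute instead of a literal; either way, move the justification onto its own line above the assignment so it survives formatting and names the ticket: `# Internal ingress limited to the VPC CIDR (audit finding, JIRA-4521); keep in sync with the VPC definition`. The `locals` block starts before the hunk.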