Refactor and improve documentation, add examples
36
docs/recipes/ci.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# Recipe: CI jobs
|
||||
|
||||
Goal: make CI steps safer by default: minimal egress and controlled writes.
|
||||
|
||||
## Suggested baseline
|
||||
|
||||
```json
|
||||
{
|
||||
"network": {
|
||||
"allowedDomains": []
|
||||
},
|
||||
"filesystem": {
|
||||
"allowWrite": [".", "/tmp"]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Run:
|
||||
|
||||
```bash
|
||||
fence --settings ./fence.json -c "make test"
|
||||
```
|
||||
|
||||
## Add only what you need
|
||||
|
||||
Use monitor mode to discover what a job tries to reach:
|
||||
|
||||
```bash
|
||||
fence -m --settings ./fence.json -c "make test"
|
||||
```
|
||||
|
||||
Then allowlist only:
|
||||
|
||||
- your artifact/cache endpoints
|
||||
- the minimum package registries required
|
||||
- any internal services the job must access
|
||||
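Review bot: In the suggested baseline, `"allowWrite": [".", "/tmp"]` makes the whole working directory writable, which for a CI job started from the repository checkout covers the sources and build files as well as the build output, so the stated goal of "controlled writes" is only partly met. Consider stating that trade-off in the recipe, or suggesting narrower paths for jobs that only need an output directory. The "Add only what you need" section would also benefit from showing a filled-in `allowedDomains` entry after the monitor-mode run, and from saying whether `-m` still enforces the policy while it reports, since readers will run it against the same job they intend to restrict.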