[StepSecurity] Apply security best practices

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/containers.yml

@@ -16,10 +16,15 @@ jobs:
     outputs:
       files-changed: ${{ steps.detect-files-changed.outputs.all_changed_files }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Detect files changed
         id: detect-files-changed
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44.5.7
         with:
           separator: ','
 
@@ -34,15 +39,20 @@ jobs:
       id-token: write
       security-events: write
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login at GCP Artifact Registry
-        uses: celo-org/reusable-workflows/.github/actions/auth-gcp-artifact-registry@main
+        uses: celo-org/reusable-workflows/.github/actions/auth-gcp-artifact-registry@75d00a351905bfee73a7f11bf2ae7c6bae70fddc # main
         with:
           workload-id-provider: projects/1094498259535/locations/global/workloadIdentityPools/gh-charts-main/providers/github-by-repos
           service-account: [email protected]
           docker-gcp-registries: us-west1-docker.pkg.dev
       - name: Build and push container
-        uses: celo-org/reusable-workflows/.github/actions/build-container@main
+        uses: celo-org/reusable-workflows/.github/actions/build-container@75d00a351905bfee73a7f11bf2ae7c6bae70fddc # main
         with:
           platforms: linux/amd64,linux/arm64
           registry: us-west1-docker.pkg.dev/devopsre/dev-images/health-checker

.github/workflows/helm_deploy_call.yml

@@ -35,6 +35,9 @@ env:
   KUBE_CONFIG_PATH: /home/runner/.kube/config
   USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
 
+permissions:
+  contents: read
+
 jobs:
   helmfile:
     name: Helm Deploy
@@ -44,47 +47,52 @@ jobs:
       contents: read
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
       - name: Export Environment Variables
-        uses: cardinalby/export-env-action@v2
+        uses: cardinalby/export-env-action@b16a08b396d047e3f9e1446e3946440e2be02a73 # v2
         with:
           envFile: ./.github/workflows/.env
 
       - id: 'auth-gcp-no-main'
         name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5'
         with:
           workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ inputs.service-account }}
         if: github.ref != 'refs/heads/main'
 
       - id: 'auth-gcp-main'
         name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5'
         with:
           workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER_MASTER }}
           service_account: ${{ inputs.service-account }}
         if: github.ref == 'refs/heads/main'
 
       - name: 'Set up Cloud SDK'
         if: ${{ inputs.run-gke-credentials }}
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1'
         with:
           install_components: 'core,gke-gcloud-auth-plugin,kubectl'
           project_id: ${{ inputs.project }}
 
       - name: 'Get GKE credentials'
-        uses: google-github-actions/get-gke-credentials@v2
+        uses: google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116 # v2.2.1
         with:
           cluster_name: ${{ inputs.cluster-name }}
           location: ${{ inputs.cluster-location }}
 
       - name: Setup helmfile
-        uses: mamezou-tech/[email protected]
+        uses: mamezou-tech/setup-helmfile@03233e1cd9b19b2ba320e431f7bcc0618db4248d # v2.0.0
 
       - name: Run helmfile
         run: helmfile --color --file ${{ inputs.helmfile }} ${{ inputs.action }} --context 10

.github/workflows/helm_release.yml

@@ -17,6 +17,9 @@ on:
 env:
   HELM_VERSION: "v3.14.1"
 
+permissions:
+  contents: read
+
 jobs:
   helm-release:
     runs-on: 'ubuntu-latest'
@@ -25,23 +28,28 @@ jobs:
       contents: 'read'
       id-token: 'write'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout main branch"
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: "Install Helm"
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: "${{ env.HELM_VERSION }}"
 
       - name: 'Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v2'
+        uses: 'google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5'
         with:
           workload_identity_provider: projects/1094498259535/locations/global/workloadIdentityPools/gh-charts-main/providers/github-by-repos
           service_account: '[email protected]'
 
       # Gcloud CLI required for login to Artifact Registry
       - name: 'Set up Cloud SDK'
-        uses: 'google-github-actions/setup-gcloud@v2'
+        uses: 'google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1'
 
       - name: Add Helm repositories
         run: |
@@ -70,7 +78,7 @@ jobs:
           done
 
       - name: "Get Helm Charts changed"
-        uses: jitterbit/get-changed-files@v1
+        uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
         id: updated_files
         with:
           format: csv

.github/workflows/helm_test.yml

@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   # Only run tests and generate docs if Helm files have changed.
   helm-change:
@@ -16,8 +19,13 @@ jobs:
     outputs:
       charts-change: ${{ steps.filter.outputs.charts-change }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Check charts files changes"
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
@@ -41,24 +49,29 @@ jobs:
       contents: read
       id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout current PR"
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
       - name: "Install Helm"
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: "${{ env.HELM_VERSION }}"
 
       - name: "Install Python 3"
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
         with:
           python-version: '3.9'
           check-latest: true
 
       - name: "Set up chart-testing"
-        uses: helm/chart-testing-action@v2
+        uses: helm/chart-testing-action@b43128a8b25298e1e7b043b78ea6613844e079b1 # v2.6.0
 
       - name: "Run chart-testing (list-changed)"
         id: list-changed
@@ -76,7 +89,7 @@ jobs:
 
       - name: "Create kind cluster"
         if: steps.list-changed.outputs.changed == 'true'
-        uses: helm/[email protected]
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
 
       - name: "Install dependencies - Kong CRDs"
         if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed_charts, 'charts/kong-celo-fullnode')
@@ -104,14 +117,14 @@ jobs:
 
       - name: "Authenticate to Google Cloud"
         if: steps.list-changed.outputs.changed == 'true'
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5
         with:
           workload_identity_provider: projects/1094498259535/locations/global/workloadIdentityPools/gh-charts/providers/github-by-repos
           service_account: '[email protected]'
 
       - name: "Set up Cloud SDK"
         if: steps.list-changed.outputs.changed == 'true'
-        uses: google-github-actions/setup-gcloud@v2
+        uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
 
       - name: "Login to Artifact Registry"
         if: steps.list-changed.outputs.changed == 'true'
@@ -181,7 +194,7 @@ jobs:
           done
 
       - name: "Setup tmate session"
-        uses: mxschmitt/action-tmate@v3
+        uses: mxschmitt/action-tmate@a283f9441d2d96eb62436dc46d7014f5d357ac22 # v3.17
         timeout-minutes: 30
         if: false
         with:
@@ -206,17 +219,22 @@ jobs:
     permissions:
       id-token: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Get GitHub Token from Akeyless"
         id: get_auth_token
         uses:
-          docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest
+          docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest@sha256:87467fdd034c6897a32ff1478fb9368a8aacb0d49bbeb8cac87e3cdbcf0a88f3
         with:
           api-url: https://api.gateway.akeyless.celo-networks-dev.org
           access-id: p-kf9vjzruht6l
           dynamic-secrets: '{"/dynamic-secrets/keys/github/charts/contents=write,pull_requests=write":"PAT"}'
 
       - name: "Checkout current PR"
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           token: ${{ env.PAT }}
 
@@ -232,7 +250,7 @@ jobs:
           helm-docs
 
       - name: Install YQ
-        uses: dcarbone/[email protected]
+        uses: dcarbone/install-yq-action@64b1b9eb28920bb1a4c13c05321df284f9a8f940 # v1.1.1
 
       - name: "Regenerate list of charts"
         run: |
@@ -268,7 +286,7 @@ jobs:
           update_markdown "README.md"
 
       - name: "Commit updated README.md to the branch if changed"
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         with:
           commit_message: '[Automatic] - Update chart README.md'
           file_pattern: 'README.md charts/**/README.md charts-private/**/README.md'

.github/workflows/pr.yaml

@@ -13,7 +13,12 @@ jobs:
     concurrency: ci-${{ github.ref }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
         with:
           warn-only: true

.github/workflows/scorecard.yml

@@ -31,6 +31,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -68,6 +73,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
         with:
           sarif_file: results.sarif

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace