Merge pull request #174 from hashgraph/172-update-ci-for-best-practic…

…es-security

ci: Updated CI content for best practices in GHA

.github/CODEOWNERS

@@ -5,3 +5,32 @@
 *                                       @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
 
 
+#########################
+#####  Core Files  ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protections for nvm
+**/.nvmrc                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+
+# Typescript Protection
+**/package.json                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+**/package-lock.json                            @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+**/tsconfig.json                                @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/                                       @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/                             @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+**/LICENSE                                      @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Git Ignore definitions
+**/.gitignore                                   @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/hedera-smart-contracts @hashgraph/dev-experience
+**/.gitignore.*                                 @hashgraph/release-engineering @hashgraph/release-engineering-managers  @hashgraph/hedera-smart-contracts @hashgraph/dev-experience

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10

.github/workflows/chart-lint-test.yaml

@@ -13,26 +13,31 @@ on:
 
 jobs:
   lint-test:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
     - name: Checkout
-      uses: actions/[email protected].0
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
 
     - name: Setup Helm
-      uses: azure/setup-helm@v3.5
+      uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
       with:
         version: 'v3.13.0'
 
     # ct (chart testing) requires python
     - name: Setup Python
-      uses: actions/setup-python@v4.7.1
+      uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: '3.x'
 
     - name: Install chart-testing
-      uses: helm/[email protected]
+      uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -46,7 +51,7 @@ jobs:
       run: ct lint --config .github/ct.yaml
 
     - name: Create kind cluster
-      uses: helm/kind-action@v1.8.0
+      uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
       if: steps.list-changed.outputs.changed == 'true'
 
     - name: Run chart-testing (install)

.github/workflows/flow-pr-title-check.yaml

@@ -35,11 +35,16 @@ concurrency:
 jobs:
   title-check:
     name: Title Check
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     permissions:
       statuses: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Check PR Title
-        uses: aslafy-z/conventional-pr-title-action@v3
+        uses: step-security/conventional-pr-title-action@0eae74515f5a79f8773fa04142dd746df76666ac # v1.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/push-images.yaml

@@ -20,15 +20,20 @@ env:
 
 jobs:
   docker-image-publish:
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     permissions:
       contents: read
       id-token: write
       packages: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: true
       - name: Apply Sourcify server patch customizations
@@ -47,20 +52,20 @@ jobs:
           fi
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: Build and push UI image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: ./ui
           file: ./ui/Dockerfile
@@ -69,7 +74,7 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/ui:${{env.TAG}}
 
       - name: Build and push SERVER image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: ./sourcify
 
@@ -87,7 +92,7 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/server:${{env.TAG}}
 
       - name: Build and Push REPOSITORY Image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: ./h5ai-nginx
 

.github/workflows/tests.yaml

@@ -8,12 +8,18 @@ jobs:
 
   server-ganache:
     name: server over Ganache integration tests
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: Checkout Code
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: true
-      - uses: actions/setup-node@v3
+      - name: Setup node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
       - name: Apply Sourcify server patch customizations
@@ -29,12 +35,20 @@ jobs:
 
   server-local-node:
     name: server over Hedera's local node integration tests
-    runs-on: ubuntu-latest
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+
+      - name: Checkout Code
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           submodules: true
-      - uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 18
       - name: Apply Sourcify server patch customizations
@@ -54,7 +68,7 @@ jobs:
           (npm run server:start&)
 
       - name: Wait for hedera-sourcify server
-        uses: iFaxity/wait-on-action@v1
+        uses: iFaxity/wait-on-action@a7d13170ec542bdca4ef8ac4b15e9c6aa00a6866 # v1.2.1
         with:
           resource: http://127.0.0.1:5555/chains
 

.gitignore

@@ -2,3 +2,6 @@
 
 # Placeholder for volume mount point for the repository.
 /data/
+
+# Ignore .idea
+**/.idea