Updated everything to for best practices/security.

Signed-off-by: Roger Barker <[email protected]>
hashgraph · Apr 24, 2024 · e48ddb9 · e48ddb9
1 parent 15f086c
commit e48ddb9
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 19 deletions.
diff --git a/.github/workflows/auth-layer-chart-install.yml b/.github/workflows/auth-layer-chart-install.yml
@@ -7,15 +7,36 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   install:
-    runs-on: ubuntu-latest
+    name: Install
+    runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           fetch-depth: 0
 
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
       - name: Install k3d
         run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
 
@@ -24,10 +45,10 @@ jobs:
         timeout-minutes: 3
 
       - name: Set up Docker Qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Install ct
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Install chart
         run: ct install --helm-extra-args="--timeout 10m" --helm-extra-set-args="--set=global.auth.clientSecret=abcd1234" --charts charts/hedera-the-graph-auth-layer --config .github/ct.yaml
diff --git a/.github/workflows/charts-lint.yml b/.github/workflows/charts-lint.yml
@@ -7,15 +7,36 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    name: Lint
+    runs-on: [ self-hosted, Linux, medium, ephemeral ]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
 
       - name: Install ct
-        uses: helm/[email protected]
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Run lint
         run: ct lint --config .github/ct.yaml --all
diff --git a/.github/workflows/hedera-the-graph-chart-install.yml b/.github/workflows/hedera-the-graph-chart-install.yml
@@ -7,16 +7,36 @@ on:
     branches: [ main, release/*]
     tags: [ v* ]
 
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
 jobs:
   install:
-    runs-on: ubuntu-latest
-    # runs-on: [self-hosted, Linux, medium, ephemeral] # this will be enabled once we configure a self-hosted runner
+    name: Install
+    runs-on: [self-hosted, Linux, medium, ephemeral]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Setup Python
+        uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
+        with:
+          python-version: "3.10"
+
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           fetch-depth: 0
 
+      - name: Install Helm
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+
       - name: Install k3d
         run: curl --retry 3 -fsL https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
 

diff --git a/.github/workflows/proxy-tests.yml b/.github/workflows/proxy-tests.yml
@@ -16,16 +16,16 @@ permissions:
 
 jobs:
     proxy-tests:
-        runs-on: ubuntu-latest
-        # runs-on: [self-hosted, Linux, medium, ephemeral] # this will be enabled once we configure a self-hosted runner
+        name: Proxy Tests
+        runs-on: [self-hosted, Linux, medium, ephemeral]
         steps:
             - name: Harden Runner
               uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
               with:
                 egress-policy: audit
 
             - name: Checkout repository
-              uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+              uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
             - name: Install Lua
               uses: leafo/gh-actions-lua@35bcb06abec04ec87df82e08caa84d545348536e # v10.0.0

diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
@@ -18,8 +18,8 @@ env:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
-    # runs-on: [self-hosted, Linux, medium, ephemeral] # this will be enabled once we configure a self-hosted runner
+    name: Publish
+    runs-on: [self-hosted, Linux, medium, ephemeral]
 
     steps:
       - name: Harden Runner
@@ -28,7 +28,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0

diff --git a/.github/workflows/release-production.yml b/.github/workflows/release-production.yml
@@ -18,8 +18,8 @@ env:
 
 jobs:
   docker-image-publish:
-    runs-on: ubuntu-latest
-    # runs-on: [self-hosted, Linux, medium, ephemeral] # this will be enabled once we configure a self-hosted runner
+    name: Publish Docker Image
+    runs-on: [self-hosted, Linux, medium, ephemeral]
 
     steps:
       - name: Harden Runner
@@ -28,7 +28,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Get tag
         run: echo "TAG=${GITHUB_REF#refs/*/v}" >> $GITHUB_ENV