From 5399ba77774140ef493b94c2e0c93946615abcef Mon Sep 17 00:00:00 2001 From: Marc Ransome Date: Mon, 25 Mar 2024 19:57:08 +0000 Subject: [PATCH] Harden workflow runners --- .github/workflows/codeql-analysis.yml | 36 ++++--- .github/workflows/dependency-review.yml | 4 + .github/workflows/markdown-links.yml | 34 ++++--- .github/workflows/openssf-scorecard.yml | 4 + .github/workflows/release.yml | 123 +++++++++++++----------- 5 files changed, 115 insertions(+), 86 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2a0cbd3..12658ca 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,19 +19,23 @@ jobs: permissions: security-events: write steps: - - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Install dependencies - run: brew install popt - - name: Initialize CodeQL - uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - with: - languages: cpp - queries: security-and-quality - source-root: src - - name: Build sources - run: | - cmake -S . -B build - cmake --build build - - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Install dependencies + run: brew install popt + - name: Initialize CodeQL + uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + languages: cpp + queries: security-and-quality + source-root: src + - name: Build sources + run: | + cmake -S . -B build + cmake --build build + - name: Perform CodeQL analysis + uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 
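Review bot: `egress-policy: audit` in the new Harden runner step only records the runner's outbound connections; it blocks nothing, so the job's network exposure is unchanged by this commit despite the "Harden" title. The same setting is added in every other hunk (dependency-review.yml, markdown-links.yml, openssf-scorecard.yml and the three release.yml hunks), so this note covers them all. If audit is the intended first pass to collect the endpoint list, say so next to the setting, e.g. `egress-policy: audit # observe only; move to block with allowed-endpoints once the endpoint list is known`, so the follow-up is not forgotten. Separately, this job installs with brew, which suggests a macOS runner (runs-on is outside the hunk, as is the release.yml build job's); confirm the pinned harden-runner release supports that runner OS, otherwise the step adds no protection on those jobs.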
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index cc7f03b..03532fa 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -12,6 +12,10 @@ jobs: permissions: pull-requests: write steps: + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - name: Dependency review diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml index 3daee2e..38a7580 100644 --- a/.github/workflows/markdown-links.yml +++ b/.github/workflows/markdown-links.yml 
@@ -19,18 +19,22 @@ jobs: markdown-links: runs-on: ubuntu-latest steps: - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Check links in modified Markdown files - if: github.event_name == 'pull_request' - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 - with: - base-branch: main - check-modified-files-only: yes - use-verbose-mode: yes - config-file: .github/markdown/markdown-links.json - - name: Check links in all Markdown files - if: github.event_name != 'pull_request' - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 - with: - use-verbose-mode: yes - config-file: .github/markdown/markdown-links.json + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Check links in modified Markdown files + if: github.event_name == 'pull_request' + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 + with: + base-branch: main + check-modified-files-only: yes + use-verbose-mode: yes + config-file: .github/markdown/markdown-links.json + - name: Check links in all Markdown files + if: github.event_name != 'pull_request' + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 + with: + use-verbose-mode: yes + config-file: .github/markdown/markdown-links.json diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml index 1ab0406..a86e254 100644 --- a/.github/workflows/openssf-scorecard.yml +++ b/.github/workflows/openssf-scorecard.yml 
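Review bot: The re-indented `check-modified-files-only: yes` and `use-verbose-mode: yes` inputs are bare truthy scalars; YAML 1.1 loaders read them as booleans, and quoting keeps them strings under any loader, so write `check-modified-files-only: 'yes'` and `use-verbose-mode: 'yes'` (both occurrences of use-verbose-mode in this hunk). The checkout step directly after the new Harden runner step is also the only unnamed step across these workflows; adding `name: Checkout repository` would match the other four files.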
@@ -16,6 +16,10 @@ jobs: security-events: write # Needed to upload the results to code scanning dashboard id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below) steps: + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ebeeab3..6890aa9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -20,61 +20,65 @@ jobs: sha256-filename-darwin-arm64: ${{ steps.checksum.outputs.sha256-filename-darwin-arm64 }} sha256-filename-darwin-x86_64: ${{ steps.checksum.outputs.sha256-filename-darwin-x86_64 }} steps: - - name: Checkout repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Install runtime dependencies - run: brew install popt - - name: Install test dependencies - run: brew install cmocka - - name: Install build tools - run: brew install just pandoc - - id: arch - name: Get machine hardware name - run: | - set -euo pipefail - arch=$(uname -m) - if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then - echo "Unexpected machine hardware name: ${arch}" - exit 1 - fi - echo "name=${arch}" >> "${GITHUB_OUTPUT}" - - id: artifact - name: Generate build artifact - env: - ARCHITECTURE: ${{ steps.arch.outputs.name }} - run: | - set -euo pipefail - just package "${GITHUB_REF_NAME}" - artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz" - if [[ ! 
-f "${artifact}" ]]; then - echo "Failed to generated expected build artifact: ${artifact}" - fi - echo "name=${artifact}" >> "${GITHUB_OUTPUT}" - echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}" - - id: checksum - name: Generate build artifact SHA-256 checksum file - env: - ARCHITECTURE: ${{ steps.arch.outputs.name }} - ARTIFACT_NAME: ${{ steps.artifact.outputs.name }} - run: | - set -euo pipefail - shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256" - echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}" - echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}" - - name: Upload build artifact - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: ${{ steps.artifact.outputs.name }} - path: ${{ steps.artifact.outputs.name }} - if-no-files-found: error - retention-days: 7 - - name: Upload SHA-256 checksum file - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 - with: - name: ${{ steps.artifact.outputs.name }}.sha256 - path: ${{ steps.artifact.outputs.name }}.sha256 - if-no-files-found: error - retention-days: 7 + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository + uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Install runtime dependencies + run: brew install popt + - name: Install test dependencies + run: brew install cmocka + - name: Install build tools + run: brew install just pandoc + - id: arch + name: Get machine hardware name + run: | + set -euo pipefail + arch=$(uname -m) + if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then + echo "Unexpected machine hardware name: ${arch}" + exit 1 + fi + echo "name=${arch}" >> "${GITHUB_OUTPUT}" + - id: artifact + name: Generate build 
artifact + env: + ARCHITECTURE: ${{ steps.arch.outputs.name }} + run: | + set -euo pipefail + just package "${GITHUB_REF_NAME}" + artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz" + if [[ ! -f "${artifact}" ]]; then + echo "Failed to generated expected build artifact: ${artifact}" + fi + echo "name=${artifact}" >> "${GITHUB_OUTPUT}" + echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}" + - id: checksum + name: Generate build artifact SHA-256 checksum file + env: + ARCHITECTURE: ${{ steps.arch.outputs.name }} + ARTIFACT_NAME: ${{ steps.artifact.outputs.name }} + run: | + set -euo pipefail + shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256" + echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}" + echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}" + - name: Upload build artifact + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: ${{ steps.artifact.outputs.name }} + path: ${{ steps.artifact.outputs.name }} + if-no-files-found: error + retention-days: 7 + - name: Upload SHA-256 checksum file + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: ${{ steps.artifact.outputs.name }}.sha256 + path: ${{ steps.artifact.outputs.name }}.sha256 + if-no-files-found: error + retention-days: 7 combine-checksums: needs: [build] runs-on: ubuntu-latest @@ -83,7 +87,12 @@ jobs: env: CHECKSUMS: ${{ toJSON(needs.build.outputs) }} steps: + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - id: checksums + name: Combine SHA-256 checksums run: | set -euo pipefail echo "${CHECKSUMS}" | jq -r 'with_entries(select(.key | match("sha256-checksum-.*-.*")))[] | @base64d' | sed "/^$/d" > checksums.txt 
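Review bot: In the Generate build artifact step's run script, the `if [[ ! -f "${artifact}" ]]` branch only echoes a message and falls through, so a missing archive is not fatal at the point it is detected and the failure surfaces later, in the checksum or upload step, with a less useful error. Add `exit 1` after the echo, and fix the message wording while there: `echo "Failed to generate expected build artifact: ${artifact}"` followed by `exit 1`. The hunk already re-indents the whole step, so the change fits naturally next to the hardening one.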
@@ -106,6 +115,10 @@ jobs: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') steps: + - name: Harden runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit - name: Download x86_64 build artifact uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: