[SDL] Fix OpenSSF (#111)

* Fix GH workflows * Add security policy
openvinotoolkit · Jun 18, 2024 · e0c50e6 · e0c50e6
1 parent 2fb4b0e
commit e0c50e6
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 7 deletions.
diff --git a/.github/workflows/check-pr-name.yml b/.github/workflows/check-pr-name.yml
@@ -2,16 +2,17 @@ name: "Check Pull Request Name"
 
 on: [pull_request, push]
 
-jobs:
+permissions:
+  contents: read
 
+jobs:
   pr-name-check:
     name: Check Pull Request Name
     runs-on: ubuntu-20.04
     if: github.event_name == 'pull_request'
-
     steps:
       - name: Compare PR Name to the Template
-        uses: actions/github-script@v5
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const prNameRegExp = /^(?:\[\d+\]\s?)+\w+.*/;

diff --git a/.github/workflows/code-style.yml b/.github/workflows/code-style.yml
@@ -1,4 +1,5 @@
 name: Code Style
+
 on:
   push:
     branches:
@@ -7,15 +8,17 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   pylint-code-check:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
         python-version: [ 3.8 ]
-
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Install dependencies
         run: |
           sudo apt install python3-setuptools

diff --git a/.github/workflows/update-pr-branch.yml b/.github/workflows/update-pr-branch.yml
@@ -1,22 +1,27 @@
 name: 'Update PR Branch on PR Comment'
+
 on:
   issue_comment:
     types: [created]
+
+permissions:
+  contents: read
+
 jobs:
   update_pr_branch:
     name: Update PR Branch on PR Comment
     if: github.event.issue.pull_request != '' && github.event.comment.body == '/update'
     runs-on: ubuntu-latest
     steps:
       - name: Fetch latest code
-        uses: actions/checkout@v2
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           token: ${{ secrets.ACTIONS_PAT }}
           fetch-depth: 0
           submodules: 'true'
       - name: Fetch PR and target branch names
         id: fetch_pr_and_target_branch
-        uses: actions/github-script@v3
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Report a Vulnerability
+
+Please report security issues or vulnerabilities to the [Intel® Security Center].
+
+For more information on how Intel® works to resolve security issues, see
+[Vulnerability Handling Guidelines].
+
+[Intel® Security Center]:https://www.intel.com/security
+
+[Vulnerability Handling Guidelines]:https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html