From a7c854c18e12fbb7a79eef2539509e741ed01bdd Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 14 Nov 2024 12:13:14 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/check.yaml | 7 +++++--
 .github/workflows/docker.yaml | 11 +++++++----
 .github/workflows/docs.yaml | 7 +++++--
 .../workflows/postgresql-16-ppg-package-pgxs.yml | 15 ++++++++++-----
 .../workflows/postgresql-16-src-make-macos.yml | 9 ++++++---
 .../workflows/postgresql-16-src-make-ssl11.yml | 9 ++++++---
 .github/workflows/postgresql-16-src-make.yml | 9 ++++++---
 .../workflows/postgresql-16-src-meson-macos.yml | 9 ++++++---
 .github/workflows/postgresql-16-src-meson.yml | 9 ++++++---
 .github/workflows/postgresql-17-src-make.yml | 9 ++++++---
 .../workflows/postgresql-17-src-meson-perf.yml | 8 ++++----
 .github/workflows/postgresql-17-src-meson.yml | 9 ++++++---
 .github/workflows/postgresql-perf-results.yml | 4 ++--
 .../workflows/postgresql-pgdg-package-pgxs.yml | 15 ++++++++++-----
 .github/workflows/scorecard.yml | 2 +-
 15 files changed, 86 insertions(+), 46 deletions(-)

diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
index f980742b..a55c6bf3 100644
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@@ -2,6 +2,9 @@ name: Checks
 on:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 format:
 name: Format
@@ -15,13 +18,13 @@ jobs:
 sudo apt-get install -y libcurl4-openssl-dev
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'REL_17_STABLE'
 
 - name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'contrib/pg_tde'
 
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index bc05326f..6ed9121b 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -7,6 +7,9 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 build-and-push:
 name: Build and Push
@@ -14,10 +17,10 @@ jobs:
 
 steps:
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
 
 - name: Build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 file: docker/Dockerfile
 load: true # Put image in local docker
@@ -34,14 +37,14 @@ jobs:
 
 - name: Login to Docker Hub
 if: ${{ github.ref == 'refs/heads/main' }}
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
 - name: Push
 if: ${{ github.ref == 'refs/heads/main' }}
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
 with:
 file: docker/Dockerfile
 push: true
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 61771196..136d59ac 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -6,6 +6,9 @@ on:
 paths:
 - "documentation/**"
 
+permissions:
+ contents: read
+
 jobs:
 release:
 name: Release
@@ -16,10 +19,10 @@ jobs:
 
 steps:
 - name: Chekout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: "3.x"
 
diff --git a/.github/workflows/postgresql-16-ppg-package-pgxs.yml b/.github/workflows/postgresql-16-ppg-package-pgxs.yml
index 120bf610..400c84f0 100644
--- a/.github/workflows/postgresql-16-ppg-package-pgxs.yml
+++ b/.github/workflows/postgresql-16-ppg-package-pgxs.yml
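Review bot: The new workflow-level `permissions: contents: read` in docs.yaml also caps the `release` job, and a job with that name and a "documentation/**" path trigger typically publishes with the default GITHUB_TOKEN (a gh-pages push or similar); if it does, that push is now rejected — the rest of the job is outside the hunk, so this needs confirming. If the job does write to the repository, keep the read-only workflow default and grant the job exactly what it needs, as the package workflows in this same commit do: `release:` / `  permissions:` / `    contents: write`.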
@@ -5,8 +5,13 @@ on:
 push:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for ncipollo/release-action to create a release
 name: pg-16-ppg-package-pgxs-build
 runs-on: ubuntu-22.04
 steps:
@@ -55,7 +60,7 @@ jobs:
 percona-postgis percona-pg-stat-monitor16
 
 - name: Clone pg_tde repository
- uses: actions/checkout@master
+ uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
 with:
 path: 'src/pg_tde'
 
@@ -90,7 +95,7 @@ jobs:
 working-directory: src/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
@@ -113,7 +118,7 @@ jobs:
 sudo cp /usr/lib/postgresql/16/lib/pg_tde* pgtde-ppg16/usr/lib/postgresql/16/lib/
 
 - name: Upload tgz
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: pg_tde_ppg16_binary
 path: pgtde-ppg16
@@ -135,7 +140,7 @@ jobs:
 sudo dpkg -i --debug=7777 pgtde-ppg16.deb
 
 - name: Upload deb
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: pg_tde_deb
 path: pgtde-ppg16.deb
@@ -145,7 +150,7 @@ jobs:
 cd pgtde-ppg16 && sudo tar -czvf ../pgtde-ppg16.tar.gz .
 
 - name: Publish release
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
 # Only try and deploy on merged code
 if: "github.repository == 'percona/pg_tde' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'schedule')"
 with:
diff --git a/.github/workflows/postgresql-16-src-make-macos.yml b/.github/workflows/postgresql-16-src-make-macos.yml
index fcdf0bb3..2a96d775 100644
--- a/.github/workflows/postgresql-16-src-make-macos.yml
+++ b/.github/workflows/postgresql-16-src-make-macos.yml
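Review bot: `contents: write` is granted to the whole `build` job, not just to the `Publish release` step at the end of it, so the package installs, the regression run and `sudo dpkg -i` all execute with a token that can push to the repository — GITHUB_TOKEN permissions cannot be narrowed per step. The job also runs `actions/checkout` for `src/pg_tde`, and checkout persists the token in the clone's git config by default, so the write-capable token sits on disk for every later step. Consider splitting the release into its own job with `needs: build` that downloads the tgz/deb artifacts and is the only job carrying `contents: write`, or at minimum add `persist-credentials: false` to that checkout. The `build` job continues well past this hunk.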
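Review bot: The `Clone pg_tde repository` step is pinned to a different `actions/checkout` commit (`61b9e375…`, commented `# master`) than every other checkout in this commit (`11bd7190…`, commented `# v4.2.2`). The trailing comment is what Dependabot/Renovate use to decide what the SHA tracks, so `# master` keeps this step following the branch tip rather than a tagged release, and the project now runs two builds of the same action. Use the same pinned release here: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`.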
@@ -1,6 +1,9 @@
 name: postgresql-16-src-make-macos
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-src-make-test
@@ -15,14 +18,14 @@ jobs:
 sudo /usr/bin/perl -MCPAN -e 'install Text::Trim'
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -65,7 +68,7 @@ jobs:
 working-directory: src/contrib/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-16-src-make-ssl11.yml b/.github/workflows/postgresql-16-src-make-ssl11.yml
index 2b7f4a5d..2c20d519 100644
--- a/.github/workflows/postgresql-16-src-make-ssl11.yml
+++ b/.github/workflows/postgresql-16-src-make-ssl11.yml
@@ -1,6 +1,9 @@
 name: postgresql-16-src-make-ssl11
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-src-make-test-ssl11
@@ -34,14 +37,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
 working-directory: src/contrib/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-16-src-make.yml b/.github/workflows/postgresql-16-src-make.yml
index 668523d6..41237c49 100644
--- a/.github/workflows/postgresql-16-src-make.yml
+++ b/.github/workflows/postgresql-16-src-make.yml
@@ -1,6 +1,9 @@
 name: postgresql-16-src-make
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-src-make-test
@@ -34,14 +37,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
 working-directory: src/contrib/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-16-src-meson-macos.yml b/.github/workflows/postgresql-16-src-meson-macos.yml
index 72273f1e..0513277f 100644
--- a/.github/workflows/postgresql-16-src-meson-macos.yml
+++ b/.github/workflows/postgresql-16-src-meson-macos.yml
@@ -1,6 +1,9 @@
 name: postgresql-16-src-meson-macos
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-src-meson-test
@@ -15,14 +18,14 @@ jobs:
 sudo /usr/bin/perl -MCPAN -e 'install Text::Trim'
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -49,7 +52,7 @@ jobs:
 working-directory: src/build
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-16-src-meson.yml b/.github/workflows/postgresql-16-src-meson.yml
index 4a5166a4..b9f6aabf 100644
--- a/.github/workflows/postgresql-16-src-meson.yml
+++ b/.github/workflows/postgresql-16-src-meson.yml
@@ -1,6 +1,9 @@
 name: postgresql-16-src-meson
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-src-meson-test
@@ -35,14 +38,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'a81e5516fa4bc53e332cb35eefe231147c0e1749'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -69,7 +72,7 @@ jobs:
 working-directory: src/build
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-17-src-make.yml b/.github/workflows/postgresql-17-src-make.yml
index 8e496de1..0ae70488 100644
--- a/.github/workflows/postgresql-17-src-make.yml
+++ b/.github/workflows/postgresql-17-src-make.yml
@@ -1,6 +1,9 @@
 name: postgresql-17-src-make
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-17-src-make-test
@@ -34,14 +37,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'REL_17_STABLE'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -82,7 +85,7 @@ jobs:
 working-directory: src/contrib/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-17-src-meson-perf.yml b/.github/workflows/postgresql-17-src-meson-perf.yml
index c155aca5..60de4ed6 100644
--- a/.github/workflows/postgresql-17-src-meson-perf.yml
+++ b/.github/workflows/postgresql-17-src-meson-perf.yml
@@ -38,14 +38,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'percona-lab/postgres'
 ref: 'TDE_REL_17_STABLE'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
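Review bot: `postgresql-17-src-meson-perf.yml` is the one build workflow in this commit that only gets its `uses:` lines pinned and no `permissions:` block — the diffstat shows 4 additions against 4 deletions, and the hunks here start at line 38, so nothing was added at the top of the file. Unless the file already declares one above the hunk (not visible here), the job keeps the repository's default token permissions, which can be read/write, for a workflow that checks out and builds the pull request's code. Add the same header the sibling workflows received: `permissions:` / `  contents: read`; the checkout and upload-artifact steps in this file need nothing more. The `build` job starts before the hunk.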
@@ -68,7 +68,7 @@ jobs:
 working-directory: src/build
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
@@ -128,7 +128,7 @@ jobs:
 echo "EOF" >> $GITHUB_ENV
 working-directory: inst
 
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: pr_perf_results
 path: inst/pr_perf_results
diff --git a/.github/workflows/postgresql-17-src-meson.yml b/.github/workflows/postgresql-17-src-meson.yml
index 2520de64..9c7dfee6 100644
--- a/.github/workflows/postgresql-17-src-meson.yml
+++ b/.github/workflows/postgresql-17-src-meson.yml
@@ -1,6 +1,9 @@
 name: postgresql-17-src-meson
 on: [pull_request, workflow_dispatch]
 
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-17-src-meson-test
@@ -35,14 +38,14 @@ jobs:
 sudo apt update && sudo apt install -y vault
 
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'percona/postgres'
 ref: 'TDE_REL_17_STABLE'
 path: 'src'
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src/contrib/pg_tde'
 
@@ -65,7 +68,7 @@ jobs:
 working-directory: src/build
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
diff --git a/.github/workflows/postgresql-perf-results.yml b/.github/workflows/postgresql-perf-results.yml
index 1ff550c4..9ffc48e3 100644
--- a/.github/workflows/postgresql-perf-results.yml
+++ b/.github/workflows/postgresql-perf-results.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Download artifact'
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 script: |
 let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -36,7 +36,7 @@ jobs:
 unzip pr_perf_results.zip
 
 - name: Clone pg_tde repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'src'
 ref: ${{ github.event.workflow_run.head_branch }}
diff --git a/.github/workflows/postgresql-pgdg-package-pgxs.yml b/.github/workflows/postgresql-pgdg-package-pgxs.yml
index bed83936..ee624d50 100644
--- a/.github/workflows/postgresql-pgdg-package-pgxs.yml
+++ b/.github/workflows/postgresql-pgdg-package-pgxs.yml
@@ -5,8 +5,13 @@ on:
 push:
 branches: [main]
 
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for ncipollo/release-action to create a release
 name: pg-pgdg-package-pgxs-build
 runs-on: ubuntu-24.04
 strategy:
@@ -48,7 +53,7 @@ jobs:
 sudo apt -y install postgresql-$POSTGRESQL_VERSION postgresql-server-dev-$POSTGRESQL_VERSION
 
 - name: Clone pg_tde repository
- uses: actions/checkout@master
+ uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
 with:
 path: 'src/pg_tde'
 
@@ -87,7 +92,7 @@ jobs:
 working-directory: src/pg_tde
 
 - name: Report on test fail
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 if: ${{ failure() }}
 with:
 name: Regressions diff and postgresql log
@@ -114,7 +119,7 @@ jobs:
 - name: Upload tgz
 env:
 POSTGRESQL_VERSION: ${{ matrix.postgresql-version }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: pg_tde_pgdg$POSTGRESQL_VERSION_binary
 path: pgtde-pgdg$POSTGRESQL_VERSION
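Review bot: The checkout in this hunk uses `ref: ${{ github.event.workflow_run.head_branch }}`, the branch of whichever run triggered this `workflow_run` workflow, right after a step that downloads and unzips the `pr_perf_results` artifact that run produced; when the triggering run came from a pull request, both the tree and the artifact are contributor-controlled, while this workflow runs in the base repository with its token and secrets. Pinning the actions does not change that, so the steps after this hunk (not visible here) should treat `src` and the unzipped results as data only — no scripts executed from the checkout and no artifact contents interpolated into `run:` or `script:` text. This file also received no `permissions:` block in this commit (the diffstat shows only 2 replaced lines); if it does not already declare one, add `permissions:` with `contents: read`, `actions: read` for `listWorkflowRunArtifacts`/download, and only what the later steps genuinely need. The job body extends past the hunk.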
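Review bot: In postgresql-pgdg-package-pgxs.yml the job-level `contents: write` covers every step of the matrix `build` job, not only the `Publish release` step that the comment cites, so each `apt` install, build and regression run across the matrix executes with a push-capable token, and the `actions/checkout` of `src/pg_tde` leaves that token in the clone's git config by default. The cheapest mitigation within this file is `persist-credentials: false` on that checkout; the cleaner one is a separate `release` job with `needs: build` that downloads the tgz/deb artifacts and is the only job granted `contents: write`, leaving the matrix job at `contents: read`. The `build` job continues outside the hunk.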
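Review bot: The `Clone pg_tde repository` checkout in postgresql-pgdg-package-pgxs.yml is pinned to `61b9e375…` with a `# master` comment, whereas every other checkout in this commit is `11bd7190…` `# v4.2.2`; automated pin updaters follow the comment, so this step will keep tracking the branch tip rather than a release. Replace it with the release pin used everywhere else: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`.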
@@ -142,7 +147,7 @@ jobs:
 - name: Upload deb
 env:
 POSTGRESQL_VERSION: ${{ matrix.postgresql-version }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: pg_tde_deb
 path: pgtde-pgdg$POSTGRESQL_VERSION.deb
@@ -154,7 +159,7 @@ jobs:
 cd pgtde-pgdg$POSTGRESQL_VERSION && sudo tar -czvf ../pgtde-pgdg$POSTGRESQL_VERSION.tar.gz .
 
 - name: Publish release
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
 # Only try and deploy on merged code
 if: "github.repository == 'percona/pg_tde' && github.ref_name == 'main' && (github.event_name == 'push' || github.event_name == 'schedule')"
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index cb2777b6..2bab53a3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -43,6 +43,6 @@ jobs:
 
 # Upload the results to GitHub's code scanning dashboard (optional).
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
 with:
 sarif_file: results.sarif