From 181c0944b210a3f7832d28a50e1672cf97cc7f2c Mon Sep 17 00:00:00 2001
From: Jakob Lichterfeld
Date: Tue, 1 Oct 2024 11:34:07 +0200
Subject: [PATCH] ci: pin github action dependencies to protect against supply chain attacks, refactor to use common check_paths workflow
---
 .github/workflows/buildx.yml | 46 +++++++++++-----------------
 .github/workflows/check_paths.yml | 42 +++++++++++++++++++++++++
 .github/workflows/python_linting.yml | 27 +++++-----------
 CHANGELOG.md | 1 +
 4 files changed, 69 insertions(+), 47 deletions(-)
 create mode 100644 .github/workflows/check_paths.yml
diff --git a/.github/workflows/buildx.yml b/.github/workflows/buildx.yml
index f1695f8..c5704ca 100644
--- a/.github/workflows/buildx.yml
+++ b/.github/workflows/buildx.yml
@@ -11,28 +11,18 @@ on:
 - "v*"
 paths:
 - "**/*"
- - "!.github/**" # exclude PRs related to .github from auto-run
- - "!.github/workflows/**" # exclude PRs related to .github from auto-run
+ - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+ - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+ - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-run
 env:
 REGISTRY_IMAGE: teslamatetelegrambot/teslamatetelegrambot
+permissions:
+ contents: read
+
 jobs:
 check_paths:
- runs-on: ubuntu-latest
- outputs:
- githubfolder: ${{ steps.filter.outputs.githubfolder }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Filter paths
- uses: dorny/paths-filter@v3.0.2
- id: filter
- with:
- filters:
- githubfolder:
- - '.github/**'
+ uses: ./.github/workflows/check_paths.yml
 build:
 needs: check_paths
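Review bot: The three negated globs added under `paths` are nested: `!.github/**` already excludes everything under `.github/workflows/` and `.github/actions/`, so the two extra entries and their comments add nothing and will only drift; a single `- "!.github/**"  # Important: exclude .github changes from auto-run` says the same thing. The identical triplet is repeated in the new check_paths.yml (under both `push` and `pull_request_target`) and in python_linting.yml, so the trim applies to all three files. The `on:` block this hunk edits starts before the hunk, so which triggers the filters sit under cannot be confirmed from here. The workflow-level `permissions: contents: read` is the right default for jobs that only read the checkout and authenticate to the registry with secrets.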
@@ -53,29 +43,29 @@ jobs:
 echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
 with:
 images: ${{ env.REGISTRY_IMAGE }}
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Build and push by digest
 id: build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0
 with:
 context: .
 platforms: ${{ matrix.platform }}
@@ -89,7 +79,7 @@ jobs:
 touch "/tmp/digests/${digest#sha256:}"
 - name: Upload digest
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 #v4.4.0
 with:
 name: digests-${{ env.PLATFORM_PAIR }}
 path: /tmp/digests/*
@@ -103,18 +93,18 @@ jobs:
 steps:
 - name: Download digests
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8
 with:
 path: /tmp/digests
 pattern: digests-*
 merge-multiple: true
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1
 with:
 images: ${{ env.REGISTRY_IMAGE }}
 tags: |
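Review bot: The version comments after the pinned SHAs in this hunk, and in the `-89`, `-103` and `-125` hunks of this file and the `-37` hunk of python_linting.yml, are written `#v4.2.0` with no space, while the new check_paths.yml writes `# v4.1.7`; yamllint's `comments` rule wants the space, and as far as I know tools that refresh pinned SHAs (Dependabot and the like) read this trailing version comment, so one format throughout avoids surprises, e.g. `uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0`. The SHA-to-tag pairing cannot be verified from the diff itself; confirming that each SHA is the commit the named tag points to before merge is worth the few minutes, because the pin only protects against a moved tag if it is right to begin with. The `build` job these steps belong to starts before the hunk.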
@@ -125,7 +115,7 @@ jobs:
 - name: Login to Docker Hub
 if: github.event_name != 'pull_request'
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/check_paths.yml b/.github/workflows/check_paths.yml
new file mode 100644
index 0000000..b1f71b4
--- /dev/null
+++ b/.github/workflows/check_paths.yml
@@ -0,0 +1,42 @@
+name: Check paths
+
+on:
+ workflow_call:
+ # Map the workflow outputs to job outputs
+ outputs:
+ githubfolder:
+ description: "changes to .github folder"
+ value: ${{ jobs.check_paths.githubfolder }}
+ push:
+ paths:
+ - "**/*"
+ - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+ - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+ - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-run
+ branches: ["ci"]
+ pull_request_target:
+ branches: ["master"]
+ paths:
+ - "**/*"
+ - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+ - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+ - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-run
+
+permissions:
+ contents: read
+
+jobs:
+ check_paths:
+ runs-on: ubuntu-latest
+ outputs:
+ githubfolder: ${{ steps.filter.outputs.githubfolder }}
+ steps:
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+ id: filter
+ with:
+ base: "master" # needed to set as a called workflow does not have direct access to repository.default_branch
+ filters: |
+ githubfolder:
+ - '.github/**'
diff --git a/.github/workflows/python_linting.yml b/.github/workflows/python_linting.yml
index a100d19..9df3a29 100644
--- a/.github/workflows/python_linting.yml
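Review bot: The `workflow_call` output in the new check_paths.yml is mapped as `value: ${{ jobs.check_paths.githubfolder }}`, but a job's outputs are addressed through `outputs`, so the line should read `value: ${{ jobs.check_paths.outputs.githubfolder }}`; as written the reusable workflow publishes an empty `githubfolder`, and the callers in buildx.yml and python_linting.yml (whose `needs.check_paths`-based conditions lie outside these hunks) would presumably see every run as having no `.github` changes. The checkout here is pinned at `692973e… # v4.1.7` while the same commit pins `d632683… #v4.2.0` in the other two workflows; unless the difference is deliberate, use one pin and one comment format. This file also carries its own `push` (branch `ci`) and `pull_request_target` triggers, so it runs standalone as well as when called; since the checkout takes the default ref rather than the PR head, that is safe, but a comment such as `# standalone triggers: exercise the filter on the ci branch` would record why they exist.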
+++ b/.github/workflows/python_linting.yml
@@ -8,27 +8,16 @@ on:
 - "master"
 paths:
 - "**/*"
- - "!.github/**" # exclude PRs related to .github from auto-run
- - "!.github/workflows/**" # exclude PRs related to .github from auto-run
+ - "!.github/**" # Important: Exclude PRs related to .github from auto-run
+ - "!.github/workflows/**" # Important: Exclude PRs related to .github/workflows from auto-run
+ - "!.github/actions/**" # Important: Exclude PRs related to .github/actions from auto-ru
+permissions:
+ contents: read
 jobs:
 check_paths:
- runs-on: ubuntu-latest
- outputs:
- githubfolder: ${{ steps.filter.outputs.githubfolder }}
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Filter paths
- uses: dorny/paths-filter@v3.0.2
- id: filter
- with:
- filters:
- githubfolder:
- - '.github/**'
+ uses: ./.github/workflows/check_paths.yml
 lint:
 needs: check_paths
@@ -37,10 +26,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
 with:
 python-version: '3.12'
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b42e293..5230e86 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - build(deps): bump python-telegram-bot from 21.3 to 21.4 (#45)
 - build(deps): bump python-telegram-bot from 21.4 to 21.6 (#46)
 - ci: specify python version in GitHub workflow
+- ci: pin github action dependencies to protect against supply chain attacks, refactor to use common check_paths workflow
 ### Bug Fixes
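Review bot: The third added path comment in the `-8` hunk is truncated: `# Important: Exclude PRs related to .github/actions from auto-ru` should end in `auto-run`, as the two lines above it and the buildx.yml and check_paths.yml copies do. Unlike buildx.yml, this hunk appears to add no blank line between `contents: read` and `jobs:`, so the two files' layouts diverge after what is meant to be the same edit. The `on:` block these filters belong to starts before the hunk.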