From c76ef9757bfe99c748544e70dc753285cbffa864 Mon Sep 17 00:00:00 2001
From: Miguel Nieto A <39246879+miguelnietoa@users.noreply.github.com>
Date: Fri, 23 Dec 2022 11:53:11 -0500
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#71)
* Rename CI.yml to ci.yml
* Rename CD.yml to cd.yml
* [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
Signed-off-by: StepSecurity Bot
Co-authored-by: StepSecurity Bot
---
 .github/workflows/{CD.yml => cd.yml} | 14 +++++++++++---
 .github/workflows/{CI.yml => ci.yml} | 16 +++++++++++++---
 .github/workflows/scorecards.yml | 5 +++++
 3 files changed, 29 insertions(+), 6 deletions(-)
 rename .github/workflows/{CD.yml => cd.yml} (57%)
 rename .github/workflows/{CI.yml => ci.yml} (72%)
diff --git a/.github/workflows/CD.yml b/.github/workflows/cd.yml
similarity index 57%
rename from .github/workflows/CD.yml
rename to .github/workflows/cd.yml
index 4ed0b19..38ad2ee 100644
--- a/.github/workflows/CD.yml
+++ b/.github/workflows/cd.yml
@@ -5,6 +5,9 @@ on:
 types: [published]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 publish:
 name: Publish Release to HEX PM
@@ -16,12 +19,17 @@ jobs:
 env:
 HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
 steps:
- - uses: actions/checkout@v3
- - uses: erlef/setup-elixir@v1
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+ - uses: erlef/setup-elixir@b980a5ac9b7316a23ebc16de2bb69b7c3ad731b5 # v1.15.0
 with:
 otp-version: ${{ matrix.otp }}
 elixir-version: ${{ matrix.elixir }}
- - uses: actions/cache@v3
+ - uses: actions/cache@c1a5de879eb890d062a85ee0252d6036480b1fe2 # v3.2.1
 with:
 path: deps
 key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }}
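Review bot: The trailing comment on the new `permissions:` key records which tool generated it, not why `contents: read` is enough, so whoever next adds a step that needs a token scope gets no guidance on whether to widen this workflow-level block or add a job-level one. A purpose comment outlives the tool URL, e.g. `permissions: # least privilege: publishing only reads the repo; HEX_API_KEY is a repository secret, not a token scope`. The `publish` job this governs, with its `HEX_API_KEY` env, starts below this hunk (its steps appear in the next hunk).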
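Review bot: `egress-policy: audit` on the new Harden Runner step only logs outbound connections, so the publish job, which carries `HEX_API_KEY` in its environment, gains no egress protection from this change; the inline TODO to move to `block` is the part that actually hardens the job, and it has no owner or tracking reference. The job's destinations are presumably fixed (the Hex registry it publishes to and GitHub for checkout and cache), so the audit summary from the first runs can be turned into an `allowed-endpoints` list alongside `egress-policy: block`, and the TODO should point at the issue tracking that, e.g. `egress-policy: audit # TODO(<issue-id>): switch to 'block' with allowed-endpoints once the audit log confirms the endpoint set`. The same audit-only TODO is added in both ci.yml hunks and in scorecards.yml; one tracking reference covers all four.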
diff --git a/.github/workflows/CI.yml b/.github/workflows/ci.yml
similarity index 72%
rename from .github/workflows/CI.yml
rename to .github/workflows/ci.yml
index 765ff86..4fa7aae 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/ci.yml
@@ -18,12 +18,17 @@ jobs:
 env:
 MIX_ENV: test
 steps:
- - uses: actions/checkout@v3
- - uses: erlef/setup-elixir@v1
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+ - uses: erlef/setup-elixir@b980a5ac9b7316a23ebc16de2bb69b7c3ad731b5 # v1.15.0
 with:
 otp-version: ${{ matrix.otp }}
 elixir-version: ${{ matrix.elixir }}
- - uses: actions/cache@v3
+ - uses: actions/cache@c1a5de879eb890d062a85ee0252d6036480b1fe2 # v3.2.1
 with:
 path: deps
 key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }}
@@ -48,6 +53,11 @@ jobs:
 needs: tests
 runs-on: ubuntu-20.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Set BUILD_NUMBER for Pull Request event
 if: github.event_name == 'pull_request'
 run: echo "BUILD_NUMBER=${{ github.event.pull_request.head.sha }}-PR-${{ github.event.pull_request.number }}" >> $GITHUB_ENV
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index bdd1d44..4746e8c 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
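Review bot: The `# v3.2.0`, `# v1.15.0` and `# v3.2.1` comments beside the new SHA pins are the only human-readable record of what each commit hash is, and nothing checks them, so a later manual bump that edits one side leaves a pin that silently disagrees with its label. Adding a `.github/dependabot.yml` entry for the `github-actions` ecosystem keeps them honest, since Dependabot rewrites the SHA and the version comment together; that covers these pins and the identical ones in cd.yml. On style, the Harden Runner step is the only one in this hunk with a `name:` while the checkout, setup-elixir and cache steps remain bare `- uses:` entries; naming those too keeps the job log consistent with the new step.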
@@ -21,6 +21,11 @@ jobs:
 id-token: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: "Checkout code"
 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
 with: