From bc3180f0fa2609fc38d1a48e0cbef1ffa1edce25 Mon Sep 17 00:00:00 2001 From: Myrotvorets Date: Wed, 4 Sep 2024 10:55:40 +0300 Subject: [PATCH 1/2] Harden workflows --- .github/codeql-config.yml | 10 --- .github/workflows/audit-signatures.yml | 47 ++++++++++++++ .github/workflows/build.yml | 16 ++++- .../{codeql.yml => codeql-analysis.yml} | 20 +++++- .github/workflows/lint.yml | 64 +++++++++++++++++++ .github/workflows/package-audit.yml | 46 +------------ .../{npm-publish.yml => publish.yml} | 29 +++++++++ .github/workflows/push-tag.yml | 25 +++++++- .github/workflows/sonarscan.yml | 31 +++++++-- 9 files changed, 224 insertions(+), 64 deletions(-) delete mode 100644 .github/codeql-config.yml create mode 100644 .github/workflows/audit-signatures.yml rename .github/workflows/{codeql.yml => codeql-analysis.yml} (60%) create mode 100644 .github/workflows/lint.yml rename .github/workflows/{npm-publish.yml => publish.yml} (61%) diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml deleted file mode 100644 index 43b9c7b..0000000 --- a/.github/codeql-config.yml +++ /dev/null @@ -1,10 +0,0 @@ -name: CodeQL Config - -paths: - - src - -paths-ignore: - - node_modules - -queries: - - uses: security-and-quality diff --git a/.github/workflows/audit-signatures.yml b/.github/workflows/audit-signatures.yml new file mode 100644 index 0000000..606f322 --- /dev/null +++ b/.github/workflows/audit-signatures.yml 
@@ -0,0 +1,47 @@ +name: Audit Signatures + +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +permissions: + contents: read + +jobs: + audit: + name: Verify Signatures and Provenance Statements + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + tuf-repo-cdn.sigstore.dev:443 + + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Setup Node.js environment + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + with: + node-version: lts/* + + - name: Install latest npm + run: npm install -g npm@latest + + - name: Install dependencies + run: npm ci + + - name: Run audit + run: npm audit signatures diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8dfbbcc..1941d52 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,7 +4,8 @@ name: Build and Test on: push: branches: - - "**" + - master + pull_request: workflow_dispatch: permissions: @@ -14,7 +15,6 @@ jobs: build: name: Build and test (Node ${{ matrix.node.name }}) runs-on: ubuntu-latest - if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }} strategy: matrix: node: 
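Review bot: The Harden Runner step of the new `audit` job sets `disable-sudo: true` and an `allowed-endpoints` list but omits `egress-policy: block`, which every other job touched by this commit sets; without it the action stays in its default audit mode, so the allowlist is only reported and never enforced. The `npm ci` step also runs dependency lifecycle scripts before `npm audit signatures` has verified anything, whereas the provenance job this replaces (deleted from package-audit.yml in the same commit) used `npm ci --ignore-scripts`. Suggest `egress-policy: block` under the Harden Runner `with:` and `run: npm ci --ignore-scripts` for the install step. `npm install -g npm@latest` is the one unpinned fetch left in the job; if that is deliberate, a short comment on the step saying so would stop the next reviewer from flagging it again.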
@@ -22,6 +22,18 @@ jobs: - { name: LTS, version: lts/* } - { name: Previous LTS, version: lts/-1 } steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Build and test uses: myrotvorets/composite-actions/build-test-nodejs@master with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql-analysis.yml similarity index 60% rename from .github/workflows/codeql.yml rename to .github/workflows/codeql-analysis.yml index b52837c..22ad385 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,4 +1,4 @@ -name: CodeQL +name: CodeQL Analysis on: push: @@ -8,7 +8,8 @@ on: branches: - master schedule: - - cron: "49 7 * * 3" + - cron: '49 7 * * 3' + workflow_dispatch: permissions: contents: read @@ -27,6 +28,17 @@ jobs: contents: read security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -34,7 +46,9 @@ jobs: uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: languages: ${{ matrix.language }} - config-file: ./.github/codeql-config.yml + queries: +security-and-quality - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..067cc67 --- /dev/null 
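Review bot: Replacing `config-file: ./.github/codeql-config.yml` with `queries: +security-and-quality` keeps the query suite but drops the `paths: src` / `paths-ignore: node_modules` scoping of the deleted config, so the analysis now covers the whole checkout (tests, build output, generated files) unless the extractor's defaults happen to exclude them. If the narrower scope was intended, the init step accepts the same keys inline, e.g. `config: |` followed by `paths:` and `- src` at the next indent, alongside the hunk's `queries` line; if the widening is intentional, a one-line comment on the step recording that would save the next reader from digging up the deleted file. The `category: "/language:${{ matrix.language }}"` addition is right for a language matrix, since it keeps the per-language SARIF uploads from overwriting each other.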
+++ b/.github/workflows/lint.yml @@ -0,0 +1,64 @@ +name: Linting + +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +permissions: + contents: read + +env: + NPM_CONFIG_FUND: '0' + NPM_CONFIG_AUDIT: '0' + SUPPRESS_SUPPORT: '1' + NO_UPDATE_NOTIFIER: 'true' + +jobs: + lint: + name: ESLint Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + + - name: Run code style check + uses: myrotvorets/composite-actions/node-run-script@master + with: + script: lint + + typecheck: + name: TypeScript Check + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + + - name: Run type check + uses: myrotvorets/composite-actions/node-run-script@master + with: + script: typecheck diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml index 7a8b9e1..50ce012 100644 --- a/.github/workflows/package-audit.yml +++ b/.github/workflows/package-audit.yml 
@@ -25,51 +25,9 @@ jobs: allowed-endpoints: api.github.com:443 github.com:443 - npm.pkg.github.com:443 - pkg-npm.githubusercontent.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 registry.npmjs.org:443 - name: Audit with NPM uses: myrotvorets/composite-actions/node-package-audit@master - - provenance: - name: Verify signatures and provenance statements - runs-on: ubuntu-latest - permissions: - contents: read - packages: read - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-sudo: true - allowed-endpoints: - api.github.com:443 - github.com:443 - npm.pkg.github.com:443 - pkg-npm.githubusercontent.com:443 - registry.npmjs.org:443 - tuf-repo-cdn.sigstore.dev:443 - - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Setup Node.js environment - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 - with: - node-version: lts/* - registry-url: https://npm.pkg.github.com - cache: npm - - - name: Install dependencies - run: npm ci --ignore-scripts - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Update npm - run: npm i -g npm - - - name: Run audit - run: npm audit signatures - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/publish.yml similarity index 61% rename from .github/workflows/npm-publish.yml rename to .github/workflows/publish.yml index 2ae21d4..370cda8 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/publish.yml 
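Review bot: Dropping `npm.pkg.github.com:443` and `pkg-npm.githubusercontent.com:443` from the allowlist means any lockfile entry that still resolves to GitHub Packages would be refused inside the composite audit action, turning a registry mismatch into an egress failure that is hard to read from the job log; the lockfile is not visible here, so this is only a check to make. If the move to registry.npmjs.org is complete, a comment above the list such as `# dependencies resolve from npmjs only; GPR hosts intentionally removed` records the decision next to the allowlist. The Harden Runner step this list belongs to starts above the hunk, so whether `egress-policy: block` is set for this job cannot be confirmed from the diff.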
@@ -22,8 +22,22 @@ jobs: prepare: name: Prepare source code runs-on: ubuntu-latest + permissions: + contents: read if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes' steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Prepare source uses: myrotvorets/composite-actions/node-prepublish@master @@ -49,6 +63,21 @@ jobs: secret: GITHUB_TOKEN registry_url: https://npm.pkg.github.com/ steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + fulcio.sigstore.dev:443 + registry.npmjs.org:443 + rekor.sigstore.dev:443 + npm.pkg.github.com:443 + - name: Publish package uses: myrotvorets/composite-actions/node-publish@master with: diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml index f81a5f9..d8700a9 100644 --- a/.github/workflows/push-tag.yml +++ b/.github/workflows/push-tag.yml @@ -3,7 +3,7 @@ name: Pre-release Testing on: push: tags: - - "v**" + - "**" permissions: contents: read @@ -12,7 +12,21 @@ jobs: build: name: Build and test runs-on: ubuntu-latest + permissions: + contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + nodejs.org:443 + registry.npmjs.org:443 + - name: Build and test uses: myrotvorets/composite-actions/build-test-nodejs@master 
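Review bot: The `fulcio.sigstore.dev:443` and `rekor.sigstore.dev:443` entries in the publish job's allowlist only make sense if the publish step produces provenance, and that additionally needs `id-token: write` in the job's `permissions` block, which sits above this hunk and is not visible; if it is missing, the publish now fails under the enforced egress policy rather than degrading quietly, so it is worth confirming. A comment on the two Sigstore lines, `# needed for npm --provenance (keyless signing + transparency log)`, would explain to a future reader why the publish job may reach hosts the prepare job does not. The `prepare` job's new `permissions: contents: read` is the right minimum for a build-only job.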
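Review bot: Widening the tag filter from `"v**"` to `"**"` runs this workflow, including the `release` job that holds `contents: write`, for every pushed tag rather than only version tags, so any tag push now triggers a release-creating job. If non-`v` tags are expected to exist, keep the write-scoped job gated with a guard such as `if: startsWith(github.ref_name, 'v')` on the release job; otherwise restoring `- "v**"` is the simpler fix. The release job is defined further down the file, outside this hunk.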
@@ -23,6 +37,15 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml index fb42440..2aa6eca 100644 --- a/.github/workflows/sonarscan.yml +++ b/.github/workflows/sonarscan.yml @@ -12,17 +12,40 @@ on: permissions: contents: read -env: - SONARSCANNER: "true" - jobs: build: name: SonarCloud Scan runs-on: ubuntu-latest + permissions: + contents: read if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + npm.pkg.github.com:443 + objects.githubusercontent.com:443 + pipelinesghubeus23.actions.githubusercontent.com:443 + pkg-npm.githubusercontent.com:443 + registry.npmjs.org:443 + api.sonarcloud.io:443 + analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 + sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443 + scanner.sonarcloud.io:443 + sonarcloud.io:443 + + - name: Check out the source code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + - name: Run SonarCloud analysis uses: myrotvorets/composite-actions/node-sonarscan@master with: sonar-token: ${{ secrets.SONAR_TOKEN }} - test-script: "test:coverage" + test-script: 'test:coverage' From a6c7f38adb89e95f1a14cf11ad6d4ea269095231 Mon Sep 17 00:00:00 2001 
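Review bot: `pipelinesghubeus23.actions.githubusercontent.com:443` in the new allowlist looks like a single Actions cache/pipelines backend host, and those hostnames are not stable across runner placements; with `egress-policy: block` now set, a run that lands on a differently named host would have its cache traffic refused. Harden Runner's endpoint syntax may accept a wildcard for that host family, which would be the robust form; failing that, a comment such as `# Actions cache backend; exact hostname may differ per run` next to the entry explains the first unexpected failure. The workflow-level `SONARSCANNER: "true"` env is removed in this hunk; if the `test:coverage` script or the composite action read it, that dependency is no longer visible here, so confirm nothing consumed it.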
From: Myrotvorets Date: Wed, 4 Sep 2024 10:58:41 +0300 Subject: [PATCH 2/2] Pin actions --- .github/workflows/build.yml | 2 +- .github/workflows/lint.yml | 4 ++-- .github/workflows/package-audit.yml | 2 +- .github/workflows/publish.yml | 4 ++-- .github/workflows/push-tag.yml | 2 +- .github/workflows/sonarscan.yml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1941d52..dcbc3a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -35,6 +35,6 @@ jobs: registry.npmjs.org:443 - name: Build and test - uses: myrotvorets/composite-actions/build-test-nodejs@master + uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208 with: node-version: ${{ matrix.node.version }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 067cc67..10a1730 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -36,7 +36,7 @@ jobs: registry.npmjs.org:443 - name: Run code style check - uses: myrotvorets/composite-actions/node-run-script@master + uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208 with: script: lint @@ -59,6 +59,6 @@ jobs: registry.npmjs.org:443 - name: Run type check - uses: myrotvorets/composite-actions/node-run-script@master + uses: myrotvorets/composite-actions/node-run-script@931ae3fec4810f7d263d28f6cf12159080b76208 with: script: typecheck diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml index 50ce012..2576ef7 100644 --- a/.github/workflows/package-audit.yml +++ b/.github/workflows/package-audit.yml @@ -30,4 +30,4 @@ jobs: registry.npmjs.org:443 - name: Audit with NPM - uses: myrotvorets/composite-actions/node-package-audit@master + uses: myrotvorets/composite-actions/node-package-audit@931ae3fec4810f7d263d28f6cf12159080b76208 
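Review bot: The new pins `myrotvorets/composite-actions/...@931ae3fec4810f7d263d28f6cf12159080b76208` carry no version or date comment, unlike the third-party pins in the same files (`# v4.1.7`, `# v2.9.1`), so a reader cannot tell which state of composite-actions the SHA corresponds to, and update tooling that rewrites SHA pins has no version hint to bump. Suggest appending a comment to each pinned line, e.g. `uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208 # <tag or date of that commit>`. The same applies to the lint.yml, package-audit.yml, publish.yml, push-tag.yml and sonarscan.yml hunks of this patch. Pinning to a SHA is the right move given the composite actions previously floated on `@master`.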
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 370cda8..774aadb 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -39,7 +39,7 @@ jobs: registry.npmjs.org:443 - name: Prepare source - uses: myrotvorets/composite-actions/node-prepublish@master + uses: myrotvorets/composite-actions/node-prepublish@931ae3fec4810f7d263d28f6cf12159080b76208 publish: name: Publish package (${{ matrix.registry }}) @@ -79,7 +79,7 @@ jobs: npm.pkg.github.com:443 - name: Publish package - uses: myrotvorets/composite-actions/node-publish@master + uses: myrotvorets/composite-actions/node-publish@931ae3fec4810f7d263d28f6cf12159080b76208 with: node-auth-token: ${{ secrets[matrix.secret] }} registry-url: ${{ matrix.registry_url }} diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml index d8700a9..bada631 100644 --- a/.github/workflows/push-tag.yml +++ b/.github/workflows/push-tag.yml @@ -28,7 +28,7 @@ jobs: registry.npmjs.org:443 - name: Build and test - uses: myrotvorets/composite-actions/build-test-nodejs@master + uses: myrotvorets/composite-actions/build-test-nodejs@931ae3fec4810f7d263d28f6cf12159080b76208 release: name: Prepare the release diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml index 2aa6eca..f7872aa 100644 --- a/.github/workflows/sonarscan.yml +++ b/.github/workflows/sonarscan.yml @@ -45,7 +45,7 @@ jobs: fetch-depth: 0 - name: Run SonarCloud analysis - uses: myrotvorets/composite-actions/node-sonarscan@master + uses: myrotvorets/composite-actions/node-sonarscan@931ae3fec4810f7d263d28f6cf12159080b76208 with: sonar-token: ${{ secrets.SONAR_TOKEN }} test-script: 'test:coverage'