[PAN-2035] CI hardening (#42)

* feature: update CI versions

* fix: change origin repo

* feature: pin SHA commits from third-parties

* fix: add anaconda to whitelist

* fix: do not remove sudo

.github/workflows/build.yml

@@ -30,15 +30,27 @@ jobs:
     # TODO: Change ubuntu-20.04 for the ARM public runner
     runs-on: ${{ inputs.architecture == 'amd64' && 'ubuntu-latest' || 'ubuntu-20.04' }}
     environment: ${{ inputs.environment }}
+    permissions: 
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         python-version: ["3.10"]
     steps:
-      - uses: step-security/harden-runner@v2
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
-          disable-sudo: false
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            motd.ubuntu.com:443
+            packages.microsoft.com:443
+            pypi.org:443
+            repo.anaconda.com:443
+            
       - uses: actions/checkout@v4
 
       - name: Set up Poetry
@@ -58,7 +70,7 @@ jobs:
       - name: Import GPG key
         if: steps.is-signed-build.outputs.HAS_SECRETS == 'true'
         id: import-gpg
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}

.github/workflows/ci.yaml

@@ -6,26 +6,46 @@ on:
       - main
   pull_request:
 
+
 jobs:
   shared:
     uses: pantos-io/ci-workflows/.github/workflows/python-ci.yml@v1
     secrets: inherit  
-
   docker-build:
     name: Build Docker images
     runs-on: ubuntu-latest
+    permissions: 
+      contents: read
     steps:
-      - uses: step-security/harden-runner@v2
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
-          disable-sudo: false
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            auth.docker.io:443
+            azure.archive.ubuntu.com:80
+            deb.debian.org:80
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            ghcr.io:443
+            github.com:443
+            index.docker.io:443
+            motd.ubuntu.com:443
+            packages.microsoft.com:443
+            pkg-containers.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            pypi.org:443
+            registry-1.docker.io:443
+            repo.anaconda.com:443
+        
       - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
         id: buildx
 
       - name: Cache Docker layers

.github/workflows/docker-vulnerabilities.yaml

@@ -8,20 +8,38 @@ jobs:
     docker-analysis:
         name: Trivy analysis for Docker image
         runs-on: ubuntu-latest
-
+        permissions: 
+          contents: read
         steps:
-            - uses: step-security/harden-runner@v2
+            - name: Harden Runner
+              uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
               with:
-               disable-sudo: false
-               egress-policy: audit
+                egress-policy: block
+                allowed-endpoints: >
+                  api.github.com:443
+                  auth.docker.io:443
+                  azure.archive.ubuntu.com:80
+                  deb.debian.org:80
+                  esm.ubuntu.com:443
+                  files.pythonhosted.org:443
+                  ghcr.io:443
+                  github.com:443
+                  index.docker.io:443
+                  motd.ubuntu.com:443
+                  packages.microsoft.com:443
+                  pkg-containers.githubusercontent.com:443
+                  production.cloudflare.docker.com:443
+                  pypi.org:443
+                  registry-1.docker.io:443
+                  repo.anaconda.com:443
             
             - uses: actions/checkout@v4
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+              uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+              uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
               id: buildx
 
             - name: Cache Docker layers
@@ -46,7 +64,7 @@ jobs:
                 DOCKER_TAG: analysis-latest
 
             - name: Scan vulnerabilities app image
-              uses: aquasecurity/trivy-action@0.20.0
+              uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
               with:           
                 image-ref: 'pantosio/service-node-app:analysis-latest'
                 format: 'sarif'
@@ -61,7 +79,7 @@ jobs:
                 sarif_file: 'trivy-app-results.sarif'
 
             - name: Scan vulnerabilities worker image
-              uses: aquasecurity/trivy-action@0.20.0
+              uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
               with:           
                 image-ref: 'pantosio/service-node-worker:analysis-latest'
                 format: 'sarif'

.github/workflows/release.yaml

@@ -21,7 +21,7 @@ jobs:
       deployment_pypi_environment: ${{ steps.get-environment.outputs.deployment_pypi_environment }}
       deployment_url: ${{ steps.get-environment.outputs.deployment_url }}
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -60,17 +60,17 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: audit
       - uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
         id: buildx
 
       - name: Cache Docker layers
@@ -82,7 +82,7 @@ jobs:
             ${{ runner.os }}-buildx-v1.0-service-node-
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -119,7 +119,7 @@ jobs:
         run: |
           echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node/tags?name=${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}" >> $GITHUB_OUTPUT
 
-      - uses: sigstore/cosign-installer@main
+      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       - name: Sign the images
         run: |
@@ -157,7 +157,7 @@ jobs:
       contents: write
       id-token: write
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -169,7 +169,7 @@ jobs:
 
       # We need to upload some artifacts, any, so that the download action works
       - name: Upload release assets
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0
         with:
           file: "./dist/*.deb"
           file_glob: true
@@ -178,7 +178,7 @@ jobs:
           tag: ${{ github.event.release.tag_name }}
 
       # We need to upload some artifacts, any, so that the download action works
-      - uses: robinraju/release-downloader@v1.9
+      - uses: robinraju/release-downloader@vc39a3b234af58f0cf85888573d361fb6fa281534 # v1.10
         with:
           tag: ${{ github.event.release.tag_name }}
           tarBall: true
@@ -194,7 +194,7 @@ jobs:
           # Do not sign deb artifacts
           rm release/*.deb
 
-      - uses: sigstore/[email protected]
+      - uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1
         with:
           inputs: release/*
 
@@ -209,7 +209,7 @@ jobs:
           ls -lha release
 
       - name: Upload release assets
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0
         with:
           file: "./release/*"
           file_glob: true
@@ -227,7 +227,7 @@ jobs:
     permissions:
       id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -244,7 +244,7 @@ jobs:
           ls -lha dist
 
       - name: Publish package distributions to ${{ needs.define-environment.outputs.deployment_pypi_environment }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # stable/v1.9.0
         with:
           repository-url: ${{ needs.define-environment.outputs.deployment_pypi_environment == 'test-pypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }}
 
@@ -260,7 +260,7 @@ jobs:
     # Disable the job for the moment being
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: audit
@@ -304,7 +304,7 @@ jobs:
         working-directory: release
 
       - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
@@ -331,7 +331,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Publish to GH Pages
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: release