From ca24867cf11f4c8a2145b967d151f6f48f99ae5f Mon Sep 17 00:00:00 2001 From: "Juan M. Tirado" Date: Fri, 28 Jun 2024 09:23:52 +0200 Subject: [PATCH] [PAN-2035] CI hardening (#42) * feature: update CI versions * fix: change origin repo * feature: pin SHA commits from third-parties * fix: add anaconda to whitelist * fix: do not remove sudo --- .github/workflows/build.yml | 20 ++++++++--- .github/workflows/ci.yaml | 32 +++++++++++++---- .github/workflows/docker-vulnerabilities.yaml | 34 ++++++++++++++----- .github/workflows/release.yaml | 32 ++++++++--------- poetry.lock | 6 ++-- 5 files changed, 87 insertions(+), 37 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2fcaac9..ba233c2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,15 +30,27 @@ jobs: # TODO: Change ubuntu-20.04 for the ARM public runner runs-on: ${{ inputs.architecture == 'amd64' && 'ubuntu-latest' || 'ubuntu-20.04' }} environment: ${{ inputs.environment }} + permissions: + contents: read strategy: fail-fast: false matrix: python-version: ["3.10"] steps: - - uses: step-security/harden-runner@v2 + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: - disable-sudo: false - egress-policy: audit + egress-policy: block + allowed-endpoints: > + azure.archive.ubuntu.com:80 + esm.ubuntu.com:443 + files.pythonhosted.org:443 + github.com:443 + motd.ubuntu.com:443 + packages.microsoft.com:443 + pypi.org:443 + repo.anaconda.com:443 + - uses: actions/checkout@v4 - name: Set up Poetry @@ -58,7 +70,7 @@ jobs: - name: Import GPG key if: steps.is-signed-build.outputs.HAS_SECRETS == 'true' id: import-gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8ae7aa0..fb9ca9f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -6,26 +6,46 @@ on: - main pull_request: + jobs: shared: uses: pantos-io/ci-workflows/.github/workflows/python-ci.yml@v1 secrets: inherit - docker-build: name: Build Docker images runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: step-security/harden-runner@v2 + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: - disable-sudo: false - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + azure.archive.ubuntu.com:80 + deb.debian.org:80 + esm.ubuntu.com:443 + files.pythonhosted.org:443 + ghcr.io:443 + github.com:443 + index.docker.io:443 + motd.ubuntu.com:443 + packages.microsoft.com:443 + pkg-containers.githubusercontent.com:443 + production.cloudflare.docker.com:443 + pypi.org:443 + registry-1.docker.io:443 + repo.anaconda.com:443 + - uses: actions/checkout@v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 id: buildx - name: Cache Docker layers diff --git a/.github/workflows/docker-vulnerabilities.yaml b/.github/workflows/docker-vulnerabilities.yaml index f270087..19cb686 100644 --- a/.github/workflows/docker-vulnerabilities.yaml +++ b/.github/workflows/docker-vulnerabilities.yaml @@ -8,20 +8,38 @@ jobs: docker-analysis: name: Trivy analysis for Docker image runs-on: ubuntu-latest - + permissions: + contents: read steps: - - uses: step-security/harden-runner@v2 + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: - disable-sudo: false - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + auth.docker.io:443 + azure.archive.ubuntu.com:80 + deb.debian.org:80 + esm.ubuntu.com:443 + files.pythonhosted.org:443 + ghcr.io:443 + github.com:443 + index.docker.io:443 + motd.ubuntu.com:443 + packages.microsoft.com:443 + pkg-containers.githubusercontent.com:443 + production.cloudflare.docker.com:443 + pypi.org:443 + registry-1.docker.io:443 + repo.anaconda.com:443 - uses: actions/checkout@v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 id: buildx - name: Cache Docker layers @@ -46,7 +64,7 @@ jobs: DOCKER_TAG: analysis-latest - name: Scan vulnerabilities app image - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 with: image-ref: 'pantosio/service-node-app:analysis-latest' format: 'sarif' @@ -61,7 +79,7 @@ jobs: sarif_file: 'trivy-app-results.sarif' - name: Scan vulnerabilities worker image - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 with: image-ref: 'pantosio/service-node-worker:analysis-latest' format: 'sarif' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1446f5e..65e74fd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,7 +21,7 @@ jobs: deployment_pypi_environment: ${{ steps.get-environment.outputs.deployment_pypi_environment }} deployment_url: ${{ steps.get-environment.outputs.deployment_url }} steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: audit @@ -60,17 +60,17 @@ jobs: permissions: id-token: write steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: audit - uses: actions/checkout@v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 id: buildx - name: Cache Docker layers @@ -82,7 +82,7 @@ jobs: ${{ runner.os }}-buildx-v1.0-service-node- - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -119,7 +119,7 @@ jobs: run: | echo "deployment_dockerhub_url=https://hub.docker.com/r/pantosio/service-node/tags?name=${{ github.event.release.tag_name }}${{ needs.define-environment.outputs.deployment_environment }}" >> $GITHUB_OUTPUT - - uses: sigstore/cosign-installer@main + - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Sign the images run: | @@ -157,7 +157,7 @@ jobs: contents: write id-token: write steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: audit @@ -169,7 +169,7 @@ jobs: # We need to upload some artifacts, any, so that the download action works - name: Upload release assets - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0 with: file: "./dist/*.deb" file_glob: true @@ -178,7 +178,7 @@ jobs: tag: ${{ github.event.release.tag_name }} # We need to upload some artifacts, any, so that the download action works - - uses: robinraju/release-downloader@v1.9 + - uses: robinraju/release-downloader@vc39a3b234af58f0cf85888573d361fb6fa281534 # v1.10 with: tag: ${{ github.event.release.tag_name }} tarBall: true @@ -194,7 +194,7 @@ jobs: # Do not sign deb artifacts rm release/*.deb - - uses: sigstore/gh-action-sigstore-python@v2.1.1 + - uses: sigstore/gh-action-sigstore-python@61f6a500bbfdd9a2a339cf033e5421951fbc1cd2 # v2.1.1 with: inputs: release/* @@ -209,7 +209,7 @@ jobs: ls -lha release - name: Upload release assets - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0 with: file: "./release/*" file_glob: true @@ -227,7 +227,7 @@ jobs: permissions: id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: audit @@ -244,7 +244,7 @@ jobs: ls -lha dist - name: Publish package distributions to ${{ needs.define-environment.outputs.deployment_pypi_environment }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ec4db0b4ddc65acdf4bff5fa45ac92d78b56bdf0 # stable/v1.9.0 with: repository-url: ${{ needs.define-environment.outputs.deployment_pypi_environment == 'test-pypi' && 'https://test.pypi.org/legacy/' || 'https://upload.pypi.org/legacy/' }} @@ -260,7 +260,7 @@ jobs: # Disable the job for the moment being runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: disable-sudo: true egress-policy: audit @@ -304,7 +304,7 @@ jobs: working-directory: release - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} @@ -331,7 +331,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Publish to GH Pages - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: release diff --git a/poetry.lock b/poetry.lock index 104de4f..c08e3bd 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1462,13 +1462,13 @@ files = [ [[package]] name = "importlib-metadata" -version = "7.2.1" +version = "8.0.0" description = "Read metadata from Python packages" optional = false python-versions = ">=3.8" files = [ - {file = "importlib_metadata-7.2.1-py3-none-any.whl", hash = "sha256:ffef94b0b66046dd8ea2d619b701fe978d9264d38f3998bc4c27ec3b146a87c8"}, - {file = "importlib_metadata-7.2.1.tar.gz", hash = "sha256:509ecb2ab77071db5137c655e24ceb3eee66e7bbc6574165d0d114d9fc4bbe68"}, + {file = "importlib_metadata-8.0.0-py3-none-any.whl", hash = "sha256:15584cf2b1bf449d98ff8a6ff1abef57bf20f3ac6454f431736cd3e660921b2f"}, + {file = "importlib_metadata-8.0.0.tar.gz", hash = "sha256:188bd24e4c346d3f0a933f275c2fec67050326a856b9a359881d7c2a697e8812"}, ] [package.dependencies]