From 6d7a3e72a1d59152f2102e59b8308022fc4cbee7 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 23 Jan 2024 18:26:09 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 25 ++++++ .github/workflows/auto-update.yml | 7 +- .github/workflows/cflite_batch.yaml | 5 ++ .github/workflows/cflite_build.yaml | 7 +- .github/workflows/cflite_prune.yaml | 16 +++- .github/workflows/check-coverage.yml | 20 +++-- .github/workflows/check-generated.yml | 12 ++- .github/workflows/check-shell.yml | 12 ++- .github/workflows/check-tests.yml | 12 ++- .github/workflows/codeql-analysis.yml | 16 +++- .github/workflows/commit-lint.yaml | 12 ++- .github/workflows/dependency-review.yml | 27 +++++++ .github/workflows/generate-kubelet-flags.yaml | 9 ++- .github/workflows/golangci-lint-pr.yml | 11 ++- .github/workflows/golangci-lint.yml | 11 ++- .github/workflows/scorecards.yml | 76 +++++++++++++++++++ .github/workflows/validate-components.yml | 12 ++- .github/workflows/validate-image-version.yml | 10 ++- .../validate-windows-binary-signature.yaml | 17 ++++- .github/workflows/validate-windows-ut.yml | 10 ++- .pre-commit-config.yaml | 26 +++++++ 21 files changed, 317 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 65feee4c73c..136beeeb07a 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -15,3 +15,28 @@ updates: time: "01:00" labels: - "cleanup" + + - package-ecosystem: gomod + directory: /e2e + schedule: + interval: daily + + - package-ecosystem: gomod + directory: /hack/tools + schedule: + interval: daily + + - package-ecosystem: pip + directory: /vhdbuilder/packer/test/pam + schedule: + interval: daily + + - package-ecosystem: gomod + directory: /vhdbuilder/prefetch + schedule: + interval: daily + + - package-ecosystem: gomod + directory: /vhdbuilder/release-notes/autonotes + schedule: + interval: daily diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml index 63d8d67365f..9a7227aab7c 100644 --- a/.github/workflows/auto-update.yml +++ b/.github/workflows/auto-update.yml @@ -11,6 +11,11 @@ jobs: name: Auto-update runs-on: ubuntu-latest steps: - - uses: tibdex/auto-update@v2 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: tibdex/auto-update@4081c5bdc34560b58288a010318054e63e6f4a51 # v2.2.1 with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/cflite_batch.yaml b/.github/workflows/cflite_batch.yaml index 0916b22669b..6183c28321e 100644 --- a/.github/workflows/cflite_batch.yaml +++ b/.github/workflows/cflite_batch.yaml @@ -18,6 +18,11 @@ jobs: matrix: sanitizer: [address, undefined] # Override this with the sanitizers you want. steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Build Fuzzers (${{ matrix.sanitizer }}) id: build uses: google/clusterfuzzlite/actions/build_fuzzers@cc641d4b14fedd42be7c34f57580f80eee020e36 diff --git a/.github/workflows/cflite_build.yaml b/.github/workflows/cflite_build.yaml index ced15db7e5e..d8fd8d6e6d0 100644 --- a/.github/workflows/cflite_build.yaml +++ b/.github/workflows/cflite_build.yaml 
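Review bot: The five new `updates` entries cover `gomod` and `pip` only; nothing in this hunk keeps the commit-SHA pins this same patch adds to every workflow current, which needs a `package-ecosystem: github-actions` entry with `directory: /`. The hunk starts at line 15 of the file, so such an entry may already exist above it; if it does not, the SHA pins will silently age because Dependabot only rewrites a pinned `uses:` line (and its trailing `# vX.Y.Z` comment) when that ecosystem is enabled. A constructed entry in the file's style would be `- package-ecosystem: github-actions` / `directory: /` / `schedule:` with `interval: weekly`.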
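Review bot: `egress-policy: audit` on the new Harden Runner step only logs outbound connections and blocks nothing, so this hunk does not yet constrain what `tibdex/auto-update` or its transitive dependencies can reach; the same holds for every Harden Runner step this commit adds (cflite_*, check-*, codeql-analysis, commit-lint, dependency-review, generate-kubelet-flags, golangci-lint*, scorecards, validate-*). Audit mode is a reasonable first step, but the enforcement only arrives with a follow-up that switches to `egress-policy: block` and an `allowed-endpoints:` list derived from the audit output, and that follow-up should be tracked rather than assumed. Separately, this workflow gets no `permissions:` block, unlike the check-*.yml hunks; since `tibdex/auto-update` updates branches with `GITHUB_TOKEN` it presumably needs `contents: write` and `pull-requests: write`, and stating that explicitly would document the scope instead of inheriting whatever the repository default happens to be.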
@@ -16,9 +16,14 @@ jobs: matrix: sanitizer: [address, undefined] # Override this with the sanitizers you want. steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Build Fuzzers (${{ matrix.sanitizer }}) id: build - uses: google/clusterfuzzlite/actions/build_fuzzers@v1 + uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: language: go # Change this to the language you are fuzzing. sanitizer: ${{ matrix.sanitizer }} diff --git a/.github/workflows/cflite_prune.yaml b/.github/workflows/cflite_prune.yaml index 4c20bb068ff..fd4e9228483 100644 --- a/.github/workflows/cflite_prune.yaml +++ b/.github/workflows/cflite_prune.yaml @@ -13,9 +13,14 @@ jobs: Pruning: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Build Fuzzers id: build - uses: google/clusterfuzzlite/actions/build_fuzzers@v1 + uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: language: go # Change this to the language you are fuzzing storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/alexeldeib/agentbaker-corpus.git @@ -23,7 +28,7 @@ jobs: storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages". - name: Run Fuzzers id: run - uses: google/clusterfuzzlite/actions/run_fuzzers@v1 + uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: github-token: ${{ secrets.GITHUB_TOKEN }} fuzz-seconds: 600 
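Review bot: The pin comment on the `google/clusterfuzzlite/actions/build_fuzzers` line reads `# v1`, a floating major tag rather than the release the SHA `884713a6...` corresponds to, so a reviewer cannot check the SHA against a tag and tooling that keeps comment and SHA in sync has nothing precise to match; the same `# v1` comment appears on the three `build_fuzzers`/`run_fuzzers` lines in the cflite_prune.yaml hunks. Replace it with the exact tag that resolves to that commit, for example `# v1.<minor>.<patch>` (value to be looked up), as the other pins in this commit do. In the cflite_prune.yaml hunk the context line `storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/...` shows a PAT is in play in that job, which is a good reason to move that workflow to a `block` egress policy early once the audit data is available.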
@@ -36,9 +41,14 @@ jobs: Coverage: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Build Fuzzers id: build - uses: google/clusterfuzzlite/actions/build_fuzzers@v1 + uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: language: go # Change this to the language you are fuzzing. sanitizer: 'coverage' diff --git a/.github/workflows/check-coverage.yml b/.github/workflows/check-coverage.yml index 7498434b51b..5e1b7d12b0d 100644 --- a/.github/workflows/check-coverage.yml +++ b/.github/workflows/check-coverage.yml @@ -20,22 +20,27 @@ jobs: unit_tests: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Install Go if: success() - uses: actions/setup-go@v3 + uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: 1.20.2 - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run unit tests run: go test `go list ./... | grep -v e2e` -coverprofile coverage_raw.out -covermode count - name: Remove mocks.go lines run: | sed '/mocks.go/d' coverage_raw.out > coverage.out - name: Convert coverage to lcov - uses: jandelgado/gcov2lcov-action@v1 + uses: jandelgado/gcov2lcov-action@c680c0f7c7442485f1749eb2a13e54a686e76eb5 # v1.0.9 - name: Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3 with: parallel: true flag-name: run-1 
@@ -45,8 +50,13 @@ jobs: if: ${{ success() }} runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Coveralls Finished - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3 with: parallel-finished: true carryforward: "run-1" \ No newline at end of file diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml index 51e716015de..8340ba40266 100644 --- a/.github/workflows/check-generated.yml +++ b/.github/workflows/check-generated.yml @@ -1,12 +1,20 @@ name: check-generated on: pull_request +permissions: + contents: read + jobs: check-generated: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '^1.16' - run: | diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index 56141a28a0f..b4dec3e6e94 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml @@ -1,12 +1,20 @@ name: check-shell on: pull_request +permissions: + contents: read + jobs: check-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '^1.16' - run: | 
diff --git a/.github/workflows/check-tests.yml b/.github/workflows/check-tests.yml index 374c0ae8555..3bcad5515c3 100644 --- a/.github/workflows/check-tests.yml +++ b/.github/workflows/check-tests.yml @@ -1,12 +1,20 @@ name: check-tests on: pull_request +permissions: + contents: read + jobs: check-tests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '^1.16' - run: | diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2730e760211..344ab35d1f8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -26,6 +26,9 @@ on: schedule: - cron: '27 3 * * 6' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -43,12 +46,17 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
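Review bot: The new top-level `permissions: contents: read` in the first codeql-analysis.yml hunk caps every job's token at read-only, and the `Perform CodeQL Analysis` step in the last hunk of this file uploads SARIF, which needs `security-events: write`. If the `analyze` job carries its own `permissions:` block (in the GitHub template it sits roughly between lines 32 and 43, outside both hunks) the job-level grant overrides the top-level one and nothing changes; if it is absent, the upload will presumably fail with a 403 on the next scheduled run. This is worth confirming before merge; the job-level block would need at least `security-events: write` alongside `contents: read` and `actions: read`.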
@@ -62,7 +70,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -75,4 +83,4 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1 diff --git a/.github/workflows/commit-lint.yaml b/.github/workflows/commit-lint.yaml index 7d0a3ada967..7aec715ebb1 100644 --- a/.github/workflows/commit-lint.yaml +++ b/.github/workflows/commit-lint.yaml @@ -6,14 +6,22 @@ on: - master - 'official/*' +permissions: + contents: read + jobs: commit-message-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: 18 - name: Install commitlint diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000000..fd27e55b6e2 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/generate-kubelet-flags.yaml b/.github/workflows/generate-kubelet-flags.yaml index 2f3c221da00..2dac8b1ba09 100644 --- a/.github/workflows/generate-kubelet-flags.yaml +++ b/.github/workflows/generate-kubelet-flags.yaml @@ -6,9 +6,14 @@ jobs: generate-kubelet-flags: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Set up containerd - uses: crazy-max/ghaction-setup-containerd@v2 - - uses: actions/checkout@v4 + uses: crazy-max/ghaction-setup-containerd@38de4052f2b7ab6094213e121851df6dbdfc6e56 # v2.2.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up branch for kubelet flag changes run: | TIMESTAMP=$(date -d "${{ github.event.head_commit.timestamp }}" +'%Y-%m-%d-%H-%M-%S') diff --git a/.github/workflows/golangci-lint-pr.yml b/.github/workflows/golangci-lint-pr.yml index 3822b8c60b2..00dbb42ca69 100644 
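Review bot: The `Checkout Repository` step pins `actions/checkout` to `f43a0e5f... # v3.6.0` while every other file in this commit pins the same action to `b4ffde65... # v4.1.1`; the same v3.6.0 pin recurs in the new scorecards.yml. Two revisions of one action doubles the work when a pin has to be audited and will yield two separate Dependabot PRs, so use the revision already in use, `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. `actions/dependency-review-action` at `# v2.5.1` is, as far as I know, well behind the current major as well, so that pin is worth refreshing in the same pass. The header comment is useful; a one-line note that the job blocks merges only once the check is marked required in branch protection would make the intended rollout explicit.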
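Review bot: This workflow gains a Harden Runner step but, unlike the check-*.yml and validate-*.yml hunks, no `permissions:` block, and the context line `Set up branch for kubelet flag changes` shows the job creates a branch, i.e. it needs write scope. Leaving this job on the repository's default token permissions is the one place in this commit where least privilege matters most, because the token here can push; an explicit top-level `permissions:` with `contents: write` (plus `pull-requests: write` if the later steps open a PR; the rest of the job is outside the hunk) would make the scope visible and reviewable. The `run:` step also interpolates `${{ github.event.head_commit.timestamp }}` straight into shell; the value is presumably a normalized timestamp so the practical risk is low, but routing it through an `env:` variable is the conventional form and cheap to do while the file is being touched.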
--- a/.github/workflows/golangci-lint-pr.yml +++ b/.github/workflows/golangci-lint-pr.yml @@ -15,12 +15,17 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.19' - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version version: v1.51.2 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 11db84d636a..7967a0f33bd 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -15,12 +15,17 @@ jobs: name: lint runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.19' - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version version: v1.51.2 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 00000000000..edc0ece01e3 --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,76 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1 + with: + sarif_file: results.sarif diff --git a/.github/workflows/validate-components.yml b/.github/workflows/validate-components.yml index 3113b56193b..f7b40f26828 100644 --- a/.github/workflows/validate-components.yml +++ b/.github/workflows/validate-components.yml @@ -5,13 +5,21 @@ on: - master workflow_dispatch: {} +permissions: + contents: read + jobs: build-and-deploy: runs-on: ubuntu-latest environment: test steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: go-version: '1.21.4' - name: 'install cue' diff --git a/.github/workflows/validate-image-version.yml b/.github/workflows/validate-image-version.yml index 1b7459b74c5..e7f80c357c9 100644 --- a/.github/workflows/validate-image-version.yml 
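Review bot: `ossf/scorecard-action` is pinned at `99c53751... # v2.0.6`, which is, as far as I recall, noticeably older than the releases available when this commit was authored, and the `Checkout code` step pins `actions/checkout` at `# v3.6.0` while the rest of the commit uses the v4.1.1 SHA; a newly created file should start from current pins rather than inherit stale ones. Both lines should be refreshed to the latest release SHA before merge, for example `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. The `persist-credentials: false` on checkout and the job-scoped `id-token: write` are correct for `publish_results: true`; a short comment stating that `id-token: write` exists only for OIDC publishing and nothing else in the job would keep a later maintainer from widening it.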
+++ b/.github/workflows/validate-image-version.yml @@ -1,11 +1,19 @@ name: validate-image-version on: pull_request +permissions: + contents: read + jobs: validate-image-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: | make validate-image-version name: Verify image versions to be pulled diff --git a/.github/workflows/validate-windows-binary-signature.yaml b/.github/workflows/validate-windows-binary-signature.yaml index 0449e26baa3..8bb01eaa746 100644 --- a/.github/workflows/validate-windows-binary-signature.yaml +++ b/.github/workflows/validate-windows-binary-signature.yaml @@ -6,13 +6,21 @@ on: - 'vhdbuilder/packer/test/windows-files-check.ps1' - 'vhdbuilder/packer/generate-windows-vhd-configuration.ps1' +permissions: + contents: read + jobs: check-files-for-ws2019: name: Check Windows Files and Images runs-on: windows-2019 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Geneate windows vhd configuration shell: powershell run: | @@ -25,8 +33,13 @@ jobs: name: Check Windows Files and Images runs-on: windows-2022 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Geneate windows vhd configuration shell: powershell run: | 
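Review bot: The Harden Runner steps added to the `windows-2019` and `windows-2022` jobs in validate-windows-binary-signature.yaml (both hunks), and to the `windows-latest` job in validate-windows-ut.yml, target a runner the action does not support: harden-runner is documented for Ubuntu-based runners, and on other platforms the step, as far as I recall, either no-ops or fails without installing the agent, so no egress auditing happens there either way. Either drop the step from the Windows jobs or gate it with `if: runner.os == 'Linux'` so its presence does not suggest coverage that is not there. If the step turns out to hard-fail on Windows, these three jobs will break on the next pull request.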
diff --git a/.github/workflows/validate-windows-ut.yml b/.github/workflows/validate-windows-ut.yml index 57008a23f21..cc28efd216c 100644 --- a/.github/workflows/validate-windows-ut.yml +++ b/.github/workflows/validate-windows-ut.yml @@ -1,13 +1,21 @@ name: Windows Powershell Unit Test on: pull_request +permissions: + contents: read + jobs: pester-test: name: Pester test runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Perform a Pester test from the parts/windows/*.tests.ps1 file shell: powershell run: | diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000000..e14e2a5d4b7 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,26 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint
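Review bot: Every `rev:` in the new .pre-commit-config.yaml is a mutable tag (`v8.16.3`, `v1.52.2`, `3.0.0`, ...), which is the same trust model this commit removes from the workflows by replacing `@v4` with commit SHAs; pre-commit accepts a full commit SHA in `rev:`, so the hooks can be pinned the same way, `rev: <full-sha>  # v8.16.3`. The `eslint` and `pylint` hooks presume JavaScript and Python sources with the matching linter configuration; the pip entry added in dependabot.yml suggests some Python exists, but whether an ESLint config does is not visible here, and an unconfigured hook fails every commit that touches a matching file. The jumanjihouse `shellcheck` hook, as far as I recall, only wraps a locally installed `shellcheck` binary, which the contributor docs should mention.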