Harden CI #385
Harden CI #385
Conversation
bschimke95
force-pushed
the
KU-629/harden-CI
branch
from
129fbe2 to
d68a6e9
Compare
|
I think the integration tests fail because of the limited permissions you give in the GH workflow (the tests pass locally). Try to give more permissions to the |
|
Looks like there is a limitation of the step-security Harden Runner: Harden-Runner is not supported when job is run in a container as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. See here |
|
Another note: the step-security Harden Runner only works for ubuntu. If we have tests on other OS we will run into trouble. |
.github/workflows/scorecard.yaml
Outdated
| - name: Harden Runner | ||
| uses: step-security/harden-runner@v2 | ||
| with: | ||
| egress-policy: audit | ||
| - name: "Checkout code" | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
There was a problem hiding this comment.
We use checkout@v4 (tag pinning) elsewhere, we should do the same here.
There was a problem hiding this comment.
I can do that, just have to silence it too 👍🏼
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@v2 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| @@ -14,6 +20,10 @@ | |||
| - { branch: main } | |||
|
|
|||
| steps: | |||
| - name: Harden Runner | |||
| uses: step-security/harden-runner@v2 | |||
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| @@ -77,6 +90,10 @@ | |||
| # Add branches to test here | |||
|
|
|||
| steps: | |||
| - name: Harden Runner | |||
| uses: step-security/harden-runner@v2 | |||
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| name: Unit Tests & Code Quality | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@v2 | ||
| with: |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| @@ -86,6 +96,10 @@ | |||
| runs-on: ubuntu-latest | |||
|
|
|||
| steps: | |||
| - name: Harden Runner | |||
| uses: step-security/harden-runner@v2 | |||
| with: | |||
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| - name: "Checkout code" | ||
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| uses: actions/[email protected] |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: "Run analysis" | ||
| uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 | ||
| uses: ossf/[email protected] |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 | ||
| uses: actions/upload-artifact@v3 |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 | ||
| uses: github/codeql-action/[email protected] |
Check warning
Code scanning / Scorecard
Pinned-Dependencies
| @@ -28,6 +31,8 @@ | |||
| echo "strict=" >> $GITHUB_OUTPUT | |||
| fi | |||
| update: | |||
| permissions: | |||
| contents: write # for Git to git push | |||
Check failure
Code scanning / Scorecard
Token-Permissions
|
Description
This PR hardens CI by:
Note: I've also verified our chron-jobs work with my adjustemnts in this commit.