From 37a961870f02bebaf4dd917a6aa3d1abedac795e Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Mon, 29 Apr 2024 14:24:59 +0200 Subject: [PATCH 01/18] gh token permissions --- .github/workflows/cla.yaml | 5 +++++ .github/workflows/cron-jobs.yaml | 6 ++++++ .github/workflows/go.yaml | 6 ++++++ .github/workflows/integration.yaml | 6 ++++++ .github/workflows/nightly-test.yaml | 3 +++ .github/workflows/python.yaml | 3 +++ .github/workflows/sbom.yaml | 3 +++ .github/workflows/strict-integration.yaml | 3 +++ .github/workflows/strict.yaml | 5 ++++- 9 files changed, 39 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 32e75485b..cce7fa7d3 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -6,8 +6,13 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: cla-check: + permissions: + pull-requests: write # for canonical/has-signed-canonical-cla to create & update comments runs-on: ubuntu-latest steps: - name: Check if CLA signed diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index dd7aeb442..f88ac4336 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 10 * * *' +permissions: + contents: read + jobs: TICS: runs-on: ubuntu-latest @@ -67,6 +70,9 @@ jobs: path: tics-logs.tar.gz Trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index fda4bd682..41a9e2732 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml 
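Review bot: The job-level `permissions:` block added to `cla-check` replaces the workflow-level one rather than extending it, so this job's token ends up with `pull-requests: write` and `contents: none`; the other job-level blocks in this commit (`Trivy`, `security-scan`, `test`) spell out `contents: read` explicitly and this one does not. If `canonical/has-signed-canonical-cla@v1` needs to read the repository (cannot be told from the hunk), add `contents: read # for the CLA action to read the repository` above `pull-requests: write`; otherwise a one-line comment such as `# job-level permissions replace the workflow defaults; contents is intentionally none` saves the next reader the same question. The same replace-not-merge semantics apply to the `update` job in strict.yaml, where `contents: write` alone is what the `git push` needs.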
@@ -10,8 +10,14 @@ on: pull_request: +permissions: + contents: read + jobs: test: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment name: Unit Tests & Code Quality runs-on: ubuntu-latest diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 7e7264b06..75c9c8593 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9].[0-9]+' +permissions: + contents: read + jobs: build: name: Build @@ -74,6 +77,9 @@ jobs: cd tests/integration && sg lxd -c 'tox -e integration' security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Security scan runs-on: ubuntu-20.04 needs: build diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index f41dc8906..04184b4d9 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 0 * * *' # Runs every midnight +permissions: + contents: read + jobs: test-integration: name: Integration Test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.releases }} diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml index 22329a7c3..d6a756c4b 100644 --- a/.github/workflows/python.yaml +++ b/.github/workflows/python.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: lint: name: Lint diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 316f55b32..00d9e3481 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: build: name: Build 
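Review bot: `pull-requests: write` on the `test` job is granted for `marocchino/sticky-pull-request-comment`, but the workflow also runs on `pull_request` (context line at the top of the hunk), and for pull requests opened from forks GitHub issues a read-only `GITHUB_TOKEN` regardless of this block, so the comment step would fail on fork PRs. This is inferred rather than visible here, since the comment step itself lies outside the hunk: either guard that step with `if: github.event.pull_request.head.repo.full_name == github.repository` or mark it `continue-on-error: true`, and record the reason next to the permission, e.g. `pull-requests: write # PR comment; read-only token on fork PRs, so the step is skipped there`.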
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 5985ab93d..90966a7b8 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -10,6 +10,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: prepare: name: Prepare diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml index bbce357c2..144e202e1 100644 --- a/.github/workflows/strict.yaml +++ b/.github/workflows/strict.yaml @@ -5,7 +5,8 @@ on: branches: - main - 'release-[0-9]+.[0-9]+' - +permissions: + contents: read jobs: prepare: name: Prepare @@ -28,6 +29,8 @@ jobs: echo "strict=" >> $GITHUB_OUTPUT fi update: + permissions: + contents: write # for Git to git push runs-on: ubuntu-20.04 needs: [ prepare ] if: ${{ needs.prepare.outputs.strict }} From f37eb16e87cfc2231dcae895789fd42b03706eff Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Mon, 29 Apr 2024 15:41:03 +0200 Subject: [PATCH 02/18] add security agent to runner --- .github/workflows/cla.yaml | 4 ++++ .github/workflows/cron-jobs.yaml | 8 ++++++++ .github/workflows/go.yaml | 8 ++++++++ .github/workflows/integration.yaml | 12 ++++++++++++ .github/workflows/nightly-test.yaml | 4 ++++ .github/workflows/python.yaml | 4 ++++ .github/workflows/sbom.yaml | 4 ++++ .github/workflows/scorecard.yaml | 4 ++++ .github/workflows/strict-integration.yaml | 12 ++++++++++++ 9 files changed, 60 insertions(+) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index cce7fa7d3..a3c4515de 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -15,5 +15,9 @@ jobs: pull-requests: write # for canonical/has-signed-canonical-cla to create & update comments runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check if CLA signed uses: canonical/has-signed-canonical-cla@v1 
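Review bot: `uses: step-security/harden-runner@v2` references a mutable tag, while the scorecard.yaml hunk in this same commit shows the repository's stricter convention, `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; an action that installs an agent on the runner and observes all of its egress is the one most worth pinning to a commit SHA. Apply `uses: step-security/harden-runner@<full-commit-sha> # v2.x.y` (placeholder; resolve the SHA from the release) here and in the identical hunks for cron-jobs, go, integration, nightly-test, python, sbom, scorecard and strict-integration; the `actions/checkout@v4` context lines beside them would benefit from the same treatment. It is also worth stating in the file that `egress-policy: audit` only records outbound connections and enforces nothing, e.g. `egress-policy: audit # log-only baseline; move to block + allowed-endpoints once the egress profile is known`.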
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index f88ac4336..af23a5e1e 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -17,6 +17,10 @@ jobs: - { branch: main } steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: @@ -83,6 +87,10 @@ jobs: # Add branches to test here steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index 41a9e2732..65a76e064 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -22,6 +22,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 @@ -93,6 +97,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 75c9c8593..d2bcad592 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd @@ -50,6 +54,10 @@ jobs: needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python 
@@ -84,6 +92,10 @@ jobs: runs-on: ubuntu-20.04 needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Fetch snap diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index 04184b4d9..b21deb4cc 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -20,6 +20,10 @@ jobs: runs-on: ${{ matrix.arch == 'arm64' && 'Ubuntu_ARM64_4C_16G_01' || 'ubuntu-20.04' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml index d6a756c4b..77c6d403f 100644 --- a/.github/workflows/python.yaml +++ b/.github/workflows/python.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 00d9e3481..b0a010019 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index f3a8eb6d7..53fcd83f4 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -31,6 +31,10 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
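Review bot: The nightly-test hunk inserts Harden Runner into a job whose `runs-on` expression selects the self-hosted label `Ubuntu_ARM64_4C_16G_01` for `arm64`; harden-runner documents self-hosted runners as a separate mode with its own requirements, so on that runner the step may fail or silently install nothing. This cannot be verified from the hunk, so either confirm the agent works on that runner or gate the step with `if: matrix.arch != 'arm64'` and say why in a comment, e.g. `# Harden Runner: GitHub-hosted legs only; the arm64 leg runs on a self-hosted runner`. Like the other hunks in this commit, the `step-security/harden-runner@v2` reference should be pinned to a commit SHA.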
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 90966a7b8..3fbde9e8a 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -20,6 +20,10 @@ jobs: outputs: strict: ${{ steps.determine.outputs.strict }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Determine Strict branch id: determine env: @@ -40,6 +44,10 @@ jobs: needs: [ prepare ] if: ${{ needs.prepare.outputs.strict }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd @@ -75,6 +83,10 @@ jobs: os: ["ubuntu:20.04"] runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python From 178a4b24c38860ce183c97022d94561c8f2871d7 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Mon, 29 Apr 2024 15:43:49 +0200 Subject: [PATCH 03/18] fmt --- .github/workflows/strict.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml index 144e202e1..207ab63cd 100644 --- a/.github/workflows/strict.yaml +++ b/.github/workflows/strict.yaml @@ -5,8 +5,10 @@ on: branches: - main - 'release-[0-9]+.[0-9]+' + permissions: contents: read + jobs: prepare: name: Prepare From 8f6472f952c90709e82e855d299f4dff7ae45eef Mon Sep 17 00:00:00 2001 
From: louiseschmidtgen Date: Mon, 29 Apr 2024 14:24:59 +0200 Subject: [PATCH 04/18] gh token permissions --- .github/workflows/cla.yaml | 5 +++++ .github/workflows/cron-jobs.yaml | 6 ++++++ .github/workflows/go.yaml | 6 ++++++ .github/workflows/integration.yaml | 6 ++++++ .github/workflows/nightly-test.yaml | 3 +++ .github/workflows/python.yaml | 3 +++ .github/workflows/sbom.yaml | 3 +++ .github/workflows/strict-integration.yaml | 3 +++ .github/workflows/strict.yaml | 5 ++++- 9 files changed, 39 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 32e75485b..cce7fa7d3 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -6,8 +6,13 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: cla-check: + permissions: + pull-requests: write # for canonical/has-signed-canonical-cla to create & update comments runs-on: ubuntu-latest steps: - name: Check if CLA signed diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index dd7aeb442..f88ac4336 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 10 * * *' +permissions: + contents: read + jobs: TICS: runs-on: ubuntu-latest @@ -67,6 +70,9 @@ jobs: path: tics-logs.tar.gz Trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index fda4bd682..41a9e2732 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml 
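Review bot: PATCH 04/18 repeats PATCH 01/18 verbatim — same subject, same diffstat, and the same `index` pre-images (`32e75485b..cce7fa7d3` for cla.yaml, `dd7aeb442..f88ac4336` for cron-jobs.yaml, and so on) — and PATCH 05 and 06 repeat PATCH 02 and 03 in the same way. Applied in order after 01–03 these hunks no longer match their context, so the series would most likely stop at 04 or need the three commits skipped; this looks like a rebase artifact. Dropping 04–06, or squashing the series, keeps the history linear and spares reviewers re-reading the same diff.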
@@ -10,8 +10,14 @@ on: pull_request: +permissions: + contents: read + jobs: test: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment name: Unit Tests & Code Quality runs-on: ubuntu-latest diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 7e7264b06..75c9c8593 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9].[0-9]+' +permissions: + contents: read + jobs: build: name: Build @@ -74,6 +77,9 @@ jobs: cd tests/integration && sg lxd -c 'tox -e integration' security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Security scan runs-on: ubuntu-20.04 needs: build diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index f41dc8906..04184b4d9 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 0 * * *' # Runs every midnight +permissions: + contents: read + jobs: test-integration: name: Integration Test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.releases }} diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml index 22329a7c3..d6a756c4b 100644 --- a/.github/workflows/python.yaml +++ b/.github/workflows/python.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: lint: name: Lint diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 316f55b32..00d9e3481 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -12,6 +12,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: build: name: Build 
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 5985ab93d..90966a7b8 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -10,6 +10,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: prepare: name: Prepare diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml index bbce357c2..144e202e1 100644 --- a/.github/workflows/strict.yaml +++ b/.github/workflows/strict.yaml @@ -5,7 +5,8 @@ on: branches: - main - 'release-[0-9]+.[0-9]+' - +permissions: + contents: read jobs: prepare: name: Prepare @@ -28,6 +29,8 @@ jobs: echo "strict=" >> $GITHUB_OUTPUT fi update: + permissions: + contents: write # for Git to git push runs-on: ubuntu-20.04 needs: [ prepare ] if: ${{ needs.prepare.outputs.strict }} From cb4a9c59d4c0dfd075c7b4565d6de103c9f52a49 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Mon, 29 Apr 2024 15:41:03 +0200 Subject: [PATCH 05/18] add security agent to runner --- .github/workflows/cla.yaml | 4 ++++ .github/workflows/cron-jobs.yaml | 8 ++++++++ .github/workflows/go.yaml | 8 ++++++++ .github/workflows/integration.yaml | 12 ++++++++++++ .github/workflows/nightly-test.yaml | 4 ++++ .github/workflows/python.yaml | 4 ++++ .github/workflows/sbom.yaml | 4 ++++ .github/workflows/scorecard.yaml | 4 ++++ .github/workflows/strict-integration.yaml | 12 ++++++++++++ 9 files changed, 60 insertions(+) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index cce7fa7d3..a3c4515de 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -15,5 +15,9 @@ jobs: pull-requests: write # for canonical/has-signed-canonical-cla to create & update comments runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check if CLA signed uses: canonical/has-signed-canonical-cla@v1 
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index f88ac4336..af23a5e1e 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -17,6 +17,10 @@ jobs: - { branch: main } steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: @@ -83,6 +87,10 @@ jobs: # Add branches to test here steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index 41a9e2732..65a76e064 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -22,6 +22,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 @@ -93,6 +97,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 75c9c8593..d2bcad592 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd @@ -50,6 +54,10 @@ jobs: needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python 
@@ -84,6 +92,10 @@ jobs: runs-on: ubuntu-20.04 needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Fetch snap diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index 04184b4d9..b21deb4cc 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -20,6 +20,10 @@ jobs: runs-on: ${{ matrix.arch == 'arm64' && 'Ubuntu_ARM64_4C_16G_01' || 'ubuntu-20.04' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml index d6a756c4b..77c6d403f 100644 --- a/.github/workflows/python.yaml +++ b/.github/workflows/python.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 00d9e3481..b0a010019 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml @@ -21,6 +21,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index f3a8eb6d7..53fcd83f4 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -31,6 +31,10 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 90966a7b8..3fbde9e8a 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -20,6 +20,10 @@ jobs: outputs: strict: ${{ steps.determine.outputs.strict }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Determine Strict branch id: determine env: @@ -40,6 +44,10 @@ jobs: needs: [ prepare ] if: ${{ needs.prepare.outputs.strict }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd @@ -75,6 +83,10 @@ jobs: os: ["ubuntu:20.04"] runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python From d68a6e9558f4823b92bb79bbae522a2cdf730fd6 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Mon, 29 Apr 2024 15:43:49 +0200 Subject: [PATCH 06/18] fmt --- .github/workflows/strict.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml index 144e202e1..207ab63cd 100644 --- a/.github/workflows/strict.yaml +++ b/.github/workflows/strict.yaml @@ -5,8 +5,10 @@ on: branches: - main - 'release-[0-9]+.[0-9]+' + permissions: contents: read + jobs: prepare: name: Prepare From 207b6c0e212612784b94b36d2003de642be1a1e5 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Wed, 15 May 2024 16:40:52 +0200 Subject: [PATCH 07/18] rm permissions --- .github/workflows/integration.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index d2bcad592..918c5ce74 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml 
@@ -12,9 +12,6 @@ on: - main - 'release-[0-9].[0-9]+' -permissions: - contents: read - jobs: build: name: Build From 5cbccce6f3bccb90872e69d87953a3a5a68c6e5a Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Wed, 15 May 2024 16:50:33 +0200 Subject: [PATCH 08/18] rm permission restriction strict --- .github/workflows/strict-integration.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 3fbde9e8a..d90c96355 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -10,9 +10,6 @@ on: - main - 'release-[0-9]+.[0-9]+' -permissions: - contents: read - jobs: prepare: name: Prepare From 46b58d0f402348e837612315a993b1cfa334facf Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 14:29:38 +0200 Subject: [PATCH 09/18] rm harden runner from integration tests --- .github/workflows/integration.yaml | 8 ++++---- .github/workflows/strict-integration.yaml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index a1b65ea0e..52a26eb4f 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -48,10 +48,10 @@ jobs: needs: build steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # - name: Harden Runner + # uses: step-security/harden-runner@v2 + # with: + # egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index bfbb0ca94..616c18980 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml 
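Review bot: The integration.yaml hunk comments out the Harden Runner step instead of removing it, leaving four lines of dead YAML in the `steps` list with no explanation, and the strict-integration.yaml hunk on the next line does the same. The commit subject says "rm harden runner", which suggests the step broke this job (inferred); that reason is what the file should keep, not the disabled step, so replace the four commented lines with a single comment such as `# Harden Runner intentionally omitted here: <reason placeholder>` so a later maintainer does not simply re-enable it. As it stands the job that checks out and runs the integration tests now has no egress audit at all, which is worth saying explicitly.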
@@ -12,10 +12,10 @@ jobs: name: Build runs-on: ubuntu-20.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + # - name: Harden Runner + # uses: step-security/harden-runner@v2 + # with: + # egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd From 3600782bfe8e2744ed9ca51217cda609dd61dec9 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 15:27:20 +0200 Subject: [PATCH 10/18] lets try with these allowed endpoints --- .github/workflows/strict-integration.yaml | 38 ++++++++++++++++++++--- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 616c18980..1b43dd5a8 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml 
@@ -12,10 +12,40 @@ jobs: name: Build runs-on: ubuntu-20.04 steps: - # - name: Harden Runner - # uses: step-security/harden-runner@v2 - # with: - # egress-policy: audit + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: block + allowed-endpoints: > + auth.docker.io:443 + canonical-bos01.cdn.snapcraftcontent.com:443 + canonical-lgw01.cdn.snapcraftcontent.com:443 + cdn03.quay.io:443 + cilium.io:443 + cloud-images.ubuntu.com:443 + cloud-images.ubuntu.com:80 + files.pythonhosted.org:443 + ghcr.io:443 + github.com:443 + images.linuxcontainers.org:443 + k8s.gcr.io:443 + objects.githubusercontent.com:443 + one.one.one.one:443 + one.one.one.one:80 + pkg-containers.githubusercontent.com:443 + prod-registry-k8s-io-us-east-1.s3.dualstack.us-east-1.amazonaws.com:443 + prod-registry-k8s-io-us-east-2.s3.dualstack.us-east-2.amazonaws.com:443 + prod-registry-k8s-io-us-west-1.s3.dualstack.us-west-1.amazonaws.com:443 + production.cloudflare.docker.com:443 + pypi.org:443 + quay.io:443 + raw.githubusercontent.com:443 + registry-1.docker.io:443 + registry.k8s.io:443 + storage.googleapis.com:443 + us-central1-docker.pkg.dev:443 + us-east4-docker.pkg.dev:443 + us-west2-docker.pkg.dev:443 - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd From f6d955ffb121ffd1ea4ff265787f2cc3099d85e9 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 15:29:02 +0200 Subject: [PATCH 11/18] move code --- .github/workflows/strict-integration.yaml | 65 ++++++++++++----------- 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 1b43dd5a8..3023d4d74 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml 
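Review bot: The `allowed-endpoints` list contains two plaintext entries, `cloud-images.ubuntu.com:80` and `one.one.one.one:80`; if they exist only for HTTP-to-HTTPS redirects, say so in a comment, because anything actually fetched over them relies on out-of-band integrity checks (package or image signatures) that the allow-list cannot provide. `k8s.gcr.io:443` appears to be the legacy image registry superseded by `registry.k8s.io:443`, which is also listed, so confirm it is still needed rather than carrying it forward. The list has no provenance: a comment such as `# derived from harden-runner audit output of <workflow run placeholder>; regenerate from the audit report when a new endpoint is needed` above `allowed-endpoints: >` makes the next block-mode failure diagnosable. The folded scalar `>` keeps a trailing newline; `>-` is the tidier form for a space-separated list.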
@@ -15,37 +15,8 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@v2 with: - egress-policy: block - allowed-endpoints: > - auth.docker.io:443 - canonical-bos01.cdn.snapcraftcontent.com:443 - canonical-lgw01.cdn.snapcraftcontent.com:443 - cdn03.quay.io:443 - cilium.io:443 - cloud-images.ubuntu.com:443 - cloud-images.ubuntu.com:80 - files.pythonhosted.org:443 - ghcr.io:443 - github.com:443 - images.linuxcontainers.org:443 - k8s.gcr.io:443 - objects.githubusercontent.com:443 - one.one.one.one:443 - one.one.one.one:80 - pkg-containers.githubusercontent.com:443 - prod-registry-k8s-io-us-east-1.s3.dualstack.us-east-1.amazonaws.com:443 - prod-registry-k8s-io-us-east-2.s3.dualstack.us-east-2.amazonaws.com:443 - prod-registry-k8s-io-us-west-1.s3.dualstack.us-west-1.amazonaws.com:443 - production.cloudflare.docker.com:443 - pypi.org:443 - quay.io:443 - raw.githubusercontent.com:443 - registry-1.docker.io:443 - registry.k8s.io:443 - storage.googleapis.com:443 - us-central1-docker.pkg.dev:443 - us-east4-docker.pkg.dev:443 - us-west2-docker.pkg.dev:443 + egress-policy: audit + - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd 
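Review bot: Reverting the `Build` job to `egress-policy: audit` also inserts an empty line between that step and `- name: Checking out repo`, which no other `steps` list in these workflows has; drop the blank line to keep the sequence compact. Since this job goes back to audit while the next hunk moves the block list onto the test job, a one-line comment explaining the split would help, e.g. `egress-policy: audit # block mode not enabled for Build because <reason placeholder>`.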
@@ -82,7 +53,37 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@v2 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + auth.docker.io:443 + canonical-bos01.cdn.snapcraftcontent.com:443 + canonical-lgw01.cdn.snapcraftcontent.com:443 + cdn03.quay.io:443 + cilium.io:443 + cloud-images.ubuntu.com:443 + cloud-images.ubuntu.com:80 + files.pythonhosted.org:443 + ghcr.io:443 + github.com:443 + images.linuxcontainers.org:443 + k8s.gcr.io:443 + objects.githubusercontent.com:443 + one.one.one.one:443 + one.one.one.one:80 + pkg-containers.githubusercontent.com:443 + prod-registry-k8s-io-us-east-1.s3.dualstack.us-east-1.amazonaws.com:443 + prod-registry-k8s-io-us-east-2.s3.dualstack.us-east-2.amazonaws.com:443 + prod-registry-k8s-io-us-west-1.s3.dualstack.us-west-1.amazonaws.com:443 + production.cloudflare.docker.com:443 + pypi.org:443 + quay.io:443 + raw.githubusercontent.com:443 + registry-1.docker.io:443 + registry.k8s.io:443 + storage.googleapis.com:443 + us-central1-docker.pkg.dev:443 + us-east4-docker.pkg.dev:443 + us-west2-docker.pkg.dev:443 - name: Check out code uses: actions/checkout@v4 - name: Setup Python From 8da122db1929949de455f72cdd00030eb51f2091 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 15:48:00 +0200 Subject: [PATCH 12/18] rm harden runner for integration tests --- .github/workflows/integration.yaml | 4 ---- .github/workflows/nightly-test.yaml | 4 ---- .github/workflows/strict-integration.yaml | 5 ----- 3 files changed, 13 deletions(-) diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 52a26eb4f..88e167d65 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -48,10 +48,6 @@ jobs: needs: build steps: - # - name: Harden Runner - # uses: step-security/harden-runner@v2 - # with: - # egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python 
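Review bot: The block list moved onto the test job contains three region-specific backends, `prod-registry-k8s-io-us-east-1…`, `…us-east-2…` and `…us-west-1…`, which look like the S3 mirrors that `registry.k8s.io` redirects clients to by location; a runner served from another region or backend would be redirected to a host absent from the list and the image pull would be blocked. This is inferred from the hostnames rather than visible in the hunk, so it is worth confirming against harden-runner's audit output from more than one run before relying on block mode here, and recording the assumption, e.g. `# registry.k8s.io redirects to region-specific mirrors; extend this list if a new prod-registry-k8s-io-* host shows up in the audit log`. The enclosing job's `runs-on` and matrix start outside the hunk.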
diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index b21deb4cc..04184b4d9 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -20,10 +20,6 @@ jobs: runs-on: ${{ matrix.arch == 'arm64' && 'Ubuntu_ARM64_4C_16G_01' || 'ubuntu-20.04' }} steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index 3023d4d74..c0d978478 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml @@ -12,11 +12,6 @@ jobs: name: Build runs-on: ubuntu-20.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd From 9d5b21a5fc27b41af2e62bdc95bc3482e5cc312c Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 15:59:43 +0200 Subject: [PATCH 13/18] test more runs --- .github/workflows/cron-jobs.yaml | 5 +++-- .github/workflows/integration.yaml | 3 +++ .github/workflows/nightly-test.yaml | 1 + 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index af23a5e1e..cb7396182 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -3,6 +3,7 @@ name: Security and quality nightly scan on: schedule: - cron: '0 10 * * *' + pull_request: #TODO: rm after testing permissions: contents: read 
@@ -75,8 +76,8 @@ jobs: Trivy: permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 88e167d65..87d745094 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -9,6 +9,9 @@ on: - 'autoupdate/release-[0-9]+.[0-9]+-strict' pull_request: +permissions: + contents: read + jobs: build: name: Build diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index 04184b4d9..1eb564d4c 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -3,6 +3,7 @@ name: Nightly Latest/Edge Tests on: schedule: - cron: '0 0 * * *' # Runs every midnight + pull_request: #TODO: rm after testing permissions: contents: read From 601d26aa33106d579f84a6e3c9fdced637fdf214 Mon Sep 17 00:00:00 2001 From: louiseschmidtgen Date: Thu, 16 May 2024 16:03:01 +0200 Subject: [PATCH 14/18] rm harden runner from strict integration --- .github/workflows/strict-integration.yaml | 34 ----------------------- 1 file changed, 34 deletions(-) diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml index c0d978478..54e349015 100644 --- a/.github/workflows/strict-integration.yaml +++ b/.github/workflows/strict-integration.yaml 
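Review bot: The integration.yaml hunk restores the workflow-level `permissions: contents: read` that PATCH 07 removed, but strict-integration.yaml, whose identical block PATCH 08 removed, is not restored anywhere in this series, so that workflow now runs with the repository's default `GITHUB_TOKEN` scopes instead of a read-only token. Unless there is a reason for the difference (none is stated in either commit), add the same `permissions:` / `contents: read` pair below its `on:` block, and where a job needs more, grant it at job level as the `update` job in strict.yaml does.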
@@ -45,40 +45,6 @@ jobs:
os: ["ubuntu:20.04"]
runs-on: ubuntu-20.04
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@v2
- with:
- egress-policy: block
- allowed-endpoints: >
- auth.docker.io:443
- canonical-bos01.cdn.snapcraftcontent.com:443
- canonical-lgw01.cdn.snapcraftcontent.com:443
- cdn03.quay.io:443
- cilium.io:443
- cloud-images.ubuntu.com:443
- cloud-images.ubuntu.com:80
- files.pythonhosted.org:443
- ghcr.io:443
- github.com:443
- images.linuxcontainers.org:443
- k8s.gcr.io:443
- objects.githubusercontent.com:443
- one.one.one.one:443
- one.one.one.one:80
- pkg-containers.githubusercontent.com:443
- prod-registry-k8s-io-us-east-1.s3.dualstack.us-east-1.amazonaws.com:443
- prod-registry-k8s-io-us-east-2.s3.dualstack.us-east-2.amazonaws.com:443
- prod-registry-k8s-io-us-west-1.s3.dualstack.us-west-1.amazonaws.com:443
- production.cloudflare.docker.com:443
- pypi.org:443
- quay.io:443
- raw.githubusercontent.com:443
- registry-1.docker.io:443
- registry.k8s.io:443
- storage.googleapis.com:443
- us-central1-docker.pkg.dev:443
- us-east4-docker.pkg.dev:443
- us-west2-docker.pkg.dev:443
- name: Check out code
uses: actions/checkout@v4
- name: Setup Python
From e4e88cf60f35c0a257217d0db02bb513f12df14e Mon Sep 17 00:00:00 2001
From: louiseschmidtgen
Date: Thu, 16 May 2024 16:48:35 +0200
Subject: [PATCH 15/18] add write to ticks test
---
.github/workflows/cron-jobs.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
index cb7396182..8a87dcd33 100644
--- a/.github/workflows/cron-jobs.yaml
+++ b/.github/workflows/cron-jobs.yaml
@@ -10,6 +10,9 @@ permissions:
jobs:
TICS:
+ permissions:
+ contents: read
+ security-events: write
runs-on: ubuntu-latest
strategy:
matrix:
From 338cb897640d7669d813dc3129f4c6bab1853240 Mon Sep 17 00:00:00 2001
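Review bot: The `security-events: write` grant added to the TICS job in cron-jobs.yaml carries no rationale, whereas the Trivy job in the same file annotates each permission with the step that needs it. If TICS uploads SARIF through github/codeql-action/upload-sarif, say so inline — `security-events: write # for github/codeql-action/upload-sarif to upload SARIF results` — and otherwise drop the grant, since it widens the job token beyond the file's top-level `contents: read` with no visible consumer. The TICS job's steps are outside the hunk, so which step needs the write scope cannot be confirmed here.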
From: louiseschmidtgen
Date: Sat, 18 May 2024 15:07:12 +0200
Subject: [PATCH 16/18] rm run workflow on PR for testing
---
.github/workflows/cron-jobs.yaml | 1 -
.github/workflows/nightly-test.yaml | 1 -
2 files changed, 2 deletions(-)
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
index 8a87dcd33..7ad2d79d8 100644
--- a/.github/workflows/cron-jobs.yaml
+++ b/.github/workflows/cron-jobs.yaml
@@ -3,7 +3,6 @@ name: Security and quality nightly scan
on:
schedule:
- cron: '0 10 * * *'
- pull_request: #TODO: rm after testing
permissions:
contents: read
diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml
index 1eb564d4c..04184b4d9 100644
--- a/.github/workflows/nightly-test.yaml
+++ b/.github/workflows/nightly-test.yaml
@@ -3,7 +3,6 @@ name: Nightly Latest/Edge Tests
on:
schedule:
- cron: '0 0 * * *' # Runs every midnight
- pull_request: #TODO: rm after testing
permissions:
contents: read
From 14af82e45e88133c79fd7e509ecf766fecf254d3 Mon Sep 17 00:00:00 2001
From: louiseschmidtgen
Date: Tue, 21 May 2024 08:11:10 +0200
Subject: [PATCH 17/18] tag pinnning and comments removed
---
.github/workflows/scorecard.yaml | 36 +++++---------------------
1 file changed, 5 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 53fcd83f4..dec19b178 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -4,17 +4,13 @@ name: Scorecard supply-chain security
on:
- # For Branch-Protection check. Only the default branch is supported. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '43 6 * * *'
push:
branches: [ "main" ]
+ pull_request: #TODO: rm after testing
-# Declare default permissions as read only.
permissions: read-all
jobs:
@@ -22,13 +18,8 @@ jobs:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
- # Needed to upload the results to code-scanning dashboard.
security-events: write
- # Needed to publish results and get a badge (see publish_results below).
id-token: write
- # Uncomment the permissions below if installing in a private repository.
- # contents: read
- # actions: read
steps:
- name: Harden Runner
@@ -36,42 +27,25 @@ jobs:
with:
egress-policy: audit
- name: "Checkout code"
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ uses: actions/checkout@v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ uses: ossf/scorecard-action@v2.3.1
with:
results_file: results.sarif
results_format: sarif
- # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
- # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
- # Public repositories:
- # - Publish results to OpenSSF REST API for easy access by consumers
- # - Allows the repository to include the Scorecard badge.
- # - See https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories:
- # - `publish_results` will always be set to `false`, regardless
- # of the value entered here.
publish_results: true
- # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
- # format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ uses: actions/upload-artifact@v3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- # Upload the results to GitHub's code scanning dashboard (optional).
- # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ uses: github/codeql-action/upload-sarif@v3.24.9
with:
sarif_file: results.sarif
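Review bot: Replacing the commit-SHA pins with mutable tags (`actions/checkout@v4.1.1`, `ossf/scorecard-action@v2.3.1`, `actions/upload-artifact@v3`, `github/codeql-action/upload-sarif@v3.24.9`) reintroduces the supply-chain exposure this very workflow measures: a tag can be moved to different code after review, a full commit SHA cannot, and Scorecard's Pinned-Dependencies check will score the repository down for it. Keep the form the removed lines had — full SHA with the version as a trailing comment, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` — which a dependency-update bot can still bump together with the comment. The `actions/upload-artifact@v3` line is the loosest of the four, since it floats on a major tag rather than a specific release.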
From ee259bdc5003876c18adb861f1fa4c9ec2f7d45a Mon Sep 17 00:00:00 2001
From: louiseschmidtgen
Date: Tue, 21 May 2024 08:25:55 +0200
Subject: [PATCH 18/18] cleanup
---
.github/workflows/scorecard.yaml | 5 -----
1 file changed, 5 deletions(-)
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index dec19b178..ffb8afe17 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -1,7 +1,3 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
name: Scorecard supply-chain security
on:
branch_protection_rule:
@@ -9,7 +5,6 @@ on:
- cron: '43 6 * * *'
push:
branches: [ "main" ]
- pull_request: #TODO: rm after testing
permissions: read-all