Harden CI

.github/workflows/cla.yaml

@@ -6,9 +6,18 @@
       - main
       - 'release-[0-9]+.[0-9]+'
 
+permissions:
+  contents: read
+
 jobs:
   cla-check:
+    permissions:
+      pull-requests: write  # for canonical/has-signed-canonical-cla to create & update comments
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check if CLA signed
         uses: canonical/has-signed-canonical-cla@v1

.github/workflows/cron-jobs.yaml

@@ -4,8 +4,14 @@
   schedule:
     - cron: '0 10 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   TICS:
+    permissions:
+      contents: read
+      security-events: write 
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -14,6 +20,10 @@
           - { branch: main }
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
         with:
@@ -67,6 +77,9 @@
           path: tics-logs.tar.gz
 
   Trivy:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -77,6 +90,10 @@
           # Add branches to test here
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
         with:

.github/workflows/go.yaml

@@ -9,12 +9,22 @@
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read  
+
 jobs:
   test:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: write  # for marocchino/sticky-pull-request-comment to create or update PR comment
     name: Unit Tests & Code Quality
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
 
@@ -86,6 +96,10 @@
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
 

.github/workflows/integration.yaml

@@ -9,12 +9,19 @@
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-20.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Install lxd
@@ -71,10 +78,17 @@
           cd tests/integration && sg lxd -c 'tox -e integration'
 
   security-scan:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     name: Security scan
     runs-on: ubuntu-20.04
     needs: build
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Fetch snap

.github/workflows/nightly-test.yaml

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 0 * * *'  # Runs every midnight
 
+permissions:
+  contents: read
+
 jobs:
   test-integration:
     name: Integration Test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.releases }}

.github/workflows/python.yaml

@@ -9,12 +9,19 @@
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
       - name: Setup Python

.github/workflows/sbom.yaml

@@ -9,12 +9,19 @@
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Setup Python

.github/workflows/scorecard.yaml

@@ -4,70 +4,48 @@
 
 name: Scorecard supply-chain security
 on:
-  # For Branch-Protection check. Only the default branch is supported. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
   branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
-  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '43 6 * * *'
   push:
     branches: [ "main" ]
+  pull_request: #TODO: rm after testing
 
-# Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
       security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/[email protected]
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/[email protected]
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@v3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      # Upload the results to GitHub's code scanning dashboard (optional).
-      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/[email protected]
         with:
           sarif_file: results.sarif

.github/workflows/strict.yaml

@@ -6,6 +6,9 @@
       - main
       - 'release-[0-9]+.[0-9]+'
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare
@@ -28,6 +31,8 @@
             echo "strict=" >> $GITHUB_OUTPUT
           fi
   update:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-20.04
     needs: [ prepare ]
     if: ${{ needs.prepare.outputs.strict }}