From 34a1cbae0341687438069c5ea2ee60235dac9f8b Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 14 Nov 2024 05:18:21 -0800
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#21)
Signed-off-by: StepSecurity Bot
---
 .github/workflows/check.yml | 12 ++++++------
 .github/workflows/postgresql-12-build.yml | 9 ++++++---
 .github/workflows/postgresql-13-build.yml | 9 ++++++---
 .github/workflows/postgresql-14-build.yml | 9 ++++++---
 .github/workflows/postgresql-15-build.yml | 9 ++++++---
 .github/workflows/postgresql-16-build.yml | 9 ++++++---
 .github/workflows/postgresql-17-build.yml | 9 ++++++---
 .github/workflows/scorecard.yml | 2 +-
 8 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index ab0584a..0476f22 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -9,12 +9,12 @@ jobs:
 steps:
 - name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: src/percona_pg_telemetry
 - name: Checkout cppcheck sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: "danmar/cppcheck"
 ref: "2.13.4"
@@ -41,13 +41,13 @@ jobs:
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 ref: 'REL_17_STABLE'
 - name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'contrib/percona_pg_telemetry'
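Review bot: check.yml receives only the SHA pins; unlike the six postgresql-*-build.yml files in this patch it gets no top-level `permissions:` block, and because the first hunk starts at line 9 the workflow header is outside the hunk, so whether the token is already restricted cannot be seen here. If it is not, add `permissions:` / `  contents: read` above `jobs:` as the other workflows do — as far as the hunks show, the steps only check out sources and run a license-header check with `token: ""`, which need read access only. The enclosing job's key is also outside the hunk. Pins such as `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` only stay current if an updater for the github-actions ecosystem is configured; nothing in this patch adds one, so confirm it exists.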
@@ -82,9 +82,9 @@ jobs:
 steps:
 - name: Checkout sources
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Check license headers
- uses: apache/skywalking-eyes/header@v0.6.0
+ uses: apache/skywalking-eyes/header@cd7b195c51fd3d6ad52afceb760719ddc6b3ee91 # v0.6.0
 with:
 token: "" # Prevent comments
diff --git a/.github/workflows/postgresql-12-build.yml b/.github/workflows/postgresql-12-build.yml
index 4d73563..e142e02 100644
--- a/.github/workflows/postgresql-12-build.yml
+++ b/.github/workflows/postgresql-12-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-12-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/postgresql-13-build.yml b/.github/workflows/postgresql-13-build.yml
index ef69e7a..482350b 100644
--- a/.github/workflows/postgresql-13-build.yml
+++ b/.github/workflows/postgresql-13-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-13-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
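Review bot: The `permissions:` block and the three `uses:` pins added to postgresql-12-build.yml are repeated verbatim in postgresql-13- through postgresql-17-build.yml, whose hunks differ from these only in the `name: pg-NN-build-test` value, so every future pin bump or permission change must be applied six times and the files can drift apart. Folding the six workflows into one reusable workflow (`on: workflow_call`) or a version matrix would keep the pins and `permissions:` in a single place; the pins themselves look correct and `contents: read` is the right workflow-level default. The `build` job starts in the first hunk but runs past it, and that hunk's trailing context ends at `path: postgres`, so whether a `ref:` follows for the postgres/postgres checkout is not visible — if none does, the clone tracks that repository's default branch rather than a fixed release branch.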
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/postgresql-14-build.yml b/.github/workflows/postgresql-14-build.yml
index 565e427..70b35cf 100644
--- a/.github/workflows/postgresql-14-build.yml
+++ b/.github/workflows/postgresql-14-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-14-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/postgresql-15-build.yml b/.github/workflows/postgresql-15-build.yml
index 68aff3d..37bc9c2 100644
--- a/.github/workflows/postgresql-15-build.yml
+++ b/.github/workflows/postgresql-15-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-15-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/postgresql-16-build.yml b/.github/workflows/postgresql-16-build.yml
index af20cec..7678f47 100644
--- a/.github/workflows/postgresql-16-build.yml
+++ b/.github/workflows/postgresql-16-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-16-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/postgresql-17-build.yml b/.github/workflows/postgresql-17-build.yml
index d25c07e..0e7749f 100644
--- a/.github/workflows/postgresql-17-build.yml
+++ b/.github/workflows/postgresql-17-build.yml
@@ -3,13 +3,16 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: pg-17-build-test
 runs-on: ubuntu-22.04
 steps:
 - name: Clone postgres repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 repository: 'postgres/postgres'
 path: postgres
@@ -44,7 +47,7 @@ jobs:
 working-directory: postgres
 - name: Clone percona_pg_telemetry repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 path: 'postgres/contrib/percona_pg_telemetry'
@@ -61,7 +64,7 @@ jobs:
 - name: Upload logs on fail
 if: ${{ failure() }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: Regressions diff and postgresql log
 path: |
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index cb2777b..2bab53a 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -43,6 +43,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
 with:
 sarif_file: results.sarif