From 5548a54cc48c09bb4c877aa4a3716b28dd2348cc Mon Sep 17 00:00:00 2001
From: manhtukhang
Date: Sun, 8 Dec 2024 23:41:13 +0700
Subject: [PATCH 1/4] chrore: added pre-commit config
Signed-off-by: manhtukhang
---
 .pre-commit-config.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..a3afd53
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,23 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.21.2
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+ rev: v1.62.2
+ hooks:
+ - id: golangci-lint
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: check-yaml
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+- repo: https://github.com/rhysd/actionlint
+ rev: v1.7.4
+ hooks:
+ - id: actionlint
From f911b2278ac105644bd84d1c030f8f8bc5976835 Mon Sep 17 00:00:00 2001
From: manhtukhang
Date: Sun, 8 Dec 2024 23:42:15 +0700
Subject: [PATCH 2/4] chrore: updated acceptance tests
Signed-off-by: manhtukhang
---
 test/acceptance-tests.bats | 38 ++++++++++++++++++++------------------
 test/docker-compose.yml | 2 +-
 2 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/test/acceptance-tests.bats b/test/acceptance-tests.bats
index 7a13361..55acaac 100644
--- a/test/acceptance-tests.bats
+++ b/test/acceptance-tests.bats
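Review bot: Every hook repository in the new .pre-commit-config.yaml is pinned to a tag (`rev: v8.21.2`, `rev: v1.62.2`, `rev: 3.0.0`, `rev: v5.0.0`, `rev: v1.7.4`), which is a weaker guarantee than the commit-SHA pinning the workflows in this same series use for `uses:` lines, because a tag can be moved after the fact. pre-commit accepts a full commit SHA in `rev`, and `pre-commit autoupdate --freeze` writes that form with the tag kept as a trailing comment, so the local hooks can get the same integrity property as the actions. A one-line comment at the top of the file, `# revs are frozen to commit SHAs; update with: pre-commit autoupdate --freeze`, would keep the next update from silently reverting to tags.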
@@ -34,22 +34,22 @@ # Default: "vault-nexus-acceptance-tests-network" # Required -vault_plugin_dir=${VAULT_PLUGIN_DIR} +vault_plugin_dir=${VAULT_PLUGIN_DIR:-"./dist/bin"} # Optional -docker_network=${DOCKER_NETWORK:-"vault-nexus-acceptance-tests-network"} +# docker_network=${DOCKER_NETWORK:-"vault-nexus-acceptance-tests-network"} vault=${VAULT_BIN:-"vault"} # Uses $PATH -vault_docker_name=${VAULT_DOCKER_NAME:-"vault-tests"} -vault_version=${VAULT_VERSION:-"latest"} +# vault_docker_name=${VAULT_DOCKER_NAME:-"vault-tests"} +# vault_version=${VAULT_VERSION:-"latest"} vault_port=${VAULT_PORT:-"8200"} vault_server_addr=${VAULT_SERVER_ADDR:-"127.0.0.1"} export VAULT_ADDR="http://${vault_server_addr}:${vault_port}" export VAULT_TOKEN=${VAULT_TOKEN:-"root-token"} nxr_docker_name=${NXR_DOCKER_NAME:-"nxr-tests"} -nxr_version=${NXR_VERSION:-"latest"} +# nxr_version=${NXR_VERSION:-"latest"} nxr_server_addr=${NXR_SERVER_ADDR:-"127.0.0.1"} nxr_port=${NXR_PORT:-"8400"} nxr_admin_password="admin123" 
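Review bot: The `# Required` header directly above `vault_plugin_dir=${VAULT_PLUGIN_DIR:-"./dist/bin"}` is now wrong, since the new default means the variable is no longer required; change it to `# Optional (defaults to ./dist/bin)`. The hunk also leaves four settings commented out rather than removed (`# docker_network=…`, `# vault_docker_name=…`, `# vault_version=…`, `# nxr_version=…`), and the `# Default: "vault-nexus-acceptance-tests-network"` line at the top of the hunk still documents the option that was just disabled. If these values now come from test/docker-compose.yml, deleting the dead lines and the stale documentation above them (the settings header starts before this hunk) keeps the env-var list trustworthy.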
@@ -67,21 +67,23 @@ fi ## wait_for_nxr(){ log "[NXR] Waiting for Nexus Repository instance start..." - until [[ $(curl -sfI -X GET http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/writable | grep 'HTTP/1.1 200 OK' 2>/dev/null) ]]; do - printf "." - sleep 2 + until (curl -sfI -X GET "http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/writable" | grep -q 'HTTP/1.1 200 OK'); do + printf "." + sleep 2 done - + log "[NXR] Verifying API status" - curl -sfI -X GET --user "admin:${nxr_admin_password}" http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check && \ - log "[NXR] Ready!"|| \ - log "[NXR] Could not verify that Nexus Repository API worked, please see the error above and check again!" + if (curl -sfI -X GET --user "admin:${nxr_admin_password}" "http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check"); then + log "[NXR] Ready!" + else + log "[NXR] Could not verify that Nexus Repository API worked, please see the error above and check again!" + fi } ## wait_for_vault(){ log "[VAULT] Waiting for vault to become available..." - until [[ $( ${vault} status -address="${VAULT_ADDR}" ) ]]; do + until ( ${vault} status -address="${VAULT_ADDR}" ); do printf "." sleep 2 done @@ -125,7 +127,7 @@ teardown() { for role in ${roles}; do vault delete "nexus/roles/${role}" > /dev/null done - + # vault delete nexus/config/admin } @@ -344,7 +346,7 @@ teardown() { run vault write -format=json sys/leases/lookup lease_id="${lease_id}" [ ${status} -eq 0 ] _ttl=$(echo "${output}" | jq .data.ttl) - if [ ${_ttl} -le ${wait_until_dur} ]; then + if [ "${_ttl}" -le "${wait_until_dur}" ]; then break fi sleep 1 
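Review bot: Both readiness loops are still unbounded after the rewrite: `until (curl … | grep -q 'HTTP/1.1 200 OK'); do` in wait_for_nxr and `until ( ${vault} status -address="${VAULT_ADDR}" ); do` in wait_for_vault spin forever if a container never becomes healthy, so a broken image hangs the job until the runner timeout instead of failing with a message. A counter bounds each loop: add `tries=0` before it and `(( ++tries > 90 )) && { log "[NXR] Timed out waiting for Nexus Repository"; return 1; }` as the first statement of the body (90 × 2 s, adjust to observed startup time). The `( … )` subshells around both conditions add nothing — `until curl … | grep -q …; do` has the same exit status. The `[NXR] Verifying API status` branch logs a failure but the function still returns 0, so setup proceeds against an instance that may not be ready; a `return 1` in the `else` branch would surface that at the right place.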
@@ -362,7 +364,7 @@ teardown() { log "Sleeping until after original TTL (${sleep_time}s)..." sleep $((sleep_time)) - run curl -sfI -X GET --user "${user_id}:${password}" "http://127.0.0.1:${nxr_port}/service/rest/v1/status/check" + run curl -sfI -X GET --user "${user_id}:${password}" "http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check" [ ${status} -eq 0 ] [[ "${output}" == *"200 OK"* ]] @@ -375,7 +377,7 @@ teardown() { sleep 1 done - run curl -sfI -X GET --user "${user_id}:${password}" "http://127.0.0.1:${nxr_port}/service/rest/v1/status/check" + run curl -sfI -X GET --user "${user_id}:${password}" "http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check" [ ${status} -ne 0 ] [[ "${output}" == *"401 Unauthorized"* ]] } @@ -385,6 +387,6 @@ teardown() { run vault write -f nexus/config/rotate [ ${status} -eq 0 ] - run curl -sfI -X GET --user "admin:${nxr_admin_password}" http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check + run curl -sfI -X GET --user "admin:${nxr_admin_password}" "http://${nxr_server_addr}:${nxr_port}/service/rest/v1/status/check" [ ${status} -ne 0 ] } diff --git a/test/docker-compose.yml b/test/docker-compose.yml index 3634711..bbaf867 100644 --- a/test/docker-compose.yml +++ b/test/docker-compose.yml @@ -27,7 +27,7 @@ services: command: - vault - server - - -dev + - -dev - -dev-plugin-dir=/vault/plugins - -log-level=trace healthcheck: From 50086c37b4cd2de62b6938b13ff0f824d0b79e94 Mon Sep 17 00:00:00 2001 From: manhtukhang Date: Sun, 8 Dec 2024 23:43:07 +0700 Subject: [PATCH 3/4] chrore: fixed in small format changes Signed-off-by: manhtukhang --- .github/pull_request_template.md | 8 ++++---- .github/release.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index dd1c430..a912b6b 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -1,12 +1,12 @@ ## Issue: - + ## Problem - + ## Solution - + ## Testing @@ -19,6 +19,6 @@ ## QA Testing Considerations - + ### Regressions Considerations diff --git a/.github/release.yaml b/.github/release.yaml index 15f4037..38329a0 100644 --- a/.github/release.yaml +++ b/.github/release.yaml @@ -16,6 +16,6 @@ changelog: - title: 👒 Dependencies labels: - dependencies - - title: 📚 Other Changes + - title: 📚 Other Changes labels: - "*" From 87a3e3d0015d1796f1235ee9819e8bc7ff9b7375 Mon Sep 17 00:00:00 2001 From: manhtukhang Date: Sun, 8 Dec 2024 23:44:37 +0700 Subject: [PATCH 4/4] chrore(ci): enhanced GH workflows security Signed-off-by: manhtukhang --- .github/workflows/_test-acceptance.tmpl.yaml | 9 +++++- .github/workflows/dependency-review.yaml | 6 ++++ .github/workflows/greet.yaml | 11 +++++++ .github/workflows/labeler.yaml | 10 +++++-- .github/workflows/lint.yaml | 22 ++++++++++++++ .github/workflows/release.yaml | 31 +++++++++++++++----- .github/workflows/scan.yaml | 10 +++++++ .github/workflows/scorecard.yaml | 5 ++++ .github/workflows/test-acceptance.yaml | 13 +++++++- .github/workflows/test.yaml | 9 +++++- 10 files changed, 114 insertions(+), 12 deletions(-) diff --git a/.github/workflows/_test-acceptance.tmpl.yaml b/.github/workflows/_test-acceptance.tmpl.yaml index 2cacd95..f2989d4 100644 --- a/.github/workflows/_test-acceptance.tmpl.yaml +++ b/.github/workflows/_test-acceptance.tmpl.yaml @@ -20,13 +20,20 @@ on: type: string default: "latest" +permissions: + contents: read + jobs: test: name: 'Test plugin on Vault v${{ inputs.vault-version }} + Nexus Repository v${{ inputs.nxr-version }}' runs-on: ubuntu-latest permissions: - contents: write + contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index f01d356..da6a3af 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -8,7 +8,13 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Dependency Review' uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/greet.yaml b/.github/workflows/greet.yaml index 34a8aaa..f3c5d46 100644 --- a/.github/workflows/greet.yaml +++ b/.github/workflows/greet.yaml @@ -7,10 +7,21 @@ on: issues: +permissions: + contents: read + jobs: greeting: + permissions: + issues: write # for actions/first-interaction to comment on first issue + pull-requests: write # for actions/first-interaction to comment on first PR runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Greetings for PR and issues uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0 with: diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index f186528..968d6a9 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml 
@@ -1,15 +1,21 @@ name: Labeler on: [ pull_request_target ] +permissions: + contents: read + jobs: label: - runs-on: ubuntu-latest permissions: contents: read pull-requests: write - steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 94ad0b5..143f4c1 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,10 +1,20 @@ name: Lint + on: push: + branches: "*" pull_request: + + +permissions: + contents: read + jobs: pre_job: # continue-on-error: true + permissions: + actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs + contents: read # for fkirc/skip-duplicate-actions to read and compare commits runs-on: ubuntu-latest outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} @@ -17,13 +27,25 @@ jobs: cancel_others: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' paths: '["go.mod", "go.sum", "src/**/*"]' + golangci: name: GolangCI Lint needs: pre_job + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests runs-on: ubuntu-latest if: needs.pre_job.outputs.should_skip != 'true' steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + - name: golangci-lint uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8b1813a..100930f 100644 --- a/.github/workflows/release.yaml 
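Review bot: `branches: "*"` under `push:` in lint.yaml does not mean every branch: in GitHub's filter syntax `*` does not match `/`, so pushes to `feature/x` or `dependabot/...` style branches stop triggering lint, which the unfiltered `push:` before this change did trigger. If the intent is all branches, either drop the filter again or write `branches: ["**"]`. The new `fetch-depth: 0` on the golangci checkout fetches the full history; if golangci-lint does not need it (the `with:` block of the action is outside the hunk), the default shallow clone keeps the job faster.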
+++ b/.github/workflows/release.yaml @@ -48,9 +48,10 @@ jobs: run: | set -euo pipefail - checksum_file="$(echo $ARTIFACTS | jq -r '.[] | select (.type=="Checksum") | .path')" - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" - echo "project-name=$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" >> "$GITHUB_OUTPUT" + hashes="$(echo "${ARTIFACTS}" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)" + + echo "hashes=${hashes}" >> "${GITHUB_OUTPUT}" + echo "project-name=$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)" >> "${GITHUB_OUTPUT}" attestation: needs: [ goreleaser ] @@ -61,6 +62,11 @@ jobs: contents: write # To download assets from draft release. runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -107,6 +113,11 @@ jobs: permissions: contents: write # To download assets from draft release. steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 
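Review bot: The new `hashes=` pipeline can legitimately produce an empty string: `select(.digest)` drops every artifact whose `.extra.Digest`/`.extra.Checksum` is absent, so if goreleaser's artifact metadata changes shape the step still exits 0 and a release with no attested subjects is published. Add `[ -n "${hashes}" ] || { echo "no artifact digests found in ARTIFACTS" >&2; exit 1; }` before the `echo "hashes=…"` line. Note also that the layout changed from the old checksum file: `join(" ")` emits `<digest> <name>` with a single space, whereas sha256sum's check format uses two, so any consumer that feeds these lines to `sha256sum -c` (or a provenance generator that expects sha256sum lines — worth confirming) will reject them; `join("  ")` keeps the previous layout.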
@@ -128,14 +139,15 @@ jobs: - name: Verify assets env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }} + HASHES: ${{ needs.goreleaser.outputs.hashes }} PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" VERSION: ${{ github.ref_name }} run: | set -euo pipefail - checksums="$(echo ${CHECKSUMS} | base64 -d)" + + checksums="$(base64 -d <<< "${HASHES}")" while read -r line; do - fn="$(echo ${line} | cut -d ' ' -f2)" + fn="$(echo "${line}" | cut -d ' ' -f2)" echo "Verifying ${fn} with GH CLI" gh attestation verify "${fn}" --repo "${GITHUB_REPOSITORY}" @@ -145,7 +157,7 @@ jobs: --source-uri "github.com/${GITHUB_REPOSITORY}" \ --source-tag "${VERSION}" \ "${fn}" - done <<<"$checksums" + done <<<"${checksums}" acceptance-test: needs: [ goreleaser, attestation, provenance ] @@ -167,6 +179,11 @@ jobs: contents: write # To edit release. runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index 646a166..b218bc7 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -6,6 +6,9 @@ on: schedule: - cron: '0 0 * * *' # daily +permissions: + contents: read + jobs: security: if: github.repository == 'manhtukhang/vault-plugin-secrets-nexus-repository' 
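Review bot: The digest in each decoded line is never used: `fn="$(echo "${line}" | cut -d ' ' -f2)"` keeps only the file name, so the goreleaser checksums travel through `HASHES` only to be discarded, and each asset is trusted solely on the attestation lookups that follow. Reading both fields, `while read -r digest fn; do`, and checking the file first, `echo "${digest}  ${fn}" | sha256sum --check --strict -`, would catch a tampered or mis-uploaded asset independently of the attestation service (this requires the hashes to carry a usable digest in the first field, which the `hashes=` step above controls). The rest of this `run:` block, including where the assets are downloaded, is outside the hunk.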
@@ -14,10 +17,16 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Run Snyk to check for code vulnerabilities uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master env: @@ -25,6 +34,7 @@ jobs: continue-on-error: true # To make sure that SARIF upload gets called with: args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index fb891f6..f1c1045 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -22,6 +22,11 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/test-acceptance.yaml b/.github/workflows/test-acceptance.yaml index 2ca3d0a..70c93f2 100644 --- a/.github/workflows/test-acceptance.yaml +++ b/.github/workflows/test-acceptance.yaml @@ -6,9 +6,15 @@ on: pull_request: +permissions: + contents: read + jobs: pre_job: # continue-on-error: true + permissions: + actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs + contents: read # for fkirc/skip-duplicate-actions to read and compare commits runs-on: ubuntu-latest outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} 
@@ -21,13 +27,18 @@ jobs: cancel_others: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' paths: '["go.mod", "go.sum", "Makefile", "src/**/*", "test/**/*"]' + build: name: Build plugin executable binary needs: pre_job runs-on: ubuntu-latest if: needs.pre_job.outputs.should_skip != 'true' steps: - + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index e14a2a5..5107d8e 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,13 +20,20 @@ jobs: cancel_others: 'true' do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]' paths: '["go.mod", "go.sum", "Makefile", "src/**/*"]' + test: name: Test needs: pre_job runs-on: ubuntu-latest steps: - + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 - name: Setup Go uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
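Review bot: test.yaml is the only workflow in this patch that gains the Harden Runner step without any `permissions:` block: lint.yaml and test-acceptance.yaml get a workflow-level `permissions: contents: read` plus job-level grants, while the `test` job here still inherits the repository's default token permissions (unless a `permissions:` key already exists above the hunk, which the diffstat's +9/-1 for this file makes unlikely). Adding `permissions:` / `  contents: read` at workflow level brings it in line with the others. `fetch-depth: 0` is also new on this checkout; a full clone is only needed if the tests inspect git history, so if they do not, dropping it keeps the job faster.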