chrore(ci): enhanced GH workflows security

Signed-off-by: manhtukhang <[email protected]>
manhtukhang · Dec 9, 2024 · 87a3e3d · 87a3e3d
1 parent 50086c3
commit 87a3e3d
Show file tree

Hide file tree

Showing 10 changed files with 114 additions and 12 deletions.
diff --git a/.github/workflows/_test-acceptance.tmpl.yaml b/.github/workflows/_test-acceptance.tmpl.yaml
@@ -20,13 +20,20 @@ on:
         type: string
         default: "latest"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: 'Test plugin on Vault v${{ inputs.vault-version }} + Nexus Repository v${{ inputs.nxr-version }}'
     runs-on: ubuntu-latest
     permissions:
-       contents: write
+      contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -8,7 +8,13 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/greet.yaml b/.github/workflows/greet.yaml
@@ -7,10 +7,21 @@ on:
   issues:
 
 
+permissions:
+  contents: read
+
 jobs:
   greeting:
+    permissions:
+      issues: write # for actions/first-interaction to comment on first issue
+      pull-requests: write # for actions/first-interaction to comment on first PR
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Greetings for PR and issues
         uses: actions/first-interaction@34f15e814fe48ac9312ccf29db4e74fa767cbab7 # v1.3.0
         with:

diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml
@@ -1,15 +1,21 @@
 name: Labeler
 on: [ pull_request_target ]
 
+permissions:
+  contents: read
+
 jobs:
   label:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -1,10 +1,20 @@
 name: Lint
+
 on:
   push:
+    branches: "*"
   pull_request:
+
+
+permissions:
+  contents: read
+
 jobs:
   pre_job:
     # continue-on-error: true
+    permissions:
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+      contents: read # for fkirc/skip-duplicate-actions to read and compare commits
     runs-on: ubuntu-latest
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
@@ -17,13 +27,25 @@ jobs:
           cancel_others: 'true'
           do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
           paths: '["go.mod", "go.sum", "src/**/*"]'
+
   golangci:
     name: GolangCI Lint
     needs: pre_job
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     runs-on: ubuntu-latest
     if: needs.pre_job.outputs.should_skip != 'true'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -48,9 +48,10 @@ jobs:
         run: |
           set -euo pipefail
 
-          checksum_file="$(echo $ARTIFACTS | jq -r '.[] | select (.type=="Checksum") | .path')"
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-          echo "project-name=$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" >> "$GITHUB_OUTPUT"
+          hashes="$(echo "${ARTIFACTS}" | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)"
+
+          echo "hashes=${hashes}" >> "${GITHUB_OUTPUT}"
+          echo "project-name=$(echo "${GITHUB_REPOSITORY}" | cut -d'/' -f2)" >> "${GITHUB_OUTPUT}"
 
   attestation:
     needs: [ goreleaser ]
@@ -61,6 +62,11 @@ jobs:
       contents: write # To download assets from draft release.
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
@@ -107,6 +113,11 @@ jobs:
     permissions:
       contents: write # To download assets from draft release.
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
@@ -128,14 +139,15 @@ jobs:
       - name: Verify assets
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+          HASHES: ${{ needs.goreleaser.outputs.hashes }}
           PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
           VERSION: ${{ github.ref_name }}
         run: |
           set -euo pipefail
-          checksums="$(echo ${CHECKSUMS} | base64 -d)"
+
+          checksums="$(base64 -d <<< "${HASHES}")"
           while read -r line; do
-              fn="$(echo ${line} | cut -d ' ' -f2)"
+              fn="$(echo "${line}" | cut -d ' ' -f2)"
 
               echo "Verifying ${fn} with GH CLI"
               gh attestation verify "${fn}" --repo "${GITHUB_REPOSITORY}"
@@ -145,7 +157,7 @@ jobs:
                                             --source-uri "github.com/${GITHUB_REPOSITORY}" \
                                             --source-tag "${VERSION}" \
                                             "${fn}"
-          done <<<"$checksums"
+          done <<<"${checksums}"
 
   acceptance-test:
     needs: [ goreleaser, attestation, provenance ]
@@ -167,6 +179,11 @@ jobs:
       contents: write # To edit release.
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0

diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: '0 0 * * *' # daily
 
+permissions:
+  contents: read
+
 jobs:
   security:
     if: github.repository == 'manhtukhang/vault-plugin-secrets-nexus-repository'
@@ -14,17 +17,24 @@ jobs:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+
       - name: Run Snyk to check for code vulnerabilities
         uses: snyk/actions/golang@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         continue-on-error: true # To make sure that SARIF upload gets called
         with:
           args: --sarif-file-output=snyk.sarif
+
       - name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -22,6 +22,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/.github/workflows/test-acceptance.yaml b/.github/workflows/test-acceptance.yaml
@@ -6,9 +6,15 @@ on:
   pull_request:
 
 
+permissions:
+  contents: read
+
 jobs:
   pre_job:
     # continue-on-error: true
+    permissions:
+      actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
+      contents: read # for fkirc/skip-duplicate-actions to read and compare commits
     runs-on: ubuntu-latest
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
@@ -21,13 +27,18 @@ jobs:
           cancel_others: 'true'
           do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
           paths: '["go.mod", "go.sum", "Makefile", "src/**/*", "test/**/*"]'
+
   build:
     name: Build plugin executable binary
     needs: pre_job
     runs-on: ubuntu-latest
     if: needs.pre_job.outputs.should_skip != 'true'
     steps:
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -20,13 +20,20 @@ jobs:
           cancel_others: 'true'
           do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
           paths: '["go.mod", "go.sum", "Makefile", "src/**/*"]'
+
   test:
     name: Test
     needs: pre_job
     runs-on: ubuntu-latest
     steps:
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
 
       - name: Setup Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0