From 52c2dbb287d88b7c06eba55ddcd74d2ec2b41527 Mon Sep 17 00:00:00 2001 From: "Louise K. Schmidtgen" Date: Tue, 21 May 2024 13:18:11 +0200 Subject: [PATCH] Harden CI (#385) * gh token permissions * add security agent to runner * fmt * gh token permissions * add security agent to runner * fmt * rm permissions * rm permission restriction strict * rm harden runner from integration tests * lets try with these allowed endpoints * move code * rm harden runner for integration tests * test more runs * rm harden runner from strict integration * add write to ticks test * rm run workflow on PR for testing * tag pinnning and comments removed * cleanup --- .github/workflows/cla.yaml | 9 ++++++ .github/workflows/cron-jobs.yaml | 17 ++++++++++++ .github/workflows/go.yaml | 14 ++++++++++ .github/workflows/integration.yaml | 14 ++++++++++ .github/workflows/nightly-test.yaml | 3 ++ .github/workflows/python.yaml | 7 +++++ .github/workflows/sbom.yaml | 7 +++++ .github/workflows/scorecard.yaml | 43 ++++++----------------------- .github/workflows/strict.yaml | 5 ++++ 9 files changed, 84 insertions(+), 35 deletions(-) diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 32e75485b..a3c4515de 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -6,9 +6,18 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: cla-check: + permissions: + pull-requests: write # for canonical/has-signed-canonical-cla to create & update comments runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check if CLA signed uses: canonical/has-signed-canonical-cla@v1 diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index dd7aeb442..7ad2d79d8 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml 
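Review bot: The job-level `permissions:` block added to `cla-check` replaces the workflow-level one rather than extending it, so this job runs with `contents: none` while every other job touched by this patch restates `contents: read` next to its write scope; if `canonical/has-signed-canonical-cla` only needs the pull-request API that is fine, but confirm it and say so with a comment, otherwise add `contents: read`. The new `step-security/harden-runner@v2` step is third-party code that runs first in the job and is referenced by a mutable tag, as is `has-signed-canonical-cla@v1`; pin both to a commit SHA with the version in a trailing comment, which is the form the scorecard workflow used before this patch. `egress-policy: audit` only records outbound connections, so on its own this step does not yet restrict what the job can reach.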
@@ -4,8 +4,14 @@ on: schedule: - cron: '0 10 * * *' +permissions: + contents: read + jobs: TICS: + permissions: + contents: read + security-events: write runs-on: ubuntu-latest strategy: matrix: @@ -14,6 +20,10 @@ jobs: - { branch: main } steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: @@ -67,6 +77,9 @@ jobs: path: tics-logs.tar.gz Trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest strategy: matrix: @@ -77,6 +90,10 @@ jobs: # Add branches to test here steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 with: diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml index ff12570f5..0fa34b24f 100644 --- a/.github/workflows/go.yaml +++ b/.github/workflows/go.yaml @@ -10,12 +10,22 @@ on: - 'autoupdate/sync/**' pull_request: +permissions: + contents: read + jobs: test: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment name: Unit Tests & Code Quality runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 @@ -87,6 +97,10 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 7d693ae12..e309e5e6e 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml 
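Review bot: `egress-policy: audit` on the `TICS` and `Trivy` jobs only logs outbound connections; it does not stop a compromised dependency or scanner from sending the `GITHUB_TOKEN` (which here carries `security-events: write`) or the checked-out tree elsewhere. These are scheduled jobs with a presumably fixed set of destinations, so they are the natural first candidates for `egress-policy: block` plus an `allowed-endpoints:` list, which can be derived from the audit output of the first few runs. The `TICS` job's `security-events: write` also lacks the `# for …` rationale comment that the `Trivy` job carries; add one naming the step that needs the scope, e.g. `security-events: write # for <step> to upload results`, so a later cleanup does not drop it.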
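Review bot: The `test` job in go.yaml is granted `pull-requests: write` for the sticky PR comment on a workflow that runs on `pull_request`; for pull requests opened from forks the `GITHUB_TOKEN` is normally read-only regardless of what is declared here, so the comment step should be expected to fail or be skipped in that case rather than the whole job. Worth a comment next to the scope, e.g. `pull-requests: write # no effect on fork PRs (read-only token); comment step must tolerate that`, or a `continue-on-error`/condition on the comment step, which lies outside this hunk. The `test` job's step list continues past the hunk.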
@@ -10,12 +10,19 @@ on: - 'autoupdate/sync/**' pull_request: +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Install lxd @@ -72,10 +79,17 @@ jobs: cd tests/integration && sg lxd -c 'tox -e integration' security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: Security scan runs-on: ubuntu-20.04 needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Fetch snap diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml index f41dc8906..04184b4d9 100644 --- a/.github/workflows/nightly-test.yaml +++ b/.github/workflows/nightly-test.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '0 0 * * *' # Runs every midnight +permissions: + contents: read + jobs: test-integration: name: Integration Test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.releases }} diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml index 90b049e3b..65028fbbb 100644 --- a/.github/workflows/python.yaml +++ b/.github/workflows/python.yaml @@ -10,12 +10,19 @@ on: - 'autoupdate/sync/**' pull_request: +permissions: + contents: read + jobs: lint: name: Lint runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Check out code uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml index 2adf5e91e..d3f0eab88 100644 --- a/.github/workflows/sbom.yaml +++ b/.github/workflows/sbom.yaml 
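Review bot: The `Harden Runner` step on `build` is added in `audit` mode without a comment, although the commit history indicates a block/allowed-endpoints attempt for these integration jobs that was backed out; the next reader cannot tell whether audit is a deliberate ceiling or an unfinished TODO. Record it inline, e.g. `egress-policy: audit # block mode needs the LXD/snap endpoints enumerated first (see #385)`, so the follow-up is not lost. Note also that a runner-host egress policy may or may not observe traffic originating inside the LXD instances the integration suite presumably uses, which is worth checking before relying on a future block mode here. The `build` job's step list continues outside the hunk.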
@@ -10,12 +10,19 @@ on: - 'autoupdate/sync/**' pull_request: +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: Checking out repo uses: actions/checkout@v4 - name: Setup Python diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index f3a8eb6d7..ffb8afe17 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -1,20 +1,11 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Scorecard supply-chain security on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '43 6 * * *' push: branches: [ "main" ] -# Declare default permissions as read only. permissions: read-all jobs: 
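Review bot: `branch_protection_rule:` and the daily `schedule:` in scorecard.yaml are now bare triggers with no note of why they exist, since the explanatory comments were dropped along with the rest of the template commentary; a future maintainer pruning unused triggers has no reason to keep them. Suggest `branch_protection_rule: # feeds the Scorecard Branch-Protection check (default branch only)` and `schedule: # keeps the Scorecard Maintained check fresh`. The workflow-level `permissions: read-all` is kept, which is the right default for this file.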
@@ -22,52 +13,34 @@ jobs: name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. security-events: write - # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@v2.3.1 with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. 
- name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@v3 with: name: SARIF file path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard (optional). - # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + uses: github/codeql-action/upload-sarif@v3.24.9 with: sarif_file: results.sarif diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml index 2afd12b30..665f7d956 100644 --- a/.github/workflows/strict.yaml +++ b/.github/workflows/strict.yaml @@ -6,6 +6,9 @@ on: - main - 'release-[0-9]+.[0-9]+' +permissions: + contents: read + jobs: prepare: name: Prepare @@ -28,6 +31,8 @@ jobs: echo "strict=" >> $GITHUB_OUTPUT fi update: + permissions: + contents: write # for Git to git push runs-on: ubuntu-20.04 needs: [ prepare ] if: ${{ needs.prepare.outputs.strict }}
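Review bot: The four `uses:` lines in this hunk move from a full commit SHA with a version comment to a mutable tag (`actions/checkout@v4.1.1`, `ossf/scorecard-action@v2.3.1`, `actions/upload-artifact@v3`, `github/codeql-action/upload-sarif@v3.24.9`), which is a step backwards for the one workflow whose purpose is to measure supply-chain posture: a tag can be re-pointed by whoever controls the action repository, a SHA cannot, and Scorecard's own Pinned-Dependencies check will score this file down. Restore the previous form, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, for all four, and pin the new `step-security/harden-runner` step the same way since it is the first code to run in the job. If the motivation was easier updates, Dependabot's `github-actions` ecosystem can bump SHA-pinned references and keep the trailing version comment in sync. `persist-credentials: false` on the checkout is kept, which is right for a job that only reads the tree.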
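Review bot: The `update` job is the only one in this patch granted `contents: write`, and it is the job that performs `git push` to `main`/`release-*`, yet from these hunks it does not receive the `Harden Runner` step that every read-only job got (the commit message says it was removed from strict). If the removal was because block mode interfered with the push, audit mode is harmless there and this is the job where egress visibility matters most, since its token can write to the repository. Its job-level block replaces the workflow-level `contents: read`, which is fine here because `write` implies read. The job's steps lie outside the hunk, so a Harden Runner step placed there would not be visible; confirm.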