ci: Updaiting workflow permissions and adding hardend runner per step…

…-security. (#3124) * ci: Updaiting workflow permissions and adding hardend runner per step-security. Signed-off-by: Vasil Boyadzhiev <[email protected]> * Update .github/workflows/pr-label-milestone-check.yml Co-authored-by: Roger Barker <[email protected]> Signed-off-by: Vasil Boyadzhiev <[email protected]> Signed-off-by: Vasil Boyadzhiev <[email protected]> * ci: Updating authenticate step in release-acceptance Signed-off-by: Vasil Boyadzhiev <[email protected]> --------- Signed-off-by: Vasil Boyadzhiev <[email protected]> Signed-off-by: Vasil Boyadzhiev <[email protected]> Co-authored-by: Roger Barker <[email protected]>
hashgraph · Oct 29, 2024 · 592b92f · 592b92f
1 parent 834cb32
commit 592b92f
Show file tree

Hide file tree

Showing 13 changed files with 57 additions and 16 deletions.
diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml
@@ -43,7 +43,7 @@ jobs:
     runs-on: smart-contracts-linux-large
     timeout-minutes: 50
     permissions:
-      contents: write
+      contents: read
       actions: read
       checks: write
       # issues: read

diff --git a/.github/workflows/charts.yml b/.github/workflows/charts.yml
@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/conformity-workflow.yml b/.github/workflows/conformity-workflow.yml
@@ -7,6 +7,9 @@ on:
     branches: [main, release/**]
     tags: [v*]
 
+permissions:
+  contents: read
+
 jobs:
   clone-and-build-execution-apis:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/dapp.yml b/.github/workflows/dapp.yml
@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup-local-hedera:
     name: Dapp Tests

diff --git a/.github/workflows/dev-tool-workflow.yml b/.github/workflows/dev-tool-workflow.yml
@@ -10,6 +10,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   dev-tool-workflow:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/flow-pr-title-check.yml b/.github/workflows/flow-pr-title-check.yml
@@ -28,6 +28,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -7,6 +7,9 @@ on:
 env:
   OWNER: hashgraph
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/postman.yml b/.github/workflows/postman.yml
@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup-local-hedera:
     name: Postman Endpoint Tests

diff --git a/.github/workflows/pr-label-milestone-check.yml b/.github/workflows/pr-label-milestone-check.yml
@@ -6,9 +6,14 @@ on:
 
 jobs:
   check_pr:
-    runs-on: ubuntu-latest
+    runs-on: smart-contracts-linux-medium
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2.7.0
 

diff --git a/.github/workflows/release-acceptance.yml b/.github/workflows/release-acceptance.yml
@@ -13,6 +13,9 @@ on:
         required: true
         default: 'v0.40.0'    
 
+permissions:
+  contents: read
+
 jobs:
   release-acceptance-test:
     runs-on: smart-contracts-linux-medium
@@ -26,21 +29,24 @@ jobs:
           egress-policy: audit
 
       - name: Authenticate
+        env:
+          HEDERA_PORTAL_USER: ${{ secrets.HEDERA_PORTAL_USER }}
+          HEDERA_PORTAL_PASSWORD: ${{ secrets.HEDERA_PORTAL_PASSWORD }}
         run: |
-            RESPONSE=$(jq --null-input -r --arg USER "${{ secrets.HEDERA_PORTAL_USER }}" --arg PASS "${{ secrets.HEDERA_PORTAL_PASSWORD }}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session)
-            echo "::add-mask::$RESPONSE"
-            echo "The response was: $RESPONSE"
-            ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)"
-            echo "::add-mask::$ACCOUNTS_JSON"
-            TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum')
-            echo "The testnet account is: $TESTNET_ACCOUNT"
-            PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey')
-            echo "The publicKey is: $PUBLIC_KEY"
-            PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey')
-            echo "::add-mask::$PRIVATE_KEY"
-            echo "The privateKey is: $PRIVATE_KEY"
-            echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV
-            echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV
+          RESPONSE=$(jq --null-input -r --arg USER "${HEDERA_PORTAL_USER}" --arg PASS "${HEDERA_PORTAL_PASSWORD}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session)
+          echo "::add-mask::$RESPONSE"
+          echo "The response was: $RESPONSE"
+          ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)"
+          echo "::add-mask::$ACCOUNTS_JSON"
+          TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum')
+          echo "The testnet account is: $TESTNET_ACCOUNT"
+          PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey')
+          echo "The publicKey is: $PUBLIC_KEY"
+          PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey')
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "The privateKey is: $PRIVATE_KEY"
+          echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV
+          echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV
 
       - name: Setup node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2

diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
@@ -9,6 +9,9 @@ env:
   OWNER: hashgraph
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/release-production.yml b/.github/workflows/release-production.yml
@@ -9,6 +9,9 @@ env:
   PACKAGE_NAME: hedera-json-rpc-relay
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+
 jobs:
   docker-image-publish:
     runs-on: smart-contracts-linux-medium

diff --git a/.github/workflows/subgraph.yml b/.github/workflows/subgraph.yml
@@ -10,6 +10,9 @@ on:
 concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
   subgraph-workflow: