From df2050a2d47b5a69845ddf1de925dfb11fb527e9 Mon Sep 17 00:00:00 2001
From: Myrotvorets
Date: Tue, 3 Sep 2024 03:46:56 +0300
Subject: [PATCH] Harden workflows
---
.github/workflows/audit-signatures.yml | 47 +++++++++++++++++++
.github/workflows/build.yml | 42 ++++++++---------
.github/workflows/codeql-analysis.yml | 12 +++++
.github/workflows/lint.yml | 64 ++++++++++++++++++++++++++
.github/workflows/npm-publish.yml | 20 ++++++++
.github/workflows/package-audit.yml | 41 +----------------
.github/workflows/push-tag.yml | 29 ++++++++++++
.github/workflows/sonarscan.yml | 23 +++++++--
8 files changed, 213 insertions(+), 65 deletions(-)
create mode 100644 .github/workflows/audit-signatures.yml
create mode 100644 .github/workflows/lint.yml
diff --git a/.github/workflows/audit-signatures.yml b/.github/workflows/audit-signatures.yml
new file mode 100644
index 00000000..606f322f
--- /dev/null
+++ b/.github/workflows/audit-signatures.yml
@@ -0,0 +1,47 @@
+name: Audit Signatures
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ audit:
+ name: Verify Signatures and Provenance Statements
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+ tuf-repo-cdn.sigstore.dev:443
+
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Setup Node.js environment
+ uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ with:
+ node-version: lts/*
+
+ - name: Install latest npm
+ run: npm install -g npm@latest
+
+ - name: Install dependencies
+ run: npm ci
+
+ - name: Run audit
+ run: npm audit signatures
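Review bot: The Harden Runner step of the new audit job sets `disable-sudo` and an `allowed-endpoints` list but no `egress-policy: block`, so it stays in the action's default audit mode and the list is only logged, not enforced — every other Harden Runner step in this commit that carries an allow-list also sets `egress-policy: block`. Separately, the `npm ci` step drops the `--ignore-scripts` that the provenance job removed from package-audit.yml used, so dependency lifecycle scripts now run before `npm audit signatures` has checked anything; `run: npm ci --ignore-scripts` keeps the verification ahead of any third-party code execution, and nothing in this job needs the scripts. The `npm install -g npm@latest` step is the one fetch here that no lockfile or pin covers; if a floating npm is intended, a comment saying why would stop the next reader from "fixing" it.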
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0e95a6d3..961f8d8e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,17 +4,23 @@ name: Build and Test
 on:
 push:
 branches:
- - "**"
+ - master
+ pull_request:
 workflow_dispatch:
 permissions:
 contents: read
+env:
+ NPM_CONFIG_FUND: '0'
+ NPM_CONFIG_AUDIT: '0'
+ SUPPRESS_SUPPORT: '1'
+ NO_UPDATE_NOTIFIER: 'true'
+
 jobs:
 build:
 name: Build and test (Node ${{ matrix.node.name }})
 runs-on: ubuntu-latest
- if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
 strategy:
 matrix:
 node:
@@ -22,27 +28,19 @@ jobs:
 - { name: LTS, version: lts/* }
 - { name: Previous LTS, version: lts/-1 }
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Build and test
 uses: myrotvorets/composite-actions/build-test-nodejs@master
 with:
 node-version: ${{ matrix.node.version }}
-
- lint:
- name: Check Code Style
- runs-on: ubuntu-latest
- if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
- steps:
- - name: Run code style check
- uses: myrotvorets/composite-actions/node-run-script@master
- with:
- script: lint
-
- typecheck:
- name: Check Types
- runs-on: ubuntu-latest
- if: ${{ !contains(github.event.head_commit.message, '[ci skip]') || github.event_name == 'workflow_dispatch' }}
- steps:
- - name: Run type check
- uses: myrotvorets/composite-actions/node-run-script@master
- with:
- script: typecheck
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 77be6d61..e2458f4b 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
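Review bot: The Harden Runner step added in the second hunk is pinned to a full SHA, but the step right after it still pulls `myrotvorets/composite-actions/build-test-nodejs@master`, a mutable branch ref, so the pinning does not cover the code that actually runs the install and the tests. The same pattern is in lint.yml, npm-publish.yml, package-audit.yml, push-tag.yml and sonarscan.yml in this commit; pinning those `uses:` lines to a commit SHA with the tag in a trailing comment, as the other actions here already do, would make the hardening consistent, provided the composite-actions repository is tagged stably enough for that. Until then the allow-list is the only control on what that step can reach, which is a reasonable fallback but worth a comment on the `uses:` line so the gap is deliberate rather than overlooked.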
@@ -9,6 +9,7 @@ on:
 - master
 schedule:
 - cron: '24 2 * * 6'
+ workflow_dispatch:
 permissions:
 contents: read
@@ -27,6 +28,17 @@ jobs:
 contents: read
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ uploads.github.com:443
+ objects.githubusercontent.com:443
+
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 00000000..067cc674
--- /dev/null
+++ b/.github/workflows/lint.yml
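Review bot: With `egress-policy: block` the allow-list in the second hunk holds only GitHub endpoints, so any dependency install in the rest of this job (its steps continue outside the hunk) would be cut off from `registry.npmjs.org` and `nodejs.org`, which every other workflow in this commit allows; if the job only runs the CodeQL init/analyze steps that is correct and nothing needs changing, otherwise those two hosts need adding. Since a blocked fetch here shows up as a failed analysis rather than a security finding, one run in audit mode to confirm the list before relying on it is cheap insurance.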
@@ -0,0 +1,64 @@
+name: Linting
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+env:
+ NPM_CONFIG_FUND: '0'
+ NPM_CONFIG_AUDIT: '0'
+ SUPPRESS_SUPPORT: '1'
+ NO_UPDATE_NOTIFIER: 'true'
+
+jobs:
+ lint:
+ name: ESLint Check
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
+ - name: Run code style check
+ uses: myrotvorets/composite-actions/node-run-script@master
+ with:
+ script: lint
+
+ typecheck:
+ name: TypeScript Check
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
+ - name: Run type check
+ uses: myrotvorets/composite-actions/node-run-script@master
+ with:
+ script: typecheck
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 2ae21d48..7c13abde 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -22,8 +22,22 @@ jobs:
 prepare:
 name: Prepare source code
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 if: github.event_name == 'release' || github.event.inputs.npm == 'yes' || github.event.inputs.gpr == 'yes'
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Prepare source
 uses: myrotvorets/composite-actions/node-prepublish@master
@@ -49,6 +63,12 @@ jobs:
 secret: GITHUB_TOKEN
 registry_url: https://npm.pkg.github.com/
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: audit
+
 - name: Publish package
 uses: myrotvorets/composite-actions/node-publish@master
 with:
diff --git a/.github/workflows/package-audit.yml b/.github/workflows/package-audit.yml
index 77225820..50ce0124 100644
--- a/.github/workflows/package-audit.yml
+++ b/.github/workflows/package-audit.yml
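Review bot: The publish job in the second hunk — the one that holds the registry credential (`secret: GITHUB_TOKEN` is visible in the context lines, and presumably an npm token in the other matrix entry) — is the only Harden Runner step in this commit left at `egress-policy: audit`, so egress is not enforced exactly where a leaked publish token would matter most. The destinations look enumerable from the matrix (`registry_url: https://npm.pkg.github.com/` plus the npm registry), so `egress-policy: block` with an `allowed-endpoints` list of `api.github.com:443`, `github.com:443`, `npm.pkg.github.com:443` and `registry.npmjs.org:443` (adding `objects.githubusercontent.com:443` and `nodejs.org:443` if the composite action installs Node) seems feasible after one audit-mode run to confirm it. If audit mode is a deliberate interim choice, a comment on the `egress-policy: audit` line saying so would keep it from reading as an oversight. The job header and matrix start outside this hunk.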
@@ -25,46 +25,9 @@ jobs:
 allowed-endpoints:
 api.github.com:443
 github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
 registry.npmjs.org:443
 - name: Audit with NPM
 uses: myrotvorets/composite-actions/node-package-audit@master
-
- provenance:
- name: Verify signatures and provenance statements
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: read
- steps:
- - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
- with:
- disable-sudo: true
- allowed-endpoints:
- api.github.com:443
- github.com:443
- registry.npmjs.org:443
- tuf-repo-cdn.sigstore.dev:443
-
- - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-
- - name: Setup Node.js environment
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
- with:
- node-version: lts/*
- cache: npm
-
- - name: Install dependencies
- run: npm ci --ignore-scripts
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Update npm
- run: npm i -g npm
-
- - name: Run audit
- run: npm audit signatures
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
index b9c98ece..8fb69270 100644
--- a/.github/workflows/push-tag.yml
+++ b/.github/workflows/push-tag.yml
@@ -8,11 +8,31 @@ on:
 permissions:
 contents: read
+env:
+ NPM_CONFIG_FUND: '0'
+ NPM_CONFIG_AUDIT: '0'
+ SUPPRESS_SUPPORT: '1'
+ NO_UPDATE_NOTIFIER: 'true'
+
 jobs:
 build:
 name: Build and test
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
+
 - name: Build and test
 uses: myrotvorets/composite-actions/build-test-nodejs@master
@@ -23,6 +43,15 @@ jobs:
 permissions:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+
 - name: Checkout
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/.github/workflows/sonarscan.yml b/.github/workflows/sonarscan.yml
index 2d675887..bbb40ef4 100644
--- a/.github/workflows/sonarscan.yml
+++ b/.github/workflows/sonarscan.yml
@@ -17,13 +17,28 @@ jobs:
 name: SonarCloud Scan
 runs-on: ubuntu-latest
 if: |
- github.event_name == 'workflow_dispatch' ||
- github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' ||
- github.event_name == 'push' && !contains(github.event.head_commit.message, '[ci skip]')
+ github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ npm.pkg.github.com:443
+ objects.githubusercontent.com:443
+ registry.npmjs.org:443
+ api.sonarcloud.io:443
+ analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
+ sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
+ scanner.sonarcloud.io:443
+ sonarcloud.io:443
+
 - name: Run SonarCloud analysis
 uses: myrotvorets/composite-actions/node-sonarscan@master
 with:
 sonar-token: ${{ secrets.SONAR_TOKEN }}
 test-script: 'test:sonarqube'
-
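Review bot: The rewritten `if:` in the sonarscan hunk drops the `github.event.sender.login != 'dependabot[bot]'` exclusion the old condition carried, and since Dependabot branches live in the same repository the new `head.repo.full_name == base.repo.full_name` test admits them; pull_request runs triggered by Dependabot get only Dependabot secrets, so `secrets.SONAR_TOKEN` is expected to be empty there and the scan step fails instead of being skipped. Keeping the exclusion restores the old behaviour: `github.event_name != 'pull_request' ||` followed by `(github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]')`. If the intent was to let Dependabot PRs through (for example by moving the token to a Dependabot secret), that deserves a comment above the condition because the removal otherwise reads as accidental.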