From 75ecef3625443ffda5b76dde1d25bd9915fc3f68 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 11 Nov 2022 15:46:57 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/cibuild.yml | 15 ++++++++++-----
 .github/workflows/codeql.yml  | 15 ++++++++++-----
 .github/workflows/docs.yml    |  9 +++++++--
 .github/workflows/rebuild.yml | 28 +++++++++++++++++++---------
 .github/workflows/stale.yml   |  7 ++++++-
 .github/workflows/wrapper.yml |  9 +++++++--
 6 files changed, 59 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml
index 9c6a2d6a96..3f47324b39 100644
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -57,24 +57,29 @@ jobs:
     name: Build JDK${{ matrix.java }} ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
         with:
           fetch-depth: ${{ matrix.fetch-depth }}
       - name: Set up Java ${{ matrix.java }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
       - name: Build
         id: build
         run: |
           ${{ format(matrix.runner, './.github/scripts/ci-build.sh') }}
       - name: Configure settings.xml for Publish
         if: ${{ matrix.canonical }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
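Review bot: The new Harden Runner step is placed under `runs-on: ${{ matrix.os }}` here, and the same pattern appears in the codeql.yml and rebuild.yml hunks, but as far as I know harden-runner only instruments Linux runners, so on any Windows or macOS matrix entry the step would likely be a no-op and the audit data would cover only part of the matrix — worth confirming against the action's documentation and, if so, either gating the step with `if: runner.os == 'Linux'` or documenting the gap. The SHA pins on every `uses:` line in all six files drop the version that the removed `@v3`/`@v2` references carried; a trailing comment such as `uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3` keeps the version readable and is what Dependabot/Renovate key on to bump pinned SHAs. The `egress-policy: audit` TODO has no owner or tracking reference, and audit mode only reports egress without restricting it, so nothing is actually blocked until it is flipped to `block` with an `allowed-endpoints:` list; a `# TODO(<tracking-issue>): ...` form would keep that follow-up from being lost. The job definitions continue outside this hunk.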
@@ -92,7 +97,7 @@ jobs:
           JFROG_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
       - name: Upload Test Reports
         if: ${{ always() && ((steps.build.outcome == 'success') || (steps.build.outcome == 'failure')) }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
         with:
           name: Build_JDK${{ matrix.java }}_${{ matrix.os }}-test-reports
           path: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 06d6f9e3bc..97cebadeea 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,17 +42,22 @@ jobs:
     name: CodeQL JDK${{ matrix.java }} ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Set up Java ${{ matrix.java }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
       - name: Initialize CodeQL Analysis
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
         with:
           languages: 'java'
       - name: Build for CodeQL Analysis
@@ -60,4 +65,4 @@ jobs:
         run: |
           ./.github/scripts/codeql-build.sh
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0f6a3ba9f1..51f1ba267e 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -30,10 +30,15 @@ jobs:
       BUNDLE_GEMFILE: Gemfile
       BUNDLE_PATH: vendor/bundle
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@8ddb7b3348b3951590db24c346e94ebafdabc926
         with:
           ruby-version: 2.7
           bundler-cache: true
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
index e5e294b279..266ff9390d 100644
--- a/.github/workflows/rebuild.yml
+++ b/.github/workflows/rebuild.yml
@@ -46,21 +46,26 @@ jobs:
     outputs:
       dist-bundles: Dist_Bundles_JDK${{ matrix.java }}_${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Set up Java ${{ matrix.java }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
       - name: Build
         id: build
         run: |
           ./.github/scripts/rebuild-build.sh
       - name: Upload dist/bundles
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
         with:
           name: Dist_Bundles_JDK${{ matrix.java }}_${{ matrix.os }}
           if-no-files-found: error
@@ -81,17 +86,22 @@ jobs:
     name: Rebuild JDK${{ matrix.java }} ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Set up Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
         with:
           distribution: 'temurin'
           java-version: ${{ matrix.java }}
       - name: Set up Gradle
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
       - name: Download dist/bundles
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
         with:
           name: ${{ needs.build.outputs.dist-bundles }}
           path: dist/bundles
@@ -101,7 +111,7 @@ jobs:
           ${{ format(matrix.runner, './.github/scripts/rebuild-test.sh') }}
       - name: Upload Test Reports
         if: ${{ always() && ((steps.build.outcome == 'success') || (steps.build.outcome == 'failure')) }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
         with:
           name: Rebuild_JDK${{ matrix.java }}_${{ matrix.os }}-test-reports
           path: |
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 4321188f56..56f75bc36a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -20,8 +20,13 @@ jobs:
     name: Stale
     runs-on: 'ubuntu-latest'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Stale Action
-        uses: actions/stale@v6
+        uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578
         with:
           days-before-stale: 365
           days-before-close: 21
diff --git a/.github/workflows/wrapper.yml b/.github/workflows/wrapper.yml
index 880e2ab7ca..9ef2038169 100644
--- a/.github/workflows/wrapper.yml
+++ b/.github/workflows/wrapper.yml
@@ -29,7 +29,12 @@ jobs:
     name: Validate Gradle Wrapper
     runs-on: 'ubuntu-latest'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Git Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Gradle Wrapper Validation
-        uses: gradle/wrapper-validation-action@v1
+        uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6
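Review bot: When the `egress-policy: audit` TODO in the new Harden Runner step is resolved to `block`, this job will need an explicit `allowed-endpoints:` list, because `gradle/wrapper-validation-action` does not validate offline — as far as I know it fetches the published wrapper-jar checksums from Gradle's servers (presumably `services.gradle.org:443`, plus `github.com:443` for the checkout), so confirm the exact hosts from a few audit runs before switching. Since this job's purpose is to detect a tampered wrapper jar and its egress set is small and stable, it is a good candidate to move to `block` first rather than leaving it in audit alongside the build jobs.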