[StepSecurity] ci: Harden GitHub Actions #5425

Merged
15 changes: 10 additions & 5 deletions .github/workflows/cibuild.yml
Expand Up @@ -57,24 +57,29 @@ jobs:
name: Build JDK${{ matrix.java }} ${{ matrix.os }}
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Git Checkout
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
with:
fetch-depth: ${{ matrix.fetch-depth }}
- name: Set up Java ${{ matrix.java }}
uses: actions/setup-java@v3
uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
- name: Build
id: build
run: |
${{ format(matrix.runner, './.github/scripts/ci-build.sh') }}
- name: Configure settings.xml for Publish
if: ${{ matrix.canonical }}
uses: actions/setup-java@v3
uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
Expand All @@ -92,7 +97,7 @@ jobs:
JFROG_PASSWORD: ${{ secrets.JFROG_PASSWORD }}
- name: Upload Test Reports
if: ${{ always() && ((steps.build.outcome == 'success') || (steps.build.outcome == 'failure')) }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
with:
name: Build_JDK${{ matrix.java }}_${{ matrix.os }}-test-reports
path: |
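Review bot: The new SHA pins on `actions/checkout`, `actions/setup-java`, `gradle/gradle-build-action`, `actions/upload-artifact` and `step-security/harden-runner` carry no version comment, so a reader cannot tell which release each hash is and Dependabot/Renovate will not track or bump them; append the resolved tag to each pinned line, e.g. `uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # <tag this SHA resolves to>`. The same applies to every pinned `uses:` line in codeql.yml, docs.yml, rebuild.yml, stale.yml and wrapper.yml. Separately, the Harden Runner step is added under `runs-on: ${{ matrix.os }}` here and in codeql.yml and rebuild.yml; if that matrix includes macOS or Windows, confirm the step is a no-op rather than a failure on those runners, since the action's runner support is Linux-centric, and the matrix definition sits above this hunk. Note also that `egress-policy: audit` only logs outbound connections, so the `TODO` to switch to `block` will additionally need an `allowed-endpoints` list derived from those audit runs.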
15 changes: 10 additions & 5 deletions .github/workflows/codeql.yml
Expand Up @@ -42,22 +42,27 @@ jobs:
name: CodeQL JDK${{ matrix.java }} ${{ matrix.os }}
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Java ${{ matrix.java }}
uses: actions/setup-java@v3
uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
- name: Initialize CodeQL Analysis
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
with:
languages: 'java'
- name: Build for CodeQL Analysis
id: build
run: |
./.github/scripts/codeql-build.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
9 changes: 7 additions & 2 deletions .github/workflows/docs.yml
Expand Up @@ -30,10 +30,15 @@ jobs:
BUNDLE_GEMFILE: Gemfile
BUNDLE_PATH: vendor/bundle
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Git Checkout
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@8ddb7b3348b3951590db24c346e94ebafdabc926
with:
ruby-version: 2.7
bundler-cache: true
28 changes: 19 additions & 9 deletions .github/workflows/rebuild.yml
Expand Up @@ -46,21 +46,26 @@ jobs:
outputs:
dist-bundles: Dist_Bundles_JDK${{ matrix.java }}_${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Git Checkout
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Java ${{ matrix.java }}
uses: actions/setup-java@v3
uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
- name: Build
id: build
run: |
./.github/scripts/rebuild-build.sh
- name: Upload dist/bundles
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
with:
name: Dist_Bundles_JDK${{ matrix.java }}_${{ matrix.os }}
if-no-files-found: error
Expand All @@ -81,17 +86,22 @@ jobs:
name: Rebuild JDK${{ matrix.java }} ${{ matrix.os }}
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Git Checkout
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Set up Java
uses: actions/setup-java@v3
uses: actions/setup-java@de1bb2b0c5634f0fc4438d7aa9944e68f9bf86cc
with:
distribution: 'temurin'
java-version: ${{ matrix.java }}
- name: Set up Gradle
uses: gradle/gradle-build-action@v2
uses: gradle/gradle-build-action@3fbe033aaae657f011f88f29be9e65ed26bd29ef
- name: Download dist/bundles
uses: actions/download-artifact@v3
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7
with:
name: ${{ needs.build.outputs.dist-bundles }}
path: dist/bundles
Expand All @@ -101,7 +111,7 @@ jobs:
${{ format(matrix.runner, './.github/scripts/rebuild-test.sh') }}
- name: Upload Test Reports
if: ${{ always() && ((steps.build.outcome == 'success') || (steps.build.outcome == 'failure')) }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
with:
name: Rebuild_JDK${{ matrix.java }}_${{ matrix.os }}-test-reports
path: |
7 changes: 6 additions & 1 deletion .github/workflows/stale.yml
Expand Up @@ -20,8 +20,13 @@ jobs:
name: Stale
runs-on: 'ubuntu-latest'
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Stale Action
uses: actions/stale@v6
uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578
with:
days-before-stale: 365
days-before-close: 21
9 changes: 7 additions & 2 deletions .github/workflows/wrapper.yml
Expand Up @@ -29,7 +29,12 @@ jobs:
name: Validate Gradle Wrapper
runs-on: 'ubuntu-latest'
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Git Checkout
uses: actions/checkout@v3
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
- name: Gradle Wrapper Validation
uses: gradle/wrapper-validation-action@v1
uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6