diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 41b9f74..983e333 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -51,15 +51,13 @@ on: registry-password: required: true -permissions: - id-token: write - packages: write - contents: read - attestations: write - security-events: write - jobs: build-and-push-image: + permissions: + packages: write + contents: read + attestations: write + security-events: write name: Docker build and push runs-on: ${{ inputs.runs-on }} steps: @@ -83,9 +81,14 @@ jobs: ${{ inputs.egress-policy-allowlist }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 + with: + cache-binary: false # v3.7.1 - name: Log in to the Container registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 7793c80..519cb7f 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -31,6 +31,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: gitleaks uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7 diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index d88178d..780ea68 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -44,6 +44,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: @@ -82,6 +83,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Go uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 
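Review bot: In the first docker-build-and-push hunk the new job-level `permissions:` keeps `attestations: write` but drops the `id-token: write` that the deleted workflow-level block granted; any provenance or signing step later in this job (outside this hunk, e.g. actions/attest-build-provenance or keyless cosign) needs the OIDC token and will no longer be able to request it. If the job does attest, add `id-token: write` next to `attestations: write`; if it does not, `attestations: write` is a dead scope and should go too. Because this is a reusable workflow (`workflow_call` secrets above), the caller also has to grant that scope, since a called workflow can only narrow what it inherits.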
diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml index fc97fea..e46b049 100644 --- a/.github/workflows/go-security-scan.yml +++ b/.github/workflows/go-security-scan.yml @@ -41,6 +41,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Run Gosec Security Scanner # kics-scan ignore-line uses: securego/gosec@master diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 485e3bf..b67b003 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -24,6 +24,8 @@ jobs: infra-security-scan: name: Scan with Kics runs-on: ${{ inputs.runs-on }} + permissions: + security-events: write defaults: run: working-directory: ${{ inputs.working-directory }} @@ -45,12 +47,13 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Kics Scan uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 with: path: . - output_path: ${{ inputs.working-directory }}/results.sarif + output_path: ${{ inputs.working-directory }}/kics_results.sarif output_formats: sarif fail_on: high,medium token: ${{ github.token }} 
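Review bot: Directly under the new `persist-credentials: false` the context line still runs `securego/gosec@master`, the only action in this diff not pinned to a commit SHA; a mutable branch ref lets an upstream compromise execute in this job, and the zizmor audit added elsewhere in this commit will report it as `unpinned-uses`. Pin it like the other steps, `uses: securego/gosec@<commit-sha> # vX.Y.Z`, and then drop the `# kics-scan ignore-line` suppression, which appears to exist only to silence this finding.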
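Review bot: In the first infra-security-scan hunk the new job-level `permissions:` grants only `security-events: write`, and a job-level block replaces the default token permissions entirely, so `contents` and `actions` fall to none for this job. In a private repository that breaks actions/checkout, which still fetches with the GITHUB_TOKEN even with `persist-credentials: false`, and github/codeql-action/upload-sarif, which documents `actions: read` and `contents: read` as required for private repos; public repos are unaffected, which is probably why it passes today. Add `contents: read` (and `actions: read` if this reusable workflow is called from private repos) under `security-events: write`; the same applies to the zizmor job added later in this file.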
@@ -62,7 +65,43 @@ jobs: uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0 with: - sarif_file: ${{ inputs.working-directory }}/results.sarif + sarif_file: ${{ inputs.working-directory }}/kics_results.sarif + + zizmor: + name: zizmor GitHub Actions Security Analysis + runs-on: ${{ inputs.runs-on }} + permissions: + security-events: write + steps: + - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f + # v2.10.2 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Install the latest version of uv + uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a + # v5.1.0 + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > zizmor_results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 + # v2.19.0 + with: + sarif_file: zizmor_results.sarif + category: zizmor checkmake: name: Check Makefile @@ -88,6 +127,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: @@ -104,8 +144,10 @@ jobs: continue-on-error: true run: | go install github.com/mrtazz/checkmake/cmd/checkmake@latest - CHECKMAKE_OUTPUT=$(checkmake ${{ steps.find-files.outputs.FILES }} --debug) + CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug) echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT + env: + FILES: ${{ steps.find-files.outputs.FILES }} shell: bash - name: PR comment with file if: github.event_name == 'pull_request' && steps.scan-files.outputs.CHECKMAKE_OUTPUT != '' 
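Review bot: In the `Run zizmor` step, `uvx zizmor --format sarif . > zizmor_results.sarif` exits non-zero whenever zizmor has findings (unless `--no-exit-codes` is passed), so the step fails and the following `Upload SARIF file` step never runs — exactly when the report matters. Either add `--no-exit-codes` to the command or give the upload step `if: always()`; the latter keeps the failing step as a signal while the SARIF still reaches code scanning. Separately, `uvx zizmor` resolves the latest PyPI release at run time, an unpinned dependency in a job that otherwise SHA-pins every action; pin it, e.g. `uvx zizmor@<version>`. Passing `GH_TOKEN` for zizmor's online audits is fine given the job's minimal permissions.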
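Review bot: Moving the step output into the `FILES` env var closes the expression-injection hole, but `checkmake "$FILES"` now passes the whole value as a single argument; if the find-files step (not in this hunk) emits several Makefile paths separated by whitespace, checkmake is handed one non-existent path where the old unquoted interpolation split them. The next line is also fragile: checkmake prints one line per finding, and `echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT` writes a multi-line value in the single-line `key=value` form, which the runner rejects; `continue-on-error: true` then hides that failure and the PR-comment step sees an empty output. Split the list into an array (use `mapfile -t` instead of `read -ra` if the list is newline-separated) and write the output with the heredoc delimiter form.
```yaml
        run: |
          go install github.com/mrtazz/checkmake/cmd/checkmake@latest
          # Split the whitespace-separated list without letting the shell glob or re-expand it.
          read -ra files <<< "$FILES"
          CHECKMAKE_OUTPUT=$(checkmake "${files[@]}" --debug)
          # Multi-line values must use the delimiter form of the output file command.
          {
            echo "CHECKMAKE_OUTPUT<<CHECKMAKE_EOF"
            echo "$CHECKMAKE_OUTPUT"
            echo "CHECKMAKE_EOF"
          } >> "$GITHUB_OUTPUT"
        # … unchanged: env / shell …
```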
diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml index d7ee00b..916fccb 100644 --- a/.github/workflows/local-auto-tagger.yml +++ b/.github/workflows/local-auto-tagger.yml @@ -26,6 +26,9 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Get changed files for each workflow and action id: changed-files uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index b352f74..e0223a7 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -44,6 +44,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.2.1 with: diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 217a1b7..4e5d408 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -54,6 +54,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 @@ -84,6 +85,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 @@ -118,6 +120,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 @@ -169,6 +172,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with:
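Review bot: In the local-auto-tagger hunk, `persist-credentials: false` on the checkout removes the token from `.git/config`, so any later step in this job (outside this hunk) that pushes the new tag with a plain `git push` will be rejected unless it is given a token explicitly, e.g. a tagging action with a `token:` input or a `git remote set-url` carrying `${{ github.token }}`. The job name suggests it does push tags, so this is worth confirming against the rest of the job before merging. `fetch-depth: 0` is reasonable here since changed-files and tag history both need more than a shallow clone.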