diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index 7c8f7ed..be0d3b5 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
@@ -23,10 +23,15 @@ jobs:
 lint_validate_actions:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Checkout Actoinlint Configs
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 repository: circlefin/circle-public-github-workflows
 ref: stable
@@ -48,6 +53,6 @@ jobs:
 ./actionlint -color -shellcheck="" --config-file .actionlint/config/linters/actionlint.yaml
 - name: json-yaml-validate
- uses: GrantBirki/json-yaml-validate@v3.0.0
+ uses: GrantBirki/json-yaml-validate@3a3d883daf915618a7503a2e9c04b8e57130a4b8 # v3.0.0
 with:
 comment: true
diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
index 8a2c498..6f9ac20 100644
--- a/.github/workflows/attach-release-assets.yaml
+++ b/.github/workflows/attach-release-assets.yaml
@@ -65,8 +65,13 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - name: Download all build artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 if: inputs.artifact_file_globs != ''
 id: download-artifacts
 with:
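Review bot: The pin-by-SHA work in the `@@ -23,10 +23,15 @@` hunk stops one step short: the `Checkout Actoinlint Configs` step is now pinned to `692973e…`, but what it checks out is still `ref: stable`, a mutable branch of `circlefin/circle-public-github-workflows`, so the actionlint configuration that the later `--config-file .actionlint/config/linters/actionlint.yaml` step presumably reads from that checkout can change with no diff to this file; pinning `ref:` to a commit SHA (or a tag only your org can move) closes that gap. The new `Harden Runner` step uses `egress-policy: audit`, which only records outbound connections and blocks nothing; once an audit run shows the baseline, move to `egress-policy: block` with an explicit `allowed-endpoints:` list. The `Actoinlint` typo in the step name is pre-existing context, not introduced here.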
@@ -89,7 +94,7 @@ jobs:
 echo "tag=${TAG}" >> ${GITHUB_OUTPUT}
 - name: Generate SBOM from Dependency Graph
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: inputs.generate_sbom
 env:
 RELEASE_TAG: ${{ steps.setup.outputs.tag }}
@@ -110,7 +115,7 @@ jobs:
 }
 - name: Find matching files in build artifacts
- uses: tj-actions/glob@v22
+ uses: tj-actions/glob@2944188f585a0ec102a6a82d9eeb3aed69785393 # v22.0.1
 if: steps.download-artifacts.conclusion == 'success'
 id: glob
 with:
@@ -146,7 +151,7 @@ jobs:
 sha256sum * | tee ${MANIFEST_FILENAME}
 - name: Attach assets to release
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 RELEASE_TAG: ${{ steps.setup.outputs.tag }}
 with:
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index 7ba7376..b291f1c 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -107,6 +107,11 @@ jobs:
 if: github.event_name == 'pull_request'
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - name: Calculate Fetch Depth
 if: inputs.lint_commits
 id: fetch-depth
@@ -115,7 +120,7 @@ jobs:
 - name: Checkout repo
 if: steps.fetch-depth.conclusion == 'success'
 id: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: ${{ steps.fetch-depth.outputs.depth }}
@@ -123,7 +128,7 @@ jobs:
 if: steps.checkout.conclusion == 'success'
 run: git fetch origin ${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
 with:
 node-version: 20.x
@@ -132,7 +137,7 @@ jobs:
 npm install -g @commitlint/{cli,config-conventional}@^18.6.0
 - name: Configure commitlint
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 ALLOWED_SCOPES: ${{ inputs.allowed_scopes }}
 ALLOWED_SUBJECT_CASES: ${{ inputs.allowed_subject_cases }}
@@ -172,7 +177,7 @@ jobs:
 - name: Comment on Pull Request on Error
 if: always()
- uses: marocchino/sticky-pull-request-comment@v2
+ uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
 with:
 header: Converntional Commits Error
 delete: ${{ steps.commit-lint.conclusion != 'failure' && steps.commit-lint-pr-title.conclusion != 'failure' }}
@@ -192,10 +197,15 @@ jobs:
 major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
 major_tag: ${{ steps.additional_tags.outputs.major_tag }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Merge default and user input changelog types
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 id: merge-changelog-types
 env:
 CHANGELOG_TYPES: ${{ inputs.changelog_types }}
@@ -225,7 +235,7 @@ jobs:
 core.setOutput("changelog-types-json", JSON.stringify(changelogTypes));
- - uses: google-github-actions/release-please-action@v3
+ - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13
 id: release
 with:
 default-branch: ${{ github.event.repository.default_branch }}
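Review bot: `egress-policy: audit` on the Harden Runner step added in the `@@ -192,10 +197,15 @@` hunk is the weakest setting for this particular job, because later steps of the same job (visible in the following hunks) check out with `secrets.RELEASE_TOKEN` and import `secrets.RELEASE_ACTOR_GPG_PRIVATE_KEY`; audit mode only logs outbound connections, so a compromised action or dependency in this job could still exfiltrate the signing key. Even if the lint jobs stay in audit, this release job deserves `egress-policy: block` with an `allowed-endpoints:` list (the audit log from a few runs gives you the exact set; `github.com:443` and `api.github.com:443` are the obvious entries) and `disable-sudo: true`. The job's remaining steps continue outside this hunk.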
@@ -241,7 +251,7 @@ jobs:
 - name: Checkout Release Branch
 if: ${{ steps.release.outputs.pr != '' }}
 id: checkout-release-branch
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7.1.1
 with:
 ref: ${{ fromJson(steps.release.outputs.pr).headBranchName }}
 token: ${{ secrets.RELEASE_TOKEN }}
@@ -250,7 +260,7 @@ jobs:
 - name: Import GPG key
 id: key-import
 if: ${{ steps.checkout-release-branch.conclusion == 'success' }}
- uses: crazy-max/ghaction-import-gpg@v6.1.0
+ uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
 with:
 gpg_private_key: ${{ secrets.RELEASE_ACTOR_GPG_PRIVATE_KEY }}
 passphrase: ${{ secrets.RELEASE_ACTOR_GPG_PASSPHRASE }}
@@ -269,7 +279,7 @@ jobs:
 - name: Create additional tags
 if: steps.release.outputs.release_created
 id: additional_tags
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 MAJOR: ${{ steps.release.outputs.major }}
 MINOR: ${{ steps.release.outputs.minor }}
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index 2583ec7..462fca7 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -44,6 +44,11 @@ jobs:
 scan:
 runs-on: ${{ inputs.runs-on }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - name: Setup
 shell: bash
 run: |-
@@ -55,12 +60,12 @@ jobs:
 npm i js-yaml spdx-expression-parse
 - name: Checkout Source
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 path: ${{ env.SCAN_TEMP }}/src
 - name: Checkout Configs
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 repository: circlefin/circle-public-github-workflows
 ref: stable
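Review bot: The version comment on the new `uses:` line in the `@@ -241,7 +251,7 @@` hunk reads `# v4.1.7.1.1`, which is not a real actions/checkout version; the SHA `692973e…` is the same one every other hunk in this change labels `# v4.1.7`, so the trailing `.1.1` is a leftover from the old `@v4.1.1` pin and the line should be `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`. This is more than cosmetic: Dependabot, Renovate and pin-checking tools read that comment to track and bump SHA pins, so a malformed one can leave this step stranded while its siblings get updated. The step continues past the hunk (`with:`/`ref:`/`token:` are context), and because it checks out with `secrets.RELEASE_TOKEN` it is one of the steps where a stale pin matters most.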
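Review bot: In the `@@ -44,6 +44,11 @@` pr-scan hunk the Harden Runner step is added to a job whose runner is caller-supplied (`runs-on: ${{ inputs.runs-on }}`, context line above the insert), but per its documentation step-security/harden-runner supports only GitHub-hosted Ubuntu runners (plus ARC self-hosted runners on the enterprise tier) — on a macOS or Windows label, or an unsupported self-hosted runner, the step fails and takes the whole scan job with it; confirm against the v2.9.1 README. If callers may pass anything other than an Ubuntu label, guard the step, e.g. `if: startsWith(inputs.runs-on, 'ubuntu')`, or document the constraint on the `runs-on` input. The same `egress-policy: audit` caveat applies here as elsewhere: it observes outbound traffic, it does not block it.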
@@ -69,7 +74,7 @@ jobs:
 config/scan
 - name: Configure dependency review
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 id: config
 env:
 SEVERITY: ${{ inputs.fail_on_severity }}
@@ -166,7 +171,7 @@ jobs:
 core.setOutput("config-file", licenseCfgFile);
 - name: Pull Request Dependency license check
- uses: actions/dependency-review-action@v4
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
 if: >
 steps.config.outcome == 'success' &&
 steps.config.outputs.is-pr == 'true'
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..0da569e
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+ with:
+ sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..cba0860
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
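Review bot: The `push:` trigger in the new scorecards.yml is hard-coded to `branches: ["master"]`, whereas every other workflow touched by this change derives the branch from `github.event.repository.default_branch`; if this repository's default branch is not literally `master`, the push-triggered analysis never fires and only the weekly cron and `branch_protection_rule` events keep the results fresh. Since Scorecard only analyses the default branch anyway (as the file's own comment on `branch_protection_rule` says), either confirm the name matches or make the dependency explicit above the trigger: `# Must match the repository's default branch; Scorecard analyses only that branch.` The rest of the workflow is in good shape — top-level `permissions: read-all`, `persist-credentials: false` on checkout, every action pinned by SHA — though the same `egress-policy: audit` observe-only caveat applies to its Harden Runner step as to the others.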
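Review bot: The new `.pre-commit-config.yaml` pins both hooks by tag (`rev: v8.16.3`, `rev: v4.4.0`) in a commit whose whole point is moving from mutable tags to immutable commit SHAs; pre-commit accepts a full SHA in `rev:`, so the same standard can apply here, e.g. `rev: <full-sha>  # v8.16.3`. Both tags also appear noticeably older than the mid-2024 action pins elsewhere in this change — worth refreshing while pinning, but verify current releases rather than taking this note's word for it. Keep in mind that pre-commit hooks run only on developer machines that installed them, so the gitleaks hook here is a convenience rather than an enforcement control unless a CI job runs gitleaks as well, and none of the workflows in this diff does.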