[StepSecurity] Apply security best practices

.github/workflows/actions-lint.yaml

@@ -23,10 +23,15 @@ jobs:
   lint_validate_actions:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Checkout Actoinlint Configs
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: circlefin/circle-public-github-workflows
           ref: stable
@@ -48,6 +53,6 @@ jobs:
           ./actionlint -color -shellcheck="" --config-file .actionlint/config/linters/actionlint.yaml
 
       - name: json-yaml-validate
-        uses: GrantBirki/[email protected]
+        uses: GrantBirki/json-yaml-validate@3a3d883daf915618a7503a2e9c04b8e57130a4b8 # v3.0.0
         with:
           comment: true

.github/workflows/attach-release-assets.yaml

@@ -65,8 +65,13 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: Download all build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         if: inputs.artifact_file_globs != ''
         id: download-artifacts
         with:
@@ -89,7 +94,7 @@ jobs:
           echo "tag=${TAG}" >> ${GITHUB_OUTPUT}
 
       - name: Generate SBOM from Dependency Graph
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         if: inputs.generate_sbom
         env:
           RELEASE_TAG: ${{ steps.setup.outputs.tag }}
@@ -110,7 +115,7 @@ jobs:
             }
 
       - name: Find matching files in build artifacts
-        uses: tj-actions/glob@v22
+        uses: tj-actions/glob@2944188f585a0ec102a6a82d9eeb3aed69785393 # v22.0.1
         if: steps.download-artifacts.conclusion == 'success'
         id: glob
         with:
@@ -146,7 +151,7 @@ jobs:
           sha256sum * | tee ${MANIFEST_FILENAME}
 
       - name: Attach assets to release
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           RELEASE_TAG: ${{ steps.setup.outputs.tag }}
         with:

.github/workflows/conventional-commit-release.yaml

@@ -107,6 +107,11 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: Calculate Fetch Depth
         if: inputs.lint_commits
         id: fetch-depth
@@ -115,15 +120,15 @@ jobs:
       - name: Checkout repo
         if: steps.fetch-depth.conclusion == 'success'
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: ${{ steps.fetch-depth.outputs.depth }}
 
       - name: Fetch base ref
         if: steps.checkout.conclusion == 'success'
         run: git fetch origin ${{ github.base_ref }}:refs/remotes/origin/${{ github.base_ref }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20.x
 
@@ -132,7 +137,7 @@ jobs:
           npm install -g @commitlint/{cli,config-conventional}@^18.6.0
 
       - name: Configure commitlint
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           ALLOWED_SCOPES: ${{ inputs.allowed_scopes }}
           ALLOWED_SUBJECT_CASES: ${{ inputs.allowed_subject_cases }}
@@ -172,7 +177,7 @@ jobs:
 
       - name: Comment on Pull Request on Error
         if: always()
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
         with:
           header: Converntional Commits Error
           delete: ${{ steps.commit-lint.conclusion != 'failure' && steps.commit-lint-pr-title.conclusion != 'failure' }}
@@ -192,10 +197,15 @@ jobs:
       major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
       major_tag: ${{ steps.additional_tags.outputs.major_tag }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Merge default and user input changelog types
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: merge-changelog-types
         env:
           CHANGELOG_TYPES: ${{ inputs.changelog_types }}
@@ -225,7 +235,7 @@ jobs:
 
             core.setOutput("changelog-types-json", JSON.stringify(changelogTypes));
 
-      - uses: google-github-actions/release-please-action@v3
+      - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13
         id: release
         with:
           default-branch: ${{ github.event.repository.default_branch }}
@@ -241,7 +251,7 @@ jobs:
       - name: Checkout Release Branch
         if: ${{ steps.release.outputs.pr != '' }}
         id: checkout-release-branch
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7.1.1
         with:
           ref: ${{ fromJson(steps.release.outputs.pr).headBranchName }}
           token: ${{ secrets.RELEASE_TOKEN }}
@@ -250,7 +260,7 @@ jobs:
       - name: Import GPG key
         id: key-import
         if: ${{ steps.checkout-release-branch.conclusion == 'success' }}
-        uses: crazy-max/[email protected]
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
         with:
           gpg_private_key: ${{ secrets.RELEASE_ACTOR_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.RELEASE_ACTOR_GPG_PASSPHRASE }}
@@ -269,7 +279,7 @@ jobs:
       - name: Create additional tags
         if: steps.release.outputs.release_created
         id: additional_tags
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         env:
           MAJOR: ${{ steps.release.outputs.major }}
           MINOR: ${{ steps.release.outputs.minor }}

.github/workflows/pr-scan.yaml

@@ -44,6 +44,11 @@ jobs:
   scan:
     runs-on: ${{ inputs.runs-on }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: Setup
         shell: bash
         run: |-
@@ -55,12 +60,12 @@ jobs:
           npm i js-yaml spdx-expression-parse
 
       - name: Checkout Source
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           path: ${{ env.SCAN_TEMP }}/src
 
       - name: Checkout Configs
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: circlefin/circle-public-github-workflows
           ref: stable
@@ -69,7 +74,7 @@ jobs:
             config/scan
 
       - name: Configure dependency review
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: config
         env:
           SEVERITY: ${{ inputs.fail_on_severity }}
@@ -166,7 +171,7 @@ jobs:
             core.setOutput("config-file", licenseCfgFile);
 
       - name: Pull Request Dependency license check
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
         if: >
           steps.config.outcome == 'success' &&
           steps.config.outputs.is-pr == 'true'

.github/workflows/scorecards.yml

@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        with:
+          sarif_file: results.sarif

.pre-commit-config.yaml

@@ -0,0 +1,10 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace