Harden GitHub Actions workflows and actions (#945)

grafana · Jan 14, 2025 · cf72765 · cf72765
1 parent 274083c
commit cf72765
Show file tree

Hide file tree

Showing 16 changed files with 129 additions and 118 deletions.
diff --git a/.github/workflows/add-to-docs-project.yml b/.github/workflows/add-to-docs-project.yml
@@ -13,22 +13,24 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@97c6f45f01d4bca8a3b1acfe397113ce88858a81 # get-vault-secrets-v1.0.1
         with:
           common_secrets: |
             ISSUE_COMMANDS_APP_ID=docs-team/issue-commands:app-id
             ISSUE_COMMANDS_PRIVATE_KEY=docs-team/issue-commands:key
 
-      - uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
         id: app-token
         with:
           app-id: ${{ env.ISSUE_COMMANDS_APP_ID }}
           owner: grafana
           private-key: ${{ env.ISSUE_COMMANDS_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: npm
           node-version-file: "add-to-docs-project/package.json"
@@ -45,7 +47,7 @@ jobs:
       - name: Send Slack Message
         id: slack
         if: ${{ steps.add-to-docs-project.outputs.added != ''}}
-        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
+        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 # v1.0.0
         with:
           channel-id: C05V6A36MB7
           payload: |
@@ -64,7 +66,7 @@ jobs:
 
       - name: Notify failure
         if: failure()
-        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 #v1.0.0
+        uses: grafana/shared-workflows/actions/send-slack-message@7b628e7352c2dea057c565cc4fcd5564d5f396c0 # v1.0.0
         with:
           channel-id: C05V6A36MB7
           payload: |

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
diff --git a/.github/workflows/deploy-pr-preview.yml b/.github/workflows/deploy-pr-preview.yml
@@ -11,8 +11,8 @@ on:
 
 jobs:
   deploy-pr-preview:
-    if: ! github.event.pull_request.head.repo.fork
     uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main
+    if: ${{ ! github.event.pull_request.head.repo.fork }}
     with:
       sha: ${{ github.event.pull_request.head.sha }}
       branch: ${{ github.head_ref }}

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -34,18 +34,17 @@ on:
 env:
   CLOUD_RUN_REGION: us-south1
 
-permissions:
-  id-token: write # Needed for authentication.
-  statuses: write # Needed to send deploy preview link as a commit status.
-  pull-requests: write # Needed to add/update a comment with the deploy preview link.
-
 concurrency:
   group: ${{ github.workflow }}-${{ inputs.repo }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
   deploy-preview:
-    permissions: write-all
+    permissions:
+      contents: read
+      id-token: write # Fetch Vault secrets.
+      pull-requests: write # Create or update PR comments.
+      statuses: write # Update GitHub status check with deploy preview link.
     runs-on: ubuntu-latest
     steps:
       - name: Find comment
@@ -70,6 +69,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: github.event.action == 'opened' || github.event.action == 'synchronize'
         with:
+          persist-credentials: false
           sparse-checkout-cone-mode: false # exclude root files
           sparse-checkout: docs
 
@@ -81,6 +81,7 @@ jobs:
           repository: "grafana/writers-toolkit"
           ref: "main"
           path: deploy-preview-files
+          persist-credentials: false
           sparse-checkout: |
             deploy-preview
 
@@ -89,11 +90,13 @@ jobs:
       - name: Keep only necessary files
         if: github.event.action == 'opened' || github.event.action == 'synchronize'
         shell: bash
+        env:
+          SOURCE_DIRECTORY: ${{ inputs.source_directory }}
         run: |
           shopt -s extglob
           rm -rf !(docs|deploy-preview-files|.git)
           ls -al
-          ls -al ${{ inputs.source_directory }}
+          ls -al "${SOURCE_DIRECTORY}"
           ls -al deploy-preview-files
 
       - name: Build website
@@ -110,8 +113,10 @@ jobs:
       - name: Print build header value
         if: github.event.action == 'opened' || github.event.action == 'synchronize'
         shell: bash
+        env:
+          SHA: ${{ inputs.sha }}
         run: |
-          printf "%s" "add_header 'Build' '"${{ inputs.sha }}"';" > build.conf
+          printf "%s" "add_header 'Build' '"${SHA}"';" > build.conf
 
       - uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
         if: github.event.action == 'opened' || github.event.action == 'synchronize'
@@ -144,6 +149,7 @@ jobs:
         if: github.event.action == 'opened' || github.event.action == 'synchronize'
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
         with:
+          cache-binary: false
           driver: docker-container
 
       - name: Build the container
@@ -181,8 +187,11 @@ jobs:
 
       - name: Delete deploy preview
         if: github.event.action == 'closed'
+        env:
+          REPO: ${{ inputs.repo }}
+          EVENT_NUMBER: ${{ inputs.event_number }}
         run: |
-          SERVICE_NAME=deploy-preview-${{ inputs.repo }}-${{ inputs.event_number }}
+          SERVICE_NAME="deploy-preview-${REPO}-${EVENT_NUMBER}"
           if gcloud run services describe $SERVICE_NAME --region=${{ env.CLOUD_RUN_REGION }} --project=grafanalabs-dev > /dev/null 2>&1; then
             gcloud run services delete $SERVICE_NAME --region=${{ env.CLOUD_RUN_REGION }} --project=grafanalabs-dev --quiet
           else

diff --git a/.github/workflows/dictionaries.yml b/.github/workflows/dictionaries.yml
@@ -1,26 +1,22 @@
 name: Rebuild the dictionaries on a branch
 on:
   workflow_dispatch:
-    inputs:
-      trace:
-        default: false
-        description: Print command traces?
-        required: false
-        type: boolean
 jobs:
   main:
     if: ${{ github.repository == 'grafana/writers-toolkit' }}
     container:
       image: bitnami/jsonnet@sha256:3d8b084da1b74f5d38bc35e1ebf02f4a57c0410ec59d4edbc25dd2fec5f5541c
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - working-directory: vale/dictionaries
         run: |
           set -euf -o pipefail
 
-          if ${{ inputs.trace }}; then
+          if [[ -n "${RUNNER_DEBUG+x}" ]]; then
             set -x
           fi
 

diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
@@ -5,20 +5,22 @@ on:
     branches:
       - main
   workflow_dispatch:
-permissions:
-  contents: read
-  id-token: write
 
 jobs:
   build:
     if: ${{ github.repository == 'grafana/writers-toolkit' }}
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - id: push-to-dockerhub
-        uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main
+        uses: grafana/shared-workflows/actions/build-push-to-dockerhub@45747d11c20341064eab8c186e00a46d20ba4e73 # build-push-to-dockerhub-v0.1.0
         with:
           context: vale
           platforms: linux/amd64,linux/arm64

diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
@@ -1,18 +1,11 @@
 name: Run `prettier` on a branch
 on:
   workflow_dispatch:
-    inputs:
-      trace:
-        default: false
-        description: Print command traces?
-        required: false
-        type: boolean
 jobs:
   prettier:
     if: ${{ github.repository == 'grafana/writers-toolkit' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: grafana/writers-toolkit/prettier@main
+      - uses: grafana/writers-toolkit/prettier@62fe122eb653707d1c49bc0e41cf4b9704c9064b # prettier/v2.0.0 
         with:
           branch: ${{ env.GITHUB_REF }}
-          trace: ${{ inputs.trace }}
diff --git a/.github/workflows/publish-technical-documentation.yml b/.github/workflows/publish-technical-documentation.yml
@@ -15,7 +15,9 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ./publish-technical-documentation
         with:
           website_directory: content/docs/writers-toolkit
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -9,10 +9,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: 1.21
 
@@ -24,7 +26,7 @@ jobs:
         run: ./tools/review ./docs/sources | head -n 3 > .to-review.txt
 
       - name: Create issues
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const fs = require('fs')

diff --git a/.github/workflows/test-publish-technical-documentation-release.yml b/.github/workflows/test-publish-technical-documentation-release.yml
@@ -22,9 +22,10 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: ./publish-technical-documentation-release
         with:
           release_tag_regexp: "^test/publish-technical-documentation-release/v(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)\\.(0|[1-9][0-9]*)$"

diff --git a/.github/workflows/vale.yml b/.github/workflows/vale.yml
@@ -9,7 +9,7 @@ jobs:
     container:
       image: grafana/vale:latest
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           # Not a separate file because then it doesn't have to wait for a checkout to be run.
           script: |
@@ -19,16 +19,19 @@ jobs:
               comment_id: context.payload.comment.id,
               content: 'eyes',
             });
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           ref: refs/pull/${{ github.event.issue.number }}/head
-      - uses: actions/github-script@v7
+
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         id: from-comment
         with:
           script: |
             const script = require('./.github/workflows/from-comment.js');
 
             await script({ core, context, github });
+
       - name: Run linter
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}