From 46dcfd98efc740baab01b6c1c6f10ef27dcdd961 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 24 Jan 2024 14:05:22 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql-analysis.yml | 15 +++++++++++----
 .github/workflows/label.yml | 5 ++++-
 .github/workflows/lint.yml | 6 +++---
 .github/workflows/release.yml | 14 ++++++++++++--
 .github/workflows/test.yml | 4 ++--
 Dockerfile | 6 +++---
 6 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ce0e443dc..50be0cfb3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,8 +21,15 @@ on:
 schedule:
 - cron: '42 18 * * 0'
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 name: Analyze
 runs-on: ubuntu-20.04
@@ -36,11 +43,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +58,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
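Review bot: The comment on the added `security-events: write` line credits github/codeql-action/autobuild with needing it, but autobuild only compiles the project; the step that uploads results to code scanning, and therefore needs write access to security events, is github/codeql-action/analyze, pinned in the last hunk of this file at the start of the next patch line. Suggest `security-events: write # for github/codeql-action/analyze to upload code-scanning results` so the next reader does not remove the permission when the autobuild step is dropped, as the later comment in this file invites. The `actions: read` and `contents: read` comments are accurate. The enclosing `analyze` job continues past the end of the hunk.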
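Review bot: The SHA pins introduced on the `uses: actions/checkout@f43a0e5…` and `uses: github/codeql-action/init@4759df8…` lines, and in the same way in every other hunk of this patch (the autobuild and analyze pins below, label.yml, lint.yml, release.yml, test.yml, and the three `@sha256:` image digests in the Dockerfile), freeze each dependency at one commit or image manifest, so none of them will receive fixes until something rewrites the pin; the diffstat shows no Dependabot or Renovate configuration added alongside. If the repository does not already carry one, a `.github/dependabot.yml` covering the `github-actions` and `docker` ecosystems would keep the pins current while maintaining the `# v3.6.0`-style comments that the update tooling relies on to show the human-readable version. For the image digests note that once `@sha256:` is present the tag in `golang:1.19-alpine@sha256:…` is informational only and the digest decides what is pulled, so tag and digest must always be moved together.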
@@ -65,4 +72,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@4759df8df70c5ebe7042c3029bbace20eee13edd # v2.23.1
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index 12fc3293c..522573094 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -4,6 +4,9 @@ on:
 types: [ opened ]
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 label:
 permissions:
@@ -11,6 +14,6 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - uses: actions/labeler@v4
+ - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index cc2b79b92..aefc3059a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,12 +13,12 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@v3
+ - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
 with:
 go-version: 1.19
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
 with:
 version: latest
 args: --verbose --max-same-issues=0 --max-issues-per-linter=0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ca52ab73c..57673b2af 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,12 +3,22 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 semantic-release:
+ permissions:
+ contents: write # for codfish/semantic-release-action to create release tags
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: codfish/semantic-release-action@v2
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: codfish/semantic-release-action@3607258ae5976084750909dbda50a850cb76ec3a # v2.2.1
 id: semantic
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e82561596..899c0d07e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,10 +13,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Install Go
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
 with:
 go-version: 1.20.x
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Test
 run: go test ./...
diff --git a/Dockerfile b/Dockerfile
index a391e6168..effca1afd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.3.1-labs
-FROM --platform=linux/amd64 golang:1.19-alpine AS build
+FROM --platform=linux/amd64 golang:1.19-alpine@sha256:0ec0646e208ea58e5d29e558e39f2e59fccf39b7bda306cb53bbaff91919eca5 AS build
 ARG TARGETOS
 ARG TARGETARCH
@@ -38,7 +38,7 @@ COPY --from=build /bin/gomplate_${TARGETOS}-${TARGETARCH}${TARGETVARIANT} /gompl
 ENTRYPOINT [ "/gomplate" ]
-FROM alpine:3.16 AS gomplate-alpine
+FROM alpine:3.16@sha256:e4cdb7d47b06ba0a062ad2a97a7d154967c8f83934594d9f2bd3efa89292996b AS gomplate-alpine
 ARG VCS_REF
 ARG TARGETOS
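Review bot: The added `egress-policy: audit` on the Harden Runner step only records the job's outbound connections; it blocks nothing, so the release job — the one job in this patch granted `contents: write` and the one whose `GITHUB_TOKEN` is handed to a third-party action — gains visibility but no enforcement from this change. Once a few audited runs have shown the endpoints the job actually needs, the step can move to `egress-policy: block` with an `allowed-endpoints:` list; that follow-up is worth noting in the workflow so audit mode is not mistaken for a control. Harden Runner is added only to release.yml here, so the other workflows touched by this patch would benefit from the same step, with its `step-security/harden-runner` pin kept in sync. The `semantic-release` job appears to continue beyond the end of the hunk.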
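Review bot: The `uses: actions/setup-go@bfdd3570… # v2.2.0` and `uses: actions/checkout@ee0669bd… # v2.7.0` lines pin a different major of the same two actions than lint.yml does in this patch, where they are pinned at `actions/setup-go@6edd4406… # v3.5.0` and `actions/checkout@f43a0e5… # v3.6.0`. A SHA pin freezes the major as well as the patch level, so introducing the pins is the natural moment to align test.yml on the v3 pins already used in lint.yml rather than carrying two pinned copies of each action that must be tracked separately. If v2 is retained deliberately, a short comment on these lines saying why would save the next reader the question.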
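Review bot: The build frontend named on the context line `# syntax=docker/dockerfile:1.3.1-labs` is also an image pulled from a registry at build time, yet it stays tag-only while the `FROM` lines in this hunk and the two that follow gain `@sha256:` digests. BuildKit resolves that directive as an ordinary image reference, so the same treatment should apply: `# syntax=docker/dockerfile:1.3.1-labs@sha256:<FRONTEND_DIGEST>` (placeholder — take the value from the registry), or, if no `-labs` syntax is actually used in this file, the experimental frontend could be dropped in favour of the stable one. Without this, the digest pinning covers the stages but not the tool that interprets them. The `build` stage continues beyond the hunk.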
@@ -53,7 +53,7 @@ COPY --from=build /bin/gomplate_${TARGETOS}-${TARGETARCH}${TARGETVARIANT} /bin/g
 ENTRYPOINT [ "/bin/gomplate" ]
-FROM --platform=windows/amd64 mcr.microsoft.com/windows/nanoserver:2009 AS gomplate-windows
+FROM --platform=windows/amd64 mcr.microsoft.com/windows/nanoserver:2009@sha256:70ad3c3f156b1002a6a642d3c3b769264f9ca166f57eab62051f59c0dbe20a0f AS gomplate-windows
 ARG TARGETOS
 ARG TARGETARCH
 ARG TARGETVARIANT