Skip to content

Commit

Permalink
Hardened security?
Browse files Browse the repository at this point in the history
  • Loading branch information
credfeto committed Apr 7, 2024
1 parent 0b46dae commit 00116a2
Show file tree
Hide file tree
Showing 14 changed files with 404 additions and 2 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/approve-dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,25 @@ jobs:
# Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.

steps:
- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
#egress-policy: audit

- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/build-and-publish-pre-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/build-and-publish-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/create-prs-for-stale-branches.yml
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down
18 changes: 18 additions & 0 deletions .github/workflows/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,24 @@ jobs:
- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Rebase"
uses: bbeesley/[email protected]
env:
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/dotnet-version.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down
18 changes: 18 additions & 0 deletions .github/workflows/merge-dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,24 @@ jobs:
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Auto-Merge"
if: github.repository_owner == 'funfair-tech'
uses: pascalgn/[email protected]
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/on-pr-closed.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,23 @@ jobs:
cleanup-cache:
runs-on: [self-hosted, linux]
steps:
- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Install extensions"
run: gh extension install actions/gh-actions-cache
env:
Expand Down
139 changes: 138 additions & 1 deletion .github/workflows/pr-lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down Expand Up @@ -204,6 +221,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand All @@ -229,6 +263,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand All @@ -246,6 +297,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand All @@ -263,6 +331,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand All @@ -281,7 +366,25 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- uses: credfeto/[email protected]
- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Check repo visibility"
uses: credfeto/[email protected]
id: visibility
with:
# optional parameter defaults to the current repo
Expand Down Expand Up @@ -309,6 +412,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand All @@ -328,6 +448,23 @@ jobs:
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout Source"
uses: actions/[email protected]
with:
Expand Down
Loading

0 comments on commit 00116a2

Please sign in to comment.