From 00116a255bacd7125232ec7d474e364d814c8d0a Mon Sep 17 00:00:00 2001
From: Mark Ridgwell
Date: Sun, 7 Apr 2024 15:50:30 +0100
Subject: [PATCH] Hardened security?
---
 .github/workflows/approve-dependabot.yml | 19 +++
 .../build-and-publish-pre-release.yml | 17 +++
 .../workflows/build-and-publish-release.yml | 17 +++
 .../create-prs-for-stale-branches.yml | 17 +++
 .github/workflows/dependabot.yml | 18 +++
 .github/workflows/dotnet-version.yml | 17 +++
 .github/workflows/merge-dependabot.yml | 18 +++
 .github/workflows/on-pr-closed.yml | 17 +++
 .github/workflows/pr-lint.yml | 139 +++++++++++++++++-
 .github/workflows/pr-update.yml | 57 ++++++-
 .github/workflows/pull-request.yml | 17 +++
 .github/workflows/reformat-sql.yml | 17 +++
 .github/workflows/reformat-yaml.yml | 17 +++
 .github/workflows/update-labels.yml | 19 +++
 14 files changed, 404 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml
index 2eaaa2f5..e53a99db 100644
--- a/.github/workflows/approve-dependabot.yml
+++ b/.github/workflows/approve-dependabot.yml
@@ -28,6 +28,25 @@ jobs:
 # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.
 steps:
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
+ #egress-policy: audit
+
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
diff --git a/.github/workflows/build-and-publish-pre-release.yml b/.github/workflows/build-and-publish-pre-release.yml
index 87a5fc9f..d7f7faee 100644
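Review bot: With `egress-policy: audit` the `allowed-endpoints` list added here is only reported against, not enforced, so outbound connections to hosts outside the list still succeed; the same audit-plus-allowlist pairing is repeated in every other workflow in this patch, so none of them actually restricts egress yet. The list (api.osv.dev, api.securityscorecards.dev, oss-fuzz-build-logs.storage.googleapis.com, www.bestpractices.dev, the sigstore hosts) reads like a Scorecard-style template rather than what these dependabot, labeler and build jobs contact, so switching to `egress-policy: block` without first pruning the list from the audit reports would likely break the jobs while still allowlisting hosts they never use. The trailing `#egress-policy: audit` line after the step is dead text and should be dropped. Since this is the step that does the hardening, pinning it by commit rather than tag, `uses: step-security/harden-runner@<commit-sha> # v2.7.0`, would stop a moved tag from changing what runs first in every job.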
--- a/.github/workflows/build-and-publish-pre-release.yml
+++ b/.github/workflows/build-and-publish-pre-release.yml
@@ -30,6 +30,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/build-and-publish-release.yml b/.github/workflows/build-and-publish-release.yml
index 440302a3..7812fabf 100644
--- a/.github/workflows/build-and-publish-release.yml
+++ b/.github/workflows/build-and-publish-release.yml
@@ -25,6 +25,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/create-prs-for-stale-branches.yml b/.github/workflows/create-prs-for-stale-branches.yml
index c87466e1..954a7696 100644
--- a/.github/workflows/create-prs-for-stale-branches.yml
+++ b/.github/workflows/create-prs-for-stale-branches.yml
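Review bot: The harden-runner step is inserted after `run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"`, so the Initialise Workspace step runs before egress monitoring and `disable-sudo: true` take effect, and the action's README places it as the first step of a job. The same placement is used in build-and-publish-release.yml, create-prs-for-stale-branches.yml, dependabot.yml, dotnet-version.yml, merge-dependabot.yml (where the Info github-script step also precedes it), every job in pr-lint.yml and pr-update.yml, pull-request.yml, reformat-sql.yml, reformat-yaml.yml and update-labels.yml; only approve-dependabot.yml and on-pr-closed.yml put it first. If the chown genuinely has to precede it because sudo is disabled from that point on, say so at the step, e.g. `# runs after the workspace chown on purpose: disable-sudo applies to every later step`, otherwise move it to the top of `steps:`. The enclosing job definition starts outside the hunk.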
@@ -70,6 +70,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 5e0a6ec3..7725b762 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -20,6 +20,24 @@ jobs:
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Rebase"
 uses: bbeesley/gha-auto-dependabot-rebase@v1.3.345
 env:
diff --git a/.github/workflows/dotnet-version.yml b/.github/workflows/dotnet-version.yml
index 078c6e39..4f8cedb1 100644
--- a/.github/workflows/dotnet-version.yml
+++ b/.github/workflows/dotnet-version.yml
@@ -26,6 +26,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/merge-dependabot.yml b/.github/workflows/merge-dependabot.yml
index a14c544a..9911a6d3 100644
--- a/.github/workflows/merge-dependabot.yml
+++ b/.github/workflows/merge-dependabot.yml
@@ -44,6 +44,24 @@ jobs:
 with:
 script: |
 core.info('Owner: ${{github.repository_owner}}');
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Auto-Merge"
 if: github.repository_owner == 'funfair-tech'
 uses: pascalgn/automerge-action@v0.16.2
diff --git a/.github/workflows/on-pr-closed.yml b/.github/workflows/on-pr-closed.yml
index e1fda8ae..0beddbb5 100644
--- a/.github/workflows/on-pr-closed.yml
+++ b/.github/workflows/on-pr-closed.yml
@@ -9,6 +9,23 @@ jobs:
 cleanup-cache:
 runs-on: [self-hosted, linux]
 steps:
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Install extensions"
 run: gh extension install actions/gh-actions-cache
 env:
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 971ce8d6..85e65139 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -90,6 +90,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
@@ -204,6 +221,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
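Review bot: This job runs on `runs-on: [self-hosted, linux]`, and as far as I know the harden-runner v2 action is documented for GitHub-hosted runners (self-hosted coverage is a separate runner-scale-set offering), so the step may fail or do nothing on this runner; worth confirming on an actual run before treating the job as hardened. If it does work here, `disable-sudo: true` on a persistent machine deserves a note that the later `gh extension install` step and any cache cleanup must not need sudo. A short comment on the step, `# self-hosted pool: harden-runner support verified on <date>`, would record the check. The enclosing job continues outside the hunk.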
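Review bot: The 16-line harden-runner block is pasted verbatim into eight jobs in this file (hunks at +90, +221, +263, +297, +331, +366, +412, +448) and fifteen more times across the other workflows, so any change to the endpoint list or the action version has to be repeated 23 times and the copies will drift. A composite action or a reusable workflow in this repository that wraps the step would keep one copy; failing that, a comment on the first copy recording where the endpoint list came from and when it was last checked, e.g. `# endpoint list: <source/date placeholder> — compare against the harden-runner audit report before switching to block`, would help the next maintainer. The enclosing job starts outside the hunk.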
@@ -229,6 +263,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
@@ -246,6 +297,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
@@ -263,6 +331,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
@@ -281,7 +366,25 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- - uses: credfeto/action-repo-visibility@v1.2.0
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
+ - name: "Check repo visibility"
+ uses: credfeto/action-repo-visibility@v1.2.0
 id: visibility
 with:
 # optional parameter defaults to the current repo
@@ -309,6 +412,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
@@ -328,6 +448,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml
index 09533119..a9b7744d 100644
--- a/.github/workflows/pr-update.yml
+++ b/.github/workflows/pr-update.yml
@@ -23,6 +23,24 @@ jobs:
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Info"
 uses: actions/github-script@v7.0.1
 with:
@@ -45,7 +63,26 @@ jobs:
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- - uses: actions/labeler@v5
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
+ - name: "Add Labels"
+ uses: actions/labeler@v5
 with:
 repo-token: ${{secrets.SOURCE_PUSH_TOKEN}}
 configuration-path: .github/labeler.yml
@@ -62,6 +99,24 @@ jobs:
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Assign PR to the creator"
 uses: thomaseizinger/assign-pr-creator-action@v1.0.0
 with:
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 6b200317..4b3b81cf 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -50,6 +50,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/reformat-sql.yml b/.github/workflows/reformat-sql.yml
index fc9a1ad7..199b58df 100644
--- a/.github/workflows/reformat-sql.yml
+++ b/.github/workflows/reformat-sql.yml
@@ -32,6 +32,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/reformat-yaml.yml b/.github/workflows/reformat-yaml.yml
index 125f616e..c34d5936 100644
--- a/.github/workflows/reformat-yaml.yml
+++ b/.github/workflows/reformat-yaml.yml
@@ -33,6 +33,23 @@ jobs:
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml
index f5e180f7..84a0b1b1 100644
--- a/.github/workflows/update-labels.yml
+++ b/.github/workflows/update-labels.yml
@@ -21,12 +21,31 @@ jobs:
 - name: "Initialise Workspace"
 shell: bash
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+
+ - name: "Harden Security"
+ uses: step-security/harden-runner@v2.7.0
+ with:
+ egress-policy: audit
+ disable-sudo: true
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ codeload.github.com:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
+
 - name: "Checkout Source"
 uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 0
 fetch-tags: true
 token: ${{secrets.SOURCE_PUSH_TOKEN}}
+
 - name: "Update Github label config"
 if: success()
 uses: crazy-max/ghaction-github-labeler@v5.0.0