[StepSecurity] Apply security best practices

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @jaybuidl. Please merge the Pull Request to incorporate the requested changes. Please tag @jaybuidl on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Secure Dockerfiles

Pin image tags to digests in Dockerfiles. With the Docker v2 API release, it became possible to use digests in place of tags when pulling images or to use them in FROM lines in Dockerfiles.

• The Open Source Security Foundation (OpenSSF) Security Guide

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

---

PR-Codex overview

This PR updates the base Dockerfile and modifies the GitHub Actions workflow by changing the versions of several actions used in the CI/CD process, enhancing security and compatibility.

Detailed summary

• Updated FROM statement in services/bots/base/Dockerfile to use node:20-alpine.
• Changed harden-runner version to 91182cccc01eb5e619899d80e4e971d6181294a7.
• Updated setup-node action to 39370e3970a6d050c480ffad4ff0ed4d3fdee5af.
• Modified checkout action to 11bd71901bbe5b1630ceea73d27597364c9af683.
• Changed cache action version to 1bd1e32a3bdc45362d1e726936510720a7c30a57.
• Updated upload-artifact action to b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions versions in the workflow for improved security and functionality.
  • Specified a particular image digest for the Node.js base image in the Dockerfile for consistency in the build environment.
  • Added permissions for read access to contents in the workflow configuration.

[netlify]

✅ Deploy Preview for kleros-v2-testnet ready!

Name	Link
🔨 Latest commit	1fe55c7
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet/deploys/675ca3dccf05500009f966e0
😎 Deploy Preview	https://deploy-preview-1791--kleros-v2-testnet.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-university ready!

Name	Link
🔨 Latest commit	1fe55c7
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-university/deploys/675ca3dc796834000806d2d9
😎 Deploy Preview	https://deploy-preview-1791--kleros-v2-university.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

❌ Deploy Preview for kleros-v2-testnet-devtools failed. Why did it fail? →

Name	Link
🔨 Latest commit	1fe55c7
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet-devtools/deploys/675ca3dc2d044900082d14d1

[netlify]

✅ Deploy Preview for kleros-v2-neo ready!

Name	Link
🔨 Latest commit	1fe55c7
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-neo/deploys/675ca3dc935ac200084f173f
😎 Deploy Preview	https://deploy-preview-1791--kleros-v2-neo.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[coderabbitai]

Walkthrough

The changes in this pull request involve updates to a GitHub Actions workflow and a Dockerfile. In the .github/workflows/contracts-testing.yml file, several GitHub Actions have been updated to specific commit versions, and a permissions section has been added to grant read access to contents. The Dockerfile for a bot service has been modified to use a specific image digest for the Node.js base image, ensuring consistency in the build environment.

Changes

File Path	Change Summary
.github/workflows/contracts-testing.yml	- Added permissions: contents: read - Updated step-security/harden-runner to commit 91182cccc01eb5e619899d80e4e971d6181294a7 - Updated actions/setup-node to commit 39370e3970a6d050c480ffad4ff0ed4d3fdee5af - Updated actions/checkout to commit 11bd71901bbe5b1630ceea73d27597364c9af683 - Updated actions/cache to commit 1bd1e32a3bdc45362d1e726936510720a7c30a57 - Updated actions/upload-artifact to commit b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
services/bots/base/Dockerfile	- Changed base image from node:20-alpine to node:20-alpine@sha256:426f843809ae05f324883afceebaa2b9cab9cb697097dbb1a2a7a41c5701de72

Possibly related PRs

• [StepSecurity] ci: Harden GitHub Actions #1735: The main PR and this retrieved PR both involve updates to GitHub Actions workflows, specifically adding a permissions section and updating action versions, indicating a focus on security and proper access management in CI/CD processes.

🐰 In the garden where actions play,
New versions bloom, brightening the day.
With permissions set, the workflow's tight,
Docker's digest ensures builds are right.
Hops of joy in the code we weave,
Together we build, together we believe! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

.github/workflows/contracts-testing.yml (2)

Line range hint 64-66: Clean up commented code

Remove the commented out parent dependencies installation section if it's no longer needed. If it might be needed later, add a comment explaining why it's preserved.

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

---

45-46: Fix trailing whitespace

Remove trailing whitespace from lines 45, 46, and 48 to maintain consistent formatting.

Also applies to: 48-48

🧰 Tools

🪛 yamllint (1.35.1)

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 69ff44d and 66d0acd.

📒 Files selected for processing (2)

• .github/workflows/contracts-testing.yml (3 hunks)
• services/bots/base/Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• services/bots/base/Dockerfile

🧰 Additional context used

🪛 yamllint (1.35.1)

.github/workflows/contracts-testing.yml

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

🔇 Additional comments (4)

.github/workflows/contracts-testing.yml (4)

Line range hint 13-14: LGTM! Good security practice with minimal permissions

The addition of explicit contents: read permission follows the principle of least privilege, which is a security best practice for GitHub Actions workflows.

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

---

27-27: LGTM! Proper pinning of GitHub Actions

All GitHub Actions have been correctly pinned to specific commit hashes while maintaining version references in comments. This is a security best practice that prevents supply chain attacks through action version tampering.

Also applies to: 43-43, 47-47, 50-50, 81-81

---

Line range hint 27-39: LGTM! Comprehensive egress policy configuration

The harden-runner configuration includes:

• Disabled sudo access
• Blocked egress by default
• Explicit allowlist for required endpoints

This follows security best practices by implementing the principle of least privilege for network access.

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

---

Line range hint 11-12: Consider restricting PR trigger branches

The workflow currently runs on PRs from any branch (branches: ["*"]). Consider restricting this to specific branches or adding pull_request_target with proper safeguards if you need to handle external contributions.

✅ Verification successful

Consider restricting PR trigger branches and enhancing security controls

The workflow has several security considerations that need attention:

• It runs on pull requests from any branch (branches: ["*"]), which could be a security risk
• However, it has proper security controls in place:
  • Uses permissions: contents: read to limit scope
  • Implements Harden Runner with strict egress policies
  • Has proper cache key versioning with CACHE_VERSION secret
  • Uses pinned action versions

Recommendations:

• Restrict PR triggers to specific trusted branches (e.g., branches: [master, dev])
• Keep the existing security controls as they provide good protection

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if there are any other workflow files that might handle external PRs
rg -l 'pull_request_target' .github/workflows/

Length of output: 46

---

Script:

#!/bin/bash
# Check all workflow files for PR triggers and their configurations
rg -A 5 'on:.*pull' .github/workflows/

Length of output: 40

---

Script:

#!/bin/bash
# Let's check the workflow file content directly
cat .github/workflows/contracts-testing.yml

Length of output: 2506

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

[codeclimate]

Code Climate has analyzed commit 1fe55c7 and detected 0 issues on this pull request.

View more on Code Climate.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

.github/workflows/contracts-testing.yml (1)

43-48: Clean up trailing spaces while maintaining secure configuration

The security improvements using commit hashes are excellent. However, there are some minor formatting issues to clean up.

-        node-version: 18.x   
+        node-version: 18.x

🧰 Tools

🪛 yamllint (1.35.1)

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 66d0acd and 1fe55c7.

📒 Files selected for processing (2)

• .github/workflows/contracts-testing.yml (3 hunks)
• services/bots/base/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• services/bots/base/Dockerfile

🧰 Additional context used

🪛 yamllint (1.35.1)

.github/workflows/contracts-testing.yml

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)

.github/workflows/contracts-testing.yml (5)

Line range hint 1-26: LGTM! Well-structured security enhancements

The changes follow security best practices by:

• Explicitly declaring minimal required permissions (contents: read)
• Properly scoping workflow triggers with paths-ignore

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

---

Line range hint 27-42: Excellent security hardening configuration!

The Harden Runner step is well configured with:

• Pinned action to specific commit hash
• Strict egress policy blocking all traffic by default
• Explicit allowlist of required endpoints

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 6 but found 4

(indentation)

---

Line range hint 49-60: LGTM! Secure caching configuration

The cache configuration is well-structured with:

• Pinned action to specific commit hash
• Proper cache key strategy using environment secret
• Appropriate restore-keys fallback

🧰 Tools

🪛 yamllint (1.35.1)

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)

---

81-84: LGTM! Secure artifact upload configuration

The upload-artifact action has been properly secured by pinning to a specific commit hash while maintaining the existing functionality.

🧰 Tools

🪛 yamllint (1.35.1)

[error] 82-82: trailing spaces

(trailing-spaces)

---

[error] 83-83: trailing spaces

(trailing-spaces)

---

Line range hint 1-84: Verify action commit hashes match stated versions

While the security improvements are excellent, let's verify that the commit hashes correspond to their stated versions.

✅ Verification successful

Action commit hashes match their stated versions

Based on the GitHub API responses, all actions are using valid releases that match their stated versions:

• step-security/[email protected] (released Sep 2024)
• actions/[email protected] (released Oct 2024)
• actions/[email protected] (released Oct 2024)
• actions/[email protected] (released Dec 2024)
• actions/[email protected] (released Oct 2024)

All actions are using recent, stable releases with proper version pinning through commit hashes.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the commit hashes match their stated versions
# For each action, we'll check the release tag associated with the commit

# Function to check commit against release
check_commit() {
    local owner=$1
    local repo=$2
    local commit=$3
    local version=$4
    
    echo "Checking $owner/$repo@$commit for version $version"
    gh api repos/$owner/$repo/commits/$commit/tags
}

# Check each action
check_commit "step-security" "harden-runner" "91182cccc01eb5e619899d80e4e971d6181294a7" "v2.10.1"
check_commit "actions" "setup-node" "39370e3970a6d050c480ffad4ff0ed4d3fdee5af" "v4.1.0"
check_commit "actions" "checkout" "11bd71901bbe5b1630ceea73d27597364c9af683" "v4.2.2"
check_commit "actions" "cache" "1bd1e32a3bdc45362d1e726936510720a7c30a57" "v4.2.0"
check_commit "actions" "upload-artifact" "b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882" "v4.4.3"

Length of output: 3763

---

Script:

#!/bin/bash
# Let's try a different approach using the GitHub API to get the release information directly

check_release() {
    local owner=$1
    local repo=$2
    local version=$3
    
    echo "Checking $owner/$repo release $version"
    gh api repos/$owner/$repo/releases/tags/$version
}

# Check each action's release
check_release "step-security" "harden-runner" "v2.10.1"
check_release "actions" "setup-node" "v4.1.0"
check_release "actions" "checkout" "v4.2.2"
check_release "actions" "cache" "v4.2.0"
check_release "actions" "upload-artifact" "v4.4.3"

Length of output: 13885

🧰 Tools

🪛 yamllint (1.35.1)

[error] 45-45: trailing spaces

(trailing-spaces)

---

[error] 46-46: trailing spaces

(trailing-spaces)

---

[error] 48-48: trailing spaces

(trailing-spaces)