

Merge pull request #702 from step-security-bot/stepsecurity_remediati…
…on_1702935591

[StepSecurity] ci: Harden GitHub Actions
biow0lf authored Dec 18, 2023
2 parents 9b16c43 + 156917e commit 528310d
Showing 11 changed files with 33 additions and 9 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/brakeman.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
brakeman:
runs-on: ubuntu-latest
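Review bot: The workflow-level `permissions: contents: read` added at the top of this hunk sets every scope not listed to `none`, so if the brakeman job later uploads a SARIF report (for example through `github/codeql-action/upload-sarif`) it now needs `security-events: write` granted at the job level, e.g. `permissions:` / `contents: read` / `security-events: write` under `brakeman:`. The remainder of the job is outside the hunk, so I cannot confirm whether such a step exists; the same check applies to the identical hunks in bundler-audit.yml, fasterer.yml, license_finder.yml, rspec.yml, rubocop.yml and standard.yml. Where none of these jobs write back to the repository or to GitHub APIs the read-only default is the right choice, and a one-line comment such as `# Least privilege: every job in this workflow only needs to read the checkout` above `permissions:` would record that intent for the next person who adds a step.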
3 changes: 3 additions & 0 deletions .github/workflows/bundler-audit.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
bundler-audit:
runs-on: ubuntu-latest
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Expand Up @@ -15,4 +15,4 @@ jobs:
- name: "Checkout Repository"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: "Dependency Review"
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
15 changes: 9 additions & 6 deletions .github/workflows/docker.yml
Expand Up @@ -9,33 +9,36 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0
with:
images: biow0lf/evemonk-pg-extras

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0

- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0

- name: Build and push
id: docker_build
uses: docker/build-push-action@v5
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
with:
pull: true
push: true
Expand All @@ -49,7 +52,7 @@ jobs:
run: echo ${{ steps.docker_build.outputs.digest }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
with:
image-ref: "docker.io/biow0lf/evemonk-pg-extras:main"
format: "table"
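Review bot: `aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master` in the second hunk pins an unreleased commit of a moving branch: the `# master` annotation gives a SHA-aware updater no tag to follow, so this pin will silently age while every other action in the file tracks a release. Prefer the commit of a tagged release with the tag in the comment, `uses: aquasecurity/trivy-action@<release-sha> # <release-tag>` (placeholders; take the release current at the time of this commit). Separately, the scan targets the mutable tag `docker.io/biow0lf/evemonk-pg-extras:main` rather than the image this job just pushed; since `steps.docker_build.outputs.digest` is already echoed two steps earlier, `image-ref: "docker.io/biow0lf/evemonk-pg-extras@${{ steps.docker_build.outputs.digest }}"` would scan exactly the pushed artifact and cannot race with another push to `main`. Both hunks lie inside the `build` job, whose remaining steps are outside the page, and all of the new SHA pins only stay current if an updater covering the `github-actions` ecosystem is configured, which I cannot see from here.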
3 changes: 3 additions & 0 deletions .github/workflows/fasterer.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
fasterer:
runs-on: ubuntu-latest
2 changes: 1 addition & 1 deletion .github/workflows/hadolint.yml
Expand Up @@ -16,4 +16,4 @@ jobs:

steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: hadolint/[email protected]
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
3 changes: 3 additions & 0 deletions .github/workflows/license_finder.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
license_finder:
runs-on: ubuntu-latest
2 changes: 1 addition & 1 deletion .github/workflows/mdl.yml
Expand Up @@ -16,4 +16,4 @@ jobs:

steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: bewuethr/[email protected]
- uses: bewuethr/mdl-action@0d8e72b8dc605e02a94a4f00f93f13f26cf0e265 # v1.1.2
3 changes: 3 additions & 0 deletions .github/workflows/rspec.yml
Expand Up @@ -18,6 +18,9 @@ env:
SECRET_KEY_BASE: "919650e468e29e897a53ef239b6e0228f8b71ec6ed353b691d140945e98d0c6a63731811afc27b61b9094523740962499afabc6d7ad0c872f1d5b62472083a08"
CI: "yes"

permissions:
contents: read

jobs:
rspec:
runs-on: ubuntu-latest
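Review bot: `SECRET_KEY_BASE` is a literal 128-hex-character value committed in the workflow `env:` block directly above the added `permissions:`; it is presumably a throwaway key for the test environment only, but nothing on the line says so, and a value shaped exactly like a production Rails secret invites copy-paste into other configs and false positives from secret scanners. A comment such as `# Dummy key for the CI test environment only; never reuse it outside this workflow` above that line would record the intent. The `permissions: contents: read` addition itself is appropriate for a test-only job; the rest of the `env:` block and the `rspec` job are outside the hunk.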
3 changes: 3 additions & 0 deletions .github/workflows/rubocop.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
rubocop:
runs-on: ubuntu-latest
3 changes: 3 additions & 0 deletions .github/workflows/standard.yml
Expand Up @@ -10,6 +10,9 @@ on:
schedule:
- cron: "0 21 * * 6"

permissions:
contents: read

jobs:
standard:
runs-on: ubuntu-latest
