From 156917e17472148bc00a7fdf08d999df3293b299 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 18 Dec 2023 21:39:53 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/brakeman.yml | 3 +++
 .github/workflows/bundler-audit.yml | 3 +++
 .github/workflows/dependency-review.yml | 2 +-
 .github/workflows/docker.yml | 15 +++++++++------
 .github/workflows/fasterer.yml | 3 +++
 .github/workflows/hadolint.yml | 2 +-
 .github/workflows/license_finder.yml | 3 +++
 .github/workflows/mdl.yml | 2 +-
 .github/workflows/rspec.yml | 3 +++
 .github/workflows/rubocop.yml | 3 +++
 .github/workflows/standard.yml | 3 +++
 11 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
index 3133c1ce..772d85b1 100644
--- a/.github/workflows/brakeman.yml
+++ b/.github/workflows/brakeman.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: brakeman: runs-on: ubuntu-latest
diff --git a/.github/workflows/bundler-audit.yml b/.github/workflows/bundler-audit.yml
index 8d7fd106..62f4bb2a 100644
--- a/.github/workflows/bundler-audit.yml
+++ b/.github/workflows/bundler-audit.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: bundler-audit: runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index dba94cd1..62ab7825 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,4 +15,4 @@ jobs: - name: "Checkout Repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: "Dependency Review" - uses: actions/dependency-review-action@v3 + uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 049963c3..cccdbb43 100644
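Review bot: dependency-review.yml receives only the SHA pin and no top-level `permissions:` block, unlike the workflows with `3 +++` in the diffstat above, which all gain `permissions:` / `contents: read`; without it the job keeps the repository's default GITHUB_TOKEN scope, which on older repositories is still write-all. Add the same two lines above `jobs:` — `permissions:` followed by `  contents: read` — for the same least-privilege reason the other files got them. As used here with no `with:` options, dependency-review-action appears to need only repository read access, but confirm against the action's documentation before enabling any PR-comment summary option, which would need a pull-requests scope. The pin to `01bc8709… # v3.1.4` itself is correct and keeps the tag in the comment for Dependabot.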
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -9,6 +9,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -16,26 +19,26 @@ jobs: steps: - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e # v5.4.0 with: images: biow0lf/evemonk-pg-extras - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Build and push id: docker_build - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: pull: true push: true
@@ -49,7 +52,7 @@ jobs: run: echo ${{ steps.docker_build.outputs.digest }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master with: image-ref: "docker.io/biow0lf/evemonk-pg-extras:main" format: "table"
diff --git a/.github/workflows/fasterer.yml b/.github/workflows/fasterer.yml
index cba1f114..cb053173 100644
--- a/.github/workflows/fasterer.yml
+++ b/.github/workflows/fasterer.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: fasterer: runs-on: ubuntu-latest
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index bb49f579..51c19f8b 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
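Review bot: The build-push step at the end of this hunk runs with `push: true`, so the image is published to Docker Hub before the Trivy scan in the next step has looked at it; a failing scan then only reports on an image that is already public under the tags the metadata step produced. If the scan is meant to gate publication, build without pushing, scan the local image, and push in a separate build-push step afterwards — the buildx cache makes the second invocation cheap. `load: true` works for a single platform only; the QEMU setup step suggests multi-platform builds may be intended, in which case push to a staging tag, scan that, and retag after the scan instead. The action pins themselves look correct, and the `# v5.1.0`-style comments let Dependabot track the tags; the step list continues past the hunk, so the tags/labels inputs are not visible here.

```yaml
      - name: Build (local only)
        id: docker_build
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          pull: true
          push: false
          load: true
          # … unchanged: tags/labels inputs that follow the hunk …

      # … unchanged: Trivy scan step, pointed at the locally built image …

      - name: Push
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          push: true
          # … unchanged: same tags/labels inputs …
```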
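Review bot: `aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master` pins to a commit on a moving branch rather than a tagged release, so the comment carries no version and Dependabot/Renovate have nothing to bump against; choose the commit of a tagged release and name that tag in the comment instead. Separately, `image-ref: "docker.io/biow0lf/evemonk-pg-extras:main"` scans whatever the registry currently serves under `:main`, which is not necessarily the image this run built and pushed — on a scheduled run or a non-main branch the two can differ. Scanning by the digest the build step exported two lines above ties the scan to this build: `image-ref: "docker.io/biow0lf/evemonk-pg-extras@${{ steps.docker_build.outputs.digest }}"`. Whether a finding actually fails the job depends on the action's `exit-code` input, which would sit below the hunk and is not visible here.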
@@ -16,4 +16,4 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
diff --git a/.github/workflows/license_finder.yml b/.github/workflows/license_finder.yml
index ba04598d..5f74bb05 100644
--- a/.github/workflows/license_finder.yml
+++ b/.github/workflows/license_finder.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: license_finder: runs-on: ubuntu-latest
diff --git a/.github/workflows/mdl.yml b/.github/workflows/mdl.yml
index f23ea23e..e2a581f7 100644
--- a/.github/workflows/mdl.yml
+++ b/.github/workflows/mdl.yml
@@ -16,4 +16,4 @@ jobs: steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: bewuethr/mdl-action@v1.1.2 + - uses: bewuethr/mdl-action@0d8e72b8dc605e02a94a4f00f93f13f26cf0e265 # v1.1.2
diff --git a/.github/workflows/rspec.yml b/.github/workflows/rspec.yml
index 33515dc3..44e6dd7b 100644
--- a/.github/workflows/rspec.yml
+++ b/.github/workflows/rspec.yml
@@ -18,6 +18,9 @@ env: SECRET_KEY_BASE: "919650e468e29e897a53ef239b6e0228f8b71ec6ed353b691d140945e98d0c6a63731811afc27b61b9094523740962499afabc6d7ad0c872f1d5b62472083a08" CI: "yes" +permissions: + contents: read + jobs: rspec: runs-on: ubuntu-latest
diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
index 02585c46..fb8b888d 100644
--- a/.github/workflows/rubocop.yml
+++ b/.github/workflows/rubocop.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: rubocop: runs-on: ubuntu-latest
diff --git a/.github/workflows/standard.yml b/.github/workflows/standard.yml
index 7ea21029..4a4facd7 100644
--- a/.github/workflows/standard.yml
+++ b/.github/workflows/standard.yml
@@ -10,6 +10,9 @@ on: schedule: - cron: "0 21 * * 6" +permissions: + contents: read + jobs: standard: runs-on: ubuntu-latest
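Review bot: hadolint.yml gets only the SHA pin in this hunk and, per the diffstat (`hadolint.yml | 2 +-`), no top-level `permissions:` block, while the sibling workflows in this commit all gain `permissions:` / `contents: read`; the job therefore keeps the repository's default GITHUB_TOKEN scope. Add the same two lines above `jobs:` — `permissions:` followed by `  contents: read` — since a linter that only checks out the repository and runs hadolint needs nothing more. mdl.yml later in this patch (`mdl.yml | 2 +-`) has the same gap and should get the same block. The pin to `54c9adba… # v3.1.0` is fine; the `jobs:` stanza begins above the hunk.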
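Review bot: The `SECRET_KEY_BASE` context line in the rspec.yml hunk is a fixed 128-hex-character key committed in plain text, and nothing in the file marks it as a CI-only dummy, so the hardening in this commit leaves a value that looks exactly like a production secret sitting in git. If it is only there so Rails can boot under test, say so above it: `# CI-only dummy key so Rails can boot; public, never reuse outside this workflow`. If the project would rather have no key-shaped value in the repository at all, generate one per run instead, e.g. a step before the tests with `run: echo "SECRET_KEY_BASE=$(openssl rand -hex 64)" >> "$GITHUB_ENV"`. The added `permissions:` / `contents: read` block is correct for a test job; `env:` starts above the hunk.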