Skip to content

Commit 54b7f22

Browse files
authored
Merge pull request #39 from step-security-bot/chore/GHA-210804-stepsecurity-remediation
[StepSecurity] Apply security best practices
2 parents 16c3500 + c979328 commit 54b7f22

File tree

6 files changed

+254
-17
lines changed

6 files changed

+254
-17
lines changed

.github/dependabot.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: github-actions
4+
directory: /
5+
schedule:
6+
interval: daily
7+
8+
- package-ecosystem: npm
9+
directory: /
10+
schedule:
11+
interval: daily

.github/workflows/codeql.yml

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
# For most projects, this workflow file will not need changing; you simply need
2+
# to commit it to your repository.
3+
#
4+
# You may wish to alter this file to override the set of languages analyzed,
5+
# or to provide custom queries or build logic.
6+
#
7+
# ******** NOTE ********
8+
# We have attempted to detect the languages in your repository. Please check
9+
# the `language` matrix defined below to confirm you have the correct set of
10+
# supported CodeQL languages.
11+
#
12+
name: "CodeQL"
13+
14+
on:
15+
push:
16+
branches: ["main"]
17+
pull_request:
18+
# The branches below must be a subset of the branches above
19+
branches: ["main"]
20+
schedule:
21+
- cron: "0 0 * * 1"
22+
23+
permissions:
24+
contents: read
25+
26+
jobs:
27+
analyze:
28+
name: Analyze
29+
runs-on: ubuntu-latest
30+
permissions:
31+
actions: read
32+
contents: read
33+
security-events: write
34+
35+
strategy:
36+
fail-fast: false
37+
matrix:
38+
language: ["javascript"]
39+
# CodeQL supports [ $supported-codeql-languages ]
40+
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
41+
42+
steps:
43+
- name: Harden the runner (Audit all outbound calls)
44+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
45+
with:
46+
egress-policy: audit
47+
48+
- name: Checkout repository
49+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
50+
51+
# Initializes the CodeQL tools for scanning.
52+
- name: Initialize CodeQL
53+
uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
54+
with:
55+
languages: ${{ matrix.language }}
56+
# If you wish to specify custom queries, you can do so here or in a config file.
57+
# By default, queries listed here will override any specified in a config file.
58+
# Prefix the list here with "+" to use these queries and those in the config file.
59+
60+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
61+
# If this step fails, then you should remove it and run the build manually (see below)
62+
- name: Autobuild
63+
uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
64+
65+
# ℹ️ Command-line programs to run using the OS shell.
66+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
67+
68+
# If the Autobuild fails above, remove it and uncomment the following three lines.
69+
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
70+
71+
# - run: |
72+
# echo "Run, Build Application using script"
73+
# ./location_of_script_within_repo/buildscript.sh
74+
75+
- name: Perform CodeQL Analysis
76+
uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
77+
with:
78+
category: "/language:${{matrix.language}}"

.github/workflows/debug.yml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,12 @@ jobs:
44
issue_245:
55
runs-on: ubuntu-latest
66
steps:
7-
- uses: actions/checkout@v4
7+
- name: Harden the runner (Audit all outbound calls)
8+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
9+
with:
10+
egress-policy: audit
11+
12+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
813
with:
914
ref: debug
1015
- run: npm ci
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Dependency Review Action
2+
#
3+
# This Action will scan dependency manifest files that change as part of a Pull Request,
4+
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
5+
# Once installed, if the workflow run is marked as required,
6+
# PRs introducing known-vulnerable packages will be blocked from merging.
7+
#
8+
# Source repository: https://github.com/actions/dependency-review-action
9+
name: 'Dependency Review'
10+
on: [pull_request]
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
dependency-review:
17+
runs-on: ubuntu-latest
18+
steps:
19+
- name: Harden the runner (Audit all outbound calls)
20+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
21+
with:
22+
egress-policy: audit
23+
24+
- name: 'Checkout Repository'
25+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
26+
- name: 'Dependency Review'
27+
uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1

.github/workflows/scorecards.yml

Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
# This workflow uses actions that are not certified by GitHub. They are provided
2+
# by a third-party and are governed by separate terms of service, privacy
3+
# policy, and support documentation.
4+
5+
name: Scorecard supply-chain security
6+
on:
7+
# For Branch-Protection check. Only the default branch is supported. See
8+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
9+
branch_protection_rule:
10+
# To guarantee Maintained check is occasionally updated. See
11+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
12+
schedule:
13+
- cron: '20 7 * * 2'
14+
push:
15+
branches: ["main"]
16+
17+
# Declare default permissions as read only.
18+
permissions: read-all
19+
20+
jobs:
21+
analysis:
22+
name: Scorecard analysis
23+
runs-on: ubuntu-latest
24+
permissions:
25+
# Needed to upload the results to code-scanning dashboard.
26+
security-events: write
27+
# Needed to publish results and get a badge (see publish_results below).
28+
id-token: write
29+
contents: read
30+
actions: read
31+
# To allow GraphQL ListCommits to work
32+
issues: read
33+
pull-requests: read
34+
# To detect SAST tools
35+
checks: read
36+
37+
steps:
38+
- name: Harden the runner (Audit all outbound calls)
39+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
40+
with:
41+
egress-policy: audit
42+
43+
- name: "Checkout code"
44+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
45+
with:
46+
persist-credentials: false
47+
48+
- name: "Run analysis"
49+
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
50+
with:
51+
results_file: results.sarif
52+
results_format: sarif
53+
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
54+
# - you want to enable the Branch-Protection check on a *public* repository, or
55+
# - you are installing Scorecards on a *private* repository
56+
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
57+
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
58+
59+
# Public repositories:
60+
# - Publish results to OpenSSF REST API for easy access by consumers
61+
# - Allows the repository to include the Scorecard badge.
62+
# - See https://github.com/ossf/scorecard-action#publishing-results.
63+
# For private repositories:
64+
# - `publish_results` will always be set to `false`, regardless
65+
# of the value entered here.
66+
publish_results: true
67+
68+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
69+
# format to the repository Actions tab.
70+
- name: "Upload artifact"
71+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
72+
with:
73+
name: SARIF file
74+
path: results.sarif
75+
retention-days: 5
76+
77+
# Upload the results to GitHub's code scanning dashboard.
78+
- name: "Upload to code-scanning"
79+
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
80+
with:
81+
sarif_file: results.sarif

.github/workflows/test.yml

Lines changed: 51 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -13,10 +13,15 @@ jobs:
1313
name: "[TEST] Update existing pull request"
1414
runs-on: ubuntu-latest
1515
steps:
16-
- uses: actions/checkout@v4
16+
- name: Harden the runner (Audit all outbound calls)
17+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
18+
with:
19+
egress-policy: audit
20+
21+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
1722
with:
1823
persist-credentials: false
19-
- uses: actions/setup-node@v4
24+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
2025
with:
2126
node-version: 20
2227
cache: npm
@@ -43,10 +48,15 @@ jobs:
4348
name: "[TEST] Create new pull request"
4449
runs-on: ubuntu-latest
4550
steps:
46-
- uses: actions/checkout@v4
51+
- name: Harden the runner (Audit all outbound calls)
52+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
53+
with:
54+
egress-policy: audit
55+
56+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
4757
with:
4858
persist-credentials: false
49-
- uses: actions/setup-node@v4
59+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
5060
with:
5161
node-version: 20
5262
cache: npm
@@ -85,10 +95,15 @@ jobs:
8595
name: "[TEST] Create multiple commits"
8696
runs-on: ubuntu-latest
8797
steps:
88-
- uses: actions/checkout@v4
98+
- name: Harden the runner (Audit all outbound calls)
99+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
100+
with:
101+
egress-policy: audit
102+
103+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
89104
with:
90105
persist-credentials: false
91-
- uses: actions/setup-node@v4
106+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
92107
with:
93108
node-version: 20
94109
cache: npm
@@ -142,10 +157,15 @@ jobs:
142157
name: "[TEST] Auto merge"
143158
runs-on: ubuntu-latest
144159
steps:
145-
- uses: actions/checkout@v4
160+
- name: Harden the runner (Audit all outbound calls)
161+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
162+
with:
163+
egress-policy: audit
164+
165+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
146166
with:
147167
persist-credentials: false
148-
- uses: actions/setup-node@v4
168+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
149169
with:
150170
node-version: 20
151171
cache: npm
@@ -171,10 +191,15 @@ jobs:
171191
name: "[TEST] Create or update pull request for hidden file"
172192
runs-on: ubuntu-latest
173193
steps:
174-
- uses: actions/checkout@v4
194+
- name: Harden the runner (Audit all outbound calls)
195+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
196+
with:
197+
egress-policy: audit
198+
199+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
175200
with:
176201
persist-credentials: false
177-
- uses: actions/setup-node@v4
202+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
178203
with:
179204
node-version: 20
180205
cache: npm
@@ -191,10 +216,15 @@ jobs:
191216
name: "[TEST] Update PR title and body"
192217
runs-on: ubuntu-latest
193218
steps:
194-
- uses: actions/checkout@v4
219+
- name: Harden the runner (Audit all outbound calls)
220+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
221+
with:
222+
egress-policy: audit
223+
224+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
195225
with:
196226
persist-credentials: false
197-
- uses: actions/setup-node@v4
227+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
198228
with:
199229
node-version: 20
200230
cache: npm
@@ -234,7 +264,7 @@ jobs:
234264
branch: test-update-pr-title-and-body-${{ github.run_number }}
235265
commit-message: Just testing [skip ci]
236266
update-pull-request-title-and-body: true
237-
- uses: octokit/[email protected]
267+
- uses: octokit/request-action@05a2312de9f8207044c4c9e41fe19703986acc13 # v2.x
238268
id: get-pull-request
239269
with:
240270
route: GET /repos/{owner}/{repo}/pulls/{pull_number}
@@ -260,10 +290,15 @@ jobs:
260290
name: "[TEST] Add Reviewers"
261291
runs-on: ubuntu-latest
262292
steps:
263-
- uses: actions/checkout@v4
293+
- name: Harden the runner (Audit all outbound calls)
294+
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
295+
with:
296+
egress-policy: audit
297+
298+
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
264299
with:
265300
persist-credentials: false
266-
- uses: actions/setup-node@v4
301+
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
267302
with:
268303
node-version: 20
269304
cache: npm
@@ -281,7 +316,7 @@ jobs:
281316
branch: test-add-reviewers-${{ github.run_number }}
282317
commit-message: Just testing [skip ci]
283318
reviewers: amanstep
284-
- uses: octokit/[email protected]
319+
- uses: octokit/request-action@05a2312de9f8207044c4c9e41fe19703986acc13 # v2.x
285320
id: get-pull-request
286321
with:
287322
route: GET /repos/{owner}/{repo}/pulls/{pull_number}

0 commit comments

Comments
 (0)