[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
step-security-bot committed Dec 9, 2024
1 parent 69db789 commit 1596b88
Showing 12 changed files with 141 additions and 38 deletions.
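--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+directory: /
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /
+schedule:
+interval: daily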
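Review bot: Only `github-actions` and `docker` are listed under `updates:`, so the Python dependencies of this package get no update PRs from this file, even though the workflows in the same commit build it with `uv build` and release it with `release-type: python`. If that is not covered elsewhere, add a third entry for the ecosystem that matches how the project declares its dependencies, for example `- package-ecosystem: pip` with `directory: /` and the same `schedule:`. The `docker` entry with `directory: /` assumes a Dockerfile at the repository root, which is consistent with `context: .` in edge.yml.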
13 changes: 9 additions & 4 deletions .github/workflows/cd.yml
@@ -11,16 +11,21 @@ jobs:
release-please:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Create release
id: release-please
uses: googleapis/[email protected]
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
with:
release-type: python
-
name: Dispatch Edge Build
if: always()
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: edge-build
@@ -34,7 +39,7 @@ jobs:
-
name: Dispatch Release Build
if: ${{ steps.release-please.outputs.release_created }}
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: release-build
@@ -48,7 +53,7 @@ jobs:
-
name: Dispatch PYPI Release
if: ${{ steps.release-please.outputs.release_created }}
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: pypi-release
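Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections; it does not stop a step from reaching an unexpected host, so this is monitoring rather than enforcement. Once a few runs have produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list taken from that baseline. The same setting is added in ci.yml, codeql-analysis.yml, dependency-review.yml, docs.yml, edge.yml and pypi.yml. The workflows that dispatch builds and publish artifacts (this one, edge.yml, pypi.yml) are the ones to tighten first.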
24 changes: 17 additions & 7 deletions .github/workflows/ci.yml
@@ -14,18 +14,23 @@ jobs:
pre-commit-checks:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Setup code repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 1
- name: Setup Python
uses: actions/[email protected]
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: 3.12
-
name: pre-commit
uses: pre-commit/[email protected]
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

tests:
needs: pre-commit-checks
@@ -36,14 +41,19 @@ jobs:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Setup code repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 1
-
name: Setup uv
uses: astral-sh/[email protected]
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7
with:
enable-cache: true
-
@@ -75,7 +85,7 @@ jobs:
name: Upload coverage to Codecov
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
uses: codecov/[email protected]
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
fail_ci_if_error: true # Fail the CI if an error occurs during the upload
token: ${{ env.CODECOV_TOKEN }}
@@ -84,6 +94,6 @@ jobs:
-
name: Upload test results to Codecov
if: ${{ !cancelled() }}
uses: codecov/test-results-action@v1
uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
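Review bot: No `permissions:` block is added to this workflow: the first hunk starts at line 14 on both sides, so nothing was inserted above `jobs:`, whereas codeql-analysis.yml, edge.yml and pypi.yml each gain a top-level `permissions:` with `contents: read`. Unless the lines above the hunk already restrict it (not visible here), the GITHUB_TOKEN keeps the repository default scope in the jobs that run pre-commit and the test suite. Adding `permissions:` / `contents: read` above `jobs:` closes that. The hunks for cd.yml and docs.yml show the same gap, though those workflows will need their write scopes declared per job (release-please creates releases, and `mkdocs gh-deploy` pushes).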
16 changes: 12 additions & 4 deletions .github/workflows/codeql-analysis.yml
@@ -18,6 +18,9 @@ on:
# The branches below must be a subset of the branches above
branches: [ main ]

permissions:
contents: read

jobs:
analyze:
name: Analyze
@@ -35,12 +38,17 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support

steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +59,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@@ -65,4 +73,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6
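Review bot: The new top-level `permissions:` with `contents: read` removes every other scope from any job that does not declare its own, and `github/codeql-action/analyze` needs `security-events: write` to upload its results. The lines between `name: Analyze` and `steps:` fall outside the hunks, so confirm that the `analyze` job carries its own `permissions:` including `security-events: write`; if it does not, the final step will fail once this merges. Separately, the pins keep all three codeql-action steps on the v2 major (`# v2.27.6`), which has been superseded by v3, so a bump is worth doing here rather than leaving it to Dependabot.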
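--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+contents: read
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+with:
+egress-policy: audit
+
+- name: 'Checkout Repository'
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- name: 'Dependency Review'
+uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0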
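Review bot: The header comment gives the source as `https://github.com/actions/dependency-review-action`, but the action's canonical home is `https://github.com/actions/dependency-review-action`, and a comment in a security workflow should not point readers at a third-party host. This may be an artifact of how this page was rendered rather than of the commit itself, so check the file in the repository. Checkout is also pinned at `# v4.2.2` here but at `# v4.2.1` in the other workflows of this commit; that is harmless, and Dependabot will reconcile it.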
9 changes: 7 additions & 2 deletions .github/workflows/docs.yml
@@ -21,8 +21,13 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: astral-sh/setup-uv@v3
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3.2.4
- run: |
uv python install
uv run mkdocs gh-deploy --force
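Review bot: `actions/checkout` is pinned here to `f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, which freezes the older v3 major, while the other workflows in this commit pin v4.2.x. `setup-uv` is likewise `# v3.2.4` here but `# v3.1.7` in ci.yml and pypi.yml. Resolving the floating `@v3` tags to their current commits is faithful to the old file, but I would align this job with the pin already used elsewhere, `actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`, so that each action is reviewed at one version. This matters more here than in read-only jobs because the `run:` step calls `mkdocs gh-deploy --force`, which pushes to the repository.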
22 changes: 15 additions & 7 deletions .github/workflows/edge.yml
@@ -10,6 +10,9 @@ env:
IMAGE_NAME: shinybrar/skaha
IMAGE_TAG: edge

permissions:
contents: read

jobs:
edge-build:
runs-on: ubuntu-latest
@@ -18,35 +21,40 @@ jobs:
attestations: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Client Payload
run: |
echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
-
name: Checkout Code
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-
name: Setup Docker Buildx
uses: docker/[email protected]
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
install: true
-
name: Perform Dockerhub Login
uses: docker/[email protected]
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Perform GHCR Login
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build & Push Docker Image
id: build
uses: docker/[email protected]
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
target: production
@@ -68,14 +76,14 @@ jobs:
${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-
name: Attest GHCR Container Image
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
-
name: Attest Dockerhub Container Image
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
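Review bot: The `Client Payload` step still expands `${{ toJson(github.event.client_payload) }}` directly inside the `run:` script, so the payload text becomes part of the shell command before it runs; this commit hardens the runner but leaves that template-injection pattern in place. Pass the value through the environment instead: an `env:` entry `CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }}` and `run: echo "Client Payload: $CLIENT_PAYLOAD"`. The `Echo Build Dispatch` step in pypi.yml has the same pattern. Sending a repository_dispatch event needs a token with access to the repository, which limits exposure, but this job holds `id-token: write`, `attestations: write` and the Docker Hub credentials.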
18 changes: 13 additions & 5 deletions .github/workflows/pypi.yml
@@ -4,6 +4,9 @@ on:
repository_dispatch:
types: [pypi-release]

permissions:
contents: read

jobs:
pypi-release:
runs-on: ubuntu-latest
@@ -14,19 +17,24 @@ jobs:
name: pypi-release
url: https://pypi.org/p/skaha
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Echo Build Dispatch
run: |
echo "Pypi Release Triggered"
echo "Event Payload: ${{ toJson(github.event.client_payload) }}"
-
name: Checkout Code
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
ref: ${{ github.event.client_payload.tag_name }}
-
name: Install uv
uses: astral-sh/[email protected]
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7
with:
enable-cache: false
-
@@ -37,23 +45,23 @@ jobs:
run: uv build
-
name: Publish release distributions to PyPI
uses: pypa/[email protected]
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
with:
attestations: false
packages-dir: dist/
verbose: true
print-hash: true
-
name: Attestations for PYPI Wheel
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-path: |
dist/*.whl
subject-name: skaha-wheel
show-summary: true
-
name: Attestations for PYPI Source
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-path: |
dist/*.tar.gz
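Review bot: `Checkout Code` takes its `ref:` from `github.event.client_payload.tag_name`, and nothing in the visible steps checks that value before `uv build` and the PyPI upload, so the job publishes whatever ref the dispatch payload names. Consider an early step that rejects a `tag_name` not matching the project's release-tag pattern, reading it from `env:` rather than interpolating it into the script. The steps between `Install uv` and `run: uv build` are outside the hunks, so a check may already exist there. With `attestations: false` on the publish step, the two `attest-build-provenance` steps are the only provenance record, which makes the checked-out ref worth pinning down.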