[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
1 parent
69db789
commit 1596b88
Showing
12 changed files
with
141 additions
and
38 deletions.
@@ -0,0 +1,11 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: github-actions | ||
directory: / | ||
schedule: | ||
interval: daily | ||
|
||
- package-ecosystem: docker | ||
directory: / | ||
schedule: | ||
interval: daily |
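Review bot: Only the `github-actions` and `docker` ecosystems are covered, so the Python dependencies this repository builds and publishes with uv (see the `setup-uv` and `uv build` steps elsewhere in this commit) get no Dependabot update PRs. A third entry with `package-ecosystem: pip` (or `uv`, if the Dependabot version in use supports it), the same `directory: /` and the same daily schedule would close that gap. Daily intervals on several ecosystems produce a steady stream of pin bumps; a `groups:` stanza or `open-pull-requests-limit` on each entry keeps them reviewable.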
@@ -11,16 +11,21 @@ jobs: | |
release-please: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- | ||
name: Create release | ||
id: release-please | ||
uses: googleapis/[email protected] | ||
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 | ||
with: | ||
release-type: python | ||
- | ||
name: Dispatch Edge Build | ||
if: always() | ||
uses: peter-evans/[email protected] | ||
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 | ||
with: | ||
repository: shinybrar/skaha | ||
event-type: edge-build | ||
|
@@ -34,7 +39,7 @@ jobs: | |
- | ||
name: Dispatch Release Build | ||
if: ${{ steps.release-please.outputs.release_created }} | ||
uses: peter-evans/[email protected] | ||
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 | ||
with: | ||
repository: shinybrar/skaha | ||
event-type: release-build | ||
|
@@ -48,7 +53,7 @@ jobs: | |
- | ||
name: Dispatch PYPI Release | ||
if: ${{ steps.release-please.outputs.release_created }} | ||
uses: peter-evans/[email protected] | ||
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 | ||
with: | ||
repository: shinybrar/skaha | ||
event-type: pypi-release | ||
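Review bot: Every Harden Runner step added in this commit uses `egress-policy: audit`, which only records outbound connections and blocks nothing; the same applies to the Harden Runner steps in the other workflow sections of this commit. Audit is the right first step, but the hardening only takes effect once the observed endpoints are reviewed and the policy becomes `egress-policy: block` with an `allowed-endpoints:` list. A comment above the `with:` block such as `# audit only: review runner insights, then switch to block + allowed-endpoints` would keep that follow-up visible. Unlike the other workflows touched here, no top-level `permissions:` block appears in these hunks; it may be set above line 11, but if not, the whole workflow runs with the repository's default token scopes.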
|
@@ -14,18 +14,23 @@ jobs: | |
pre-commit-checks: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- | ||
name: Setup code repository | ||
uses: actions/[email protected] | ||
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | ||
with: | ||
fetch-depth: 1 | ||
- name: Setup Python | ||
uses: actions/[email protected] | ||
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 | ||
with: | ||
python-version: 3.12 | ||
- | ||
name: pre-commit | ||
uses: pre-commit/[email protected] | ||
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 | ||
|
||
tests: | ||
needs: pre-commit-checks | ||
|
@@ -36,14 +41,19 @@ jobs: | |
os: [ubuntu-latest] | ||
runs-on: ${{ matrix.os }} | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- | ||
name: Setup code repository | ||
uses: actions/[email protected] | ||
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | ||
with: | ||
fetch-depth: 1 | ||
- | ||
name: Setup uv | ||
uses: astral-sh/[email protected] | ||
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7 | ||
with: | ||
enable-cache: true | ||
- | ||
|
@@ -75,7 +85,7 @@ jobs: | |
name: Upload coverage to Codecov | ||
env: | ||
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | ||
uses: codecov/[email protected] | ||
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 | ||
with: | ||
fail_ci_if_error: true # Fail the CI if an error occurs during the upload | ||
token: ${{ env.CODECOV_TOKEN }} | ||
|
@@ -84,6 +94,6 @@ jobs: | |
- | ||
name: Upload test results to Codecov | ||
if: ${{ !cancelled() }} | ||
uses: codecov/test-results-action@v1 | ||
uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1 | ||
with: | ||
token: ${{ secrets.CODECOV_TOKEN }} |
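Review bot: No `permissions:` block appears in this workflow's hunks, while the other workflows in the commit gain a top-level `contents: read`; it may already be set above line 14, but if not, both `pre-commit-checks` and `tests` run with the default token scopes. Two different `actions/checkout` pins are introduced in one commit — `eef61447… # v4.2.1` here and in the CodeQL, edge-build and pypi-release sections, versus `11bd7190… # v4.2.2` in the new dependency-review workflow — which Dependabot will eventually reconcile, but pinning one revision now avoids the drift. Separately, `python-version: 3.12` is an unquoted float; setup-python copes with this particular value, but `python-version: "3.12"` is the defensive form and avoids the `3.10` → `3.1` trap on a future bump.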
@@ -18,6 +18,9 @@ on: | |
# The branches below must be a subset of the branches above | ||
branches: [ main ] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
|
@@ -35,12 +38,17 @@ jobs: | |
# Learn more about CodeQL language support at https://git.io/codeql-language-support | ||
|
||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout repository | ||
uses: actions/[email protected] | ||
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | ||
|
||
# Initializes the CodeQL tools for scanning. | ||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@v2 | ||
uses: github/codeql-action/init@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 | ||
with: | ||
languages: ${{ matrix.language }} | ||
# If you wish to specify custom queries, you can do so here or in a config file. | ||
|
@@ -51,7 +59,7 @@ jobs: | |
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | ||
# If this step fails, then you should remove it and run the build manually (see below) | ||
- name: Autobuild | ||
uses: github/codeql-action/autobuild@v2 | ||
uses: github/codeql-action/autobuild@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 | ||
|
||
# ℹ️ Command-line programs to run using the OS shell. | ||
# 📚 https://git.io/JvXDl | ||
|
@@ -65,4 +73,4 @@ jobs: | |
# make release | ||
|
||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v2 | ||
uses: github/codeql-action/analyze@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 |
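Review bot: The new top-level `permissions: contents: read` narrows the whole workflow, but `codeql-action/analyze` needs `security-events: write` to upload its results; unless the `analyze` job sets its own `permissions:` block in the lines between the first and second hunk (not shown here), the upload will be rejected once this merges. If it is missing, a job-level `permissions: { actions: read, contents: read, security-events: write }` restores exactly what CodeQL requires. The pins also stay on the codeql-action v2 line (`# v2.27.6`); as far as I know v3 has been the supported major for some time, so a follow-up move to v3 is worth scheduling separately from this pinning change.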
@@ -0,0 +1,27 @@ | ||
# Dependency Review Action | ||
# | ||
# This Action will scan dependency manifest files that change as part of a Pull Request, | ||
# surfacing known-vulnerable versions of the packages declared or updated in the PR. | ||
# Once installed, if the workflow run is marked as required, | ||
# PRs introducing known-vulnerable packages will be blocked from merging. | ||
# | ||
# Source repository: https://github.com/actions/dependency-review-action | ||
name: 'Dependency Review' | ||
on: [pull_request] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
dependency-review: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: 'Checkout Repository' | ||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
- name: 'Dependency Review' | ||
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 |
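Review bot: The `Dependency Review` step runs with all inputs at their defaults, so the severity threshold and whether a summary is posted on the PR are implicit; a comment above the step such as `# defaults apply: fail-on-severity=low, no PR summary; tune via fail-on-severity / comment-summary-in-pr` would make the policy explicit to the next reader. The action also relies on the repository's dependency graph being enabled; if it is off, I believe the step errors rather than silently passing, which is worth a sentence in the PR description so a red check is not mistaken for a vulnerable dependency. `on: [pull_request]` is read correctly by GitHub's loader, but generic YAML 1.1 tooling parses that key as `true`, so a yamllint `truthy` exception may be needed if pre-commit lints these files.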
@@ -10,6 +10,9 @@ env: | |
IMAGE_NAME: shinybrar/skaha | ||
IMAGE_TAG: edge | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
edge-build: | ||
runs-on: ubuntu-latest | ||
|
@@ -18,35 +21,40 @@ jobs: | |
attestations: write | ||
id-token: write | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- | ||
name: Client Payload | ||
run: | | ||
echo "Client Payload: ${{ toJson(github.event.client_payload) }}" | ||
- | ||
name: Checkout Code | ||
uses: actions/[email protected] | ||
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | ||
- | ||
name: Setup Docker Buildx | ||
uses: docker/[email protected] | ||
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | ||
with: | ||
install: true | ||
- | ||
name: Perform Dockerhub Login | ||
uses: docker/[email protected] | ||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
- | ||
name: Perform GHCR Login | ||
uses: docker/login-action@v3 | ||
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
- | ||
name: Build & Push Docker Image | ||
id: build | ||
uses: docker/[email protected] | ||
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | ||
with: | ||
context: . | ||
target: production | ||
|
@@ -68,14 +76,14 @@ jobs: | |
${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | ||
- | ||
name: Attest GHCR Container Image | ||
uses: actions/attest-build-provenance@v1 | ||
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | ||
with: | ||
subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
subject-digest: ${{ steps.build.outputs.digest }} | ||
push-to-registry: true | ||
- | ||
name: Attest Dockerhub Container Image | ||
uses: actions/attest-build-provenance@v1 | ||
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | ||
with: | ||
subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }} | ||
subject-digest: ${{ steps.build.outputs.digest }} | ||
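Review bot: `echo "Client Payload: ${{ toJson(github.event.client_payload) }}"` in the `Client Payload` step expands the dispatch payload straight into the shell script, the expression-injection pattern GitHub's security hardening guide advises against; the payload is only settable by a holder of a dispatch-capable token, so exposure is limited, but the same line appears in the pypi-release section of this commit. Passing it through the environment sidesteps the problem: `env:` / `PAYLOAD: ${{ toJson(github.event.client_payload) }}` / `run: echo "Client Payload: $PAYLOAD"`. The new top-level `contents: read` is safe here only because the `edge-build` job keeps its own `attestations: write` and `id-token: write` grants; the `packages: write` the GHCR push needs is presumably just above the second hunk, which is cut.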
|
@@ -4,6 +4,9 @@ on: | |
repository_dispatch: | ||
types: [pypi-release] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
pypi-release: | ||
runs-on: ubuntu-latest | ||
|
@@ -14,19 +17,24 @@ jobs: | |
name: pypi-release | ||
url: https://pypi.org/p/skaha | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | ||
with: | ||
egress-policy: audit | ||
|
||
- | ||
name: Echo Build Dispatch | ||
run: | | ||
echo "Pypi Release Triggered" | ||
echo "Event Payload: ${{ toJson(github.event.client_payload) }}" | ||
- | ||
name: Checkout Code | ||
uses: actions/[email protected] | ||
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | ||
with: | ||
ref: ${{ github.event.client_payload.tag_name }} | ||
- | ||
name: Install uv | ||
uses: astral-sh/[email protected] | ||
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7 | ||
with: | ||
enable-cache: false | ||
- | ||
|
@@ -37,23 +45,23 @@ jobs: | |
run: uv build | ||
- | ||
name: Publish release distributions to PyPI | ||
uses: pypa/[email protected] | ||
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 | ||
with: | ||
attestations: false | ||
packages-dir: dist/ | ||
verbose: true | ||
print-hash: true | ||
- | ||
name: Attestations for PYPI Wheel | ||
uses: actions/attest-build-provenance@v1 | ||
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | ||
with: | ||
subject-path: | | ||
dist/*.whl | ||
subject-name: skaha-wheel | ||
show-summary: true | ||
- | ||
name: Attestations for PYPI Source | ||
uses: actions/attest-build-provenance@v1 | ||
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 | ||
with: | ||
subject-path: | | ||
dist/*.tar.gz | ||
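Review bot: `attestations: false` on `pypa/gh-action-pypi-publish` turns off the attestations PyPI would store alongside the wheel and sdist, while the two `attest-build-provenance` steps that follow publish provenance to GitHub's attestation store only, so, as I understand it, consumers verifying through PyPI see none. If keeping provenance in one place is intentional, a short comment on the `attestations:` line saying so would stop the next reviewer from flipping it. The checkout at `ref: ${{ github.event.client_payload.tag_name }}` means whatever the dispatch payload names is built and published; a cheap sanity step before the publish, for example `git rev-parse --verify "refs/tags/$TAG"` with the tag passed via `env:`, would catch a stray manual dispatch that names a branch or an arbitrary commit.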
|