Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[StepSecurity] Apply security best practices #69

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily

- package-ecosystem: docker
directory: /
schedule:
interval: daily
13 changes: 9 additions & 4 deletions .github/workflows/cd.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,21 @@ jobs:
release-please:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Create release
id: release-please
uses: googleapis/[email protected]
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
with:
release-type: python
-
name: Dispatch Edge Build
if: always()
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: edge-build
Expand All @@ -34,7 +39,7 @@ jobs:
-
name: Dispatch Release Build
if: ${{ steps.release-please.outputs.release_created }}
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: release-build
Expand All @@ -48,7 +53,7 @@ jobs:
-
name: Dispatch PYPI Release
if: ${{ steps.release-please.outputs.release_created }}
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: shinybrar/skaha
event-type: pypi-release
Expand Down
24 changes: 17 additions & 7 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,18 +14,23 @@ jobs:
pre-commit-checks:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Setup code repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 1
- name: Setup Python
uses: actions/[email protected]
uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
python-version: 3.12
-
name: pre-commit
uses: pre-commit/[email protected]
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

tests:
needs: pre-commit-checks
Expand All @@ -36,14 +41,19 @@ jobs:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Setup code repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 1
-
name: Setup uv
uses: astral-sh/[email protected]
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7
with:
enable-cache: true
-
Expand Down Expand Up @@ -75,7 +85,7 @@ jobs:
name: Upload coverage to Codecov
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
uses: codecov/[email protected]
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
with:
fail_ci_if_error: true # Fail the CI if an error occurs during the upload
token: ${{ env.CODECOV_TOKEN }}
Expand All @@ -84,6 +94,6 @@ jobs:
-
name: Upload test results to Codecov
if: ${{ !cancelled() }}
uses: codecov/test-results-action@v1
uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
16 changes: 12 additions & 4 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ on:
# The branches below must be a subset of the branches above
branches: [ main ]

permissions:
contents: read

jobs:
analyze:
name: Analyze
Expand All @@ -35,12 +38,17 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support

steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
uses: github/codeql-action/init@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -51,7 +59,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
uses: github/codeql-action/autobuild@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -65,4 +73,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
uses: github/codeql-action/analyze@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6
27 changes: 27 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: 'Dependency Review'
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
9 changes: 7 additions & 2 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,13 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: astral-sh/setup-uv@v3
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3.2.4
- run: |
uv python install
uv run mkdocs gh-deploy --force
22 changes: 15 additions & 7 deletions .github/workflows/edge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ env:
IMAGE_NAME: shinybrar/skaha
IMAGE_TAG: edge

permissions:
contents: read

jobs:
edge-build:
runs-on: ubuntu-latest
Expand All @@ -18,35 +21,40 @@ jobs:
attestations: write
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Client Payload
run: |
echo "Client Payload: ${{ toJson(github.event.client_payload) }}"
-
name: Checkout Code
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
-
name: Setup Docker Buildx
uses: docker/[email protected]
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
install: true
-
name: Perform Dockerhub Login
uses: docker/[email protected]
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Perform GHCR Login
uses: docker/login-action@v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build & Push Docker Image
id: build
uses: docker/[email protected]
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
target: production
Expand All @@ -68,14 +76,14 @@ jobs:
${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-
name: Attest GHCR Container Image
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
-
name: Attest Dockerhub Container Image
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build.outputs.digest }}
Expand Down
18 changes: 13 additions & 5 deletions .github/workflows/pypi.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@ on:
repository_dispatch:
types: [pypi-release]

permissions:
contents: read

jobs:
pypi-release:
runs-on: ubuntu-latest
Expand All @@ -14,19 +17,24 @@ jobs:
name: pypi-release
url: https://pypi.org/p/skaha
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

-
name: Echo Build Dispatch
run: |
echo "Pypi Release Triggered"
echo "Event Payload: ${{ toJson(github.event.client_payload) }}"
-
name: Checkout Code
uses: actions/[email protected]
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
ref: ${{ github.event.client_payload.tag_name }}
-
name: Install uv
uses: astral-sh/[email protected]
uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7
with:
enable-cache: false
-
Expand All @@ -37,23 +45,23 @@ jobs:
run: uv build
-
name: Publish release distributions to PyPI
uses: pypa/[email protected]
uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3
with:
attestations: false
packages-dir: dist/
verbose: true
print-hash: true
-
name: Attestations for PYPI Wheel
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-path: |
dist/*.whl
subject-name: skaha-wheel
show-summary: true
-
name: Attestations for PYPI Source
uses: actions/attest-build-provenance@v1
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
subject-path: |
dist/*.tar.gz
Expand Down
Loading
Loading