Merge pull request #1488 from nscuro/backport-gha-hardening

Backport: GitHub Actions hardening

Author: nscuro

.github/dependabot.yml

@@ -5,14 +5,20 @@ updates:
   directory: /
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
 - package-ecosystem: docker
   directory: /docker
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
 - package-ecosystem: github-actions
   directory: /
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
 # Receive minor and patch updates on latest release branch.
 # Ignore minor releases for NPM since they may ship breaking
 # changes, and we don't have the test coverage in place to
@@ -22,6 +28,8 @@ updates:
   directory: /
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
   ignore:
   - dependency-name: "*"
     update-types:
@@ -32,6 +40,8 @@ updates:
   directory: /docker
   schedule:
     interval: daily
+  cooldown:
+    default-days: 7
   ignore:
   - dependency-name: "*"
     update-types:

.github/workflows/_meta-build.yaml

@@ -1,3 +1,5 @@
+permissions: {}
+
 on:
   workflow_call:
     inputs:
@@ -27,10 +29,12 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up NodeJs
-        uses: actions/setup-node@v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # tag=v6.3.0
         with:
           node-version: '20'
           cache: 'npm'
@@ -43,7 +47,7 @@ jobs:
           npm run build --if-present
 
       - name: Upload Artifacts
-        uses: actions/upload-artifact@v7.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7.0.0
         with:
           name: assembled-frontend
           path: |-
@@ -57,24 +61,26 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Artifacts
-        uses: actions/download-artifact@v8.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
         with:
           name: assembled-frontend
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # tag=v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4.0.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4.0.0
         id: buildx
         with:
           install: true
 
       - name: Login to Docker.io
-        uses: docker/login-action@v4.0.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # tag=v4.0.0
         if: ${{ inputs.publish-container }}
         with:
           registry: docker.io
@@ -83,23 +89,25 @@ jobs:
 
       - name: Set Container Tags
         id: tags
+        env:
+          REF_NAME: ${{ inputs.ref-name }}
+          APP_VERSION: ${{ inputs.app-version }}
         run: |-
           IMAGE_NAME="docker.io/dependencytrack/frontend"
-          REF_NAME="${{ inputs.ref-name }}"
           TAGS=""
 
           if [[ $REF_NAME == feature-* ]]; then
             TAGS="${IMAGE_NAME}:${REF_NAME,,}"
           else
-            TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
-            if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
+            TAGS="${IMAGE_NAME}:${APP_VERSION}"
+            if [[ "${APP_VERSION}" != "snapshot" ]]; then
               TAGS="${TAGS},${IMAGE_NAME}:latest"
             fi
           fi
           echo "tags=${TAGS}" >> $GITHUB_OUTPUT
 
       - name: Build multi-arch Container Image
-        uses: docker/build-push-action@v7.0.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # tag=v7.0.0
         with:
           tags: ${{ steps.tags.outputs.tags }}
           build-args: |-
@@ -109,23 +117,3 @@ jobs:
           push: ${{ inputs.publish-container }}
           context: .
           file: docker/Dockerfile.alpine
-
-      - name: Run Trivy Vulnerability Scanner
-        if: ${{ inputs.publish-container }}
-        uses: aquasecurity/trivy-action@0.34.2
-        env:
-          # https://github.com/aquasecurity/trivy-action/issues/389
-          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
-          TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db:1'
-        with:
-          image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          ignore-unfixed: true
-          vuln-type: 'os'
-
-      - name: Upload Trivy Scan Results to GitHub Security Tab
-        if: ${{ inputs.publish-container }}
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: 'trivy-results.sarif'

.github/workflows/ci-build.yaml

@@ -11,6 +11,8 @@ on:
       - 'feature-**' # Feature branches
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   call-build:
     uses: ./.github/workflows/_meta-build.yaml

.github/workflows/ci-publish.yaml

@@ -3,9 +3,11 @@ name: Publish CI
 on:
   release:
     types:
-      - released
+      - created
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   read-version:
     runs-on: ubuntu-latest
@@ -20,7 +22,9 @@ jobs:
           fi
 
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Parse Version from package.json
         id: parse
@@ -42,15 +46,19 @@ jobs:
 
   update-github-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to edit release.
     needs:
       - read-version
       - call-build
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Download Artifacts
-        uses: actions/download-artifact@v8.0.0
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # tag=v8.0.0
         with:
           name: assembled-frontend
 
@@ -67,22 +75,31 @@ jobs:
 
       - name: Update Release
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ needs.read-version.outputs.version }}
         run: |-
           cat << EOF >> .github/default-release-notes.md
           \`\`\`text
           $(cat checksums.txt)
           \`\`\`
           EOF
 
-          gh release view ${{ needs.read-version.outputs.version }} \
+          gh release view "${RELEASE_VERSION}" \
             --json body --jq .body >> .github/default-release-notes.md
 
-          gh release edit ${{ needs.read-version.outputs.version }} \
+          gh release edit "${RELEASE_VERSION}" \
             --notes-file ".github/default-release-notes.md"
 
-          gh release upload ${{ needs.read-version.outputs.version }} \
+          gh release upload "${RELEASE_VERSION}" \
             --clobber \
             frontend-dist.zip \
             checksums.txt \
             bom.xml bom.json
+
+      - name: Publish Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ needs.read-version.outputs.version }}
+        run: |-
+          gh release edit "${RELEASE_VERSION}" \
+            --draft=false

.github/workflows/ci-release.yaml

@@ -16,40 +16,50 @@ on:
           - premajor
           - prerelease
 
+permissions: {}
+
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required to create commits.
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
 
       - name: Set up NodeJs
-        uses: actions/setup-node@v6.3.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # tag=v6.3.0
         with:
           node-version: '20'
           cache: 'npm'
 
       - name: Bump version and tag via NodeJS
+        env:
+          VERSION_TO_BUMP: ${{ github.event.inputs.version-to-bump }}
+          GIT_REF: ${{ github.ref }}
         run: |-
           git config user.name "dependencytrack-bot"
           git config user.email "106437498+dependencytrack-bot@users.noreply.github.com"
 
-          npm version ${{ github.event.inputs.version-to-bump }} -m "prepare-release: set version to %s"
+          npm version "${VERSION_TO_BUMP}" -m "prepare-release: set version to %s"
 
-          git push origin "HEAD:${{ github.ref }}"
+          git push origin "HEAD:${GIT_REF}"
 
       - name: Create GitHub Release
         env:
           GITHUB_TOKEN: ${{ secrets.BOT_RELEASE_TOKEN }}
-          GH_OPTS: ''
+          VERSION_TO_BUMP: ${{ github.event.inputs.version-to-bump }}
+          GIT_REF_NAME: ${{ github.ref_name }}
         run: |-
           VERSION=`jq -r '.version' package.json`
+          GH_OPTS=""
 
-          if [[ "${{ contains(github.event.inputs.version-to-bump, 'pre') }}" == "true" ]]; then
+          if [[ "${VERSION_TO_BUMP}" == *pre* ]]; then
             GH_OPTS="--prerelease"
           fi
 
           gh release create "${VERSION}" ${GH_OPTS} \
-            --target "${{ github.ref_name }}" \
+            --target "${GIT_REF_NAME}" \
             --title "${VERSION}" \
+            --draft \
             --generate-notes