Merge pull request #325 from boostorg/security-hardening

Author: Flamefire

.azure-pipelines.yml

@@ -1,7 +1,7 @@
 ---
 # Copyright 2015-2019 Rene Rivera.
 # Copyright 2019 Mateusz Loskot <mateusz at loskot dot net>
-# Copyright 2020-2024 Alexander Grund
+# Copyright 2020-2026 Alexander Grund
 # Distributed under the Boost Software License, Version 1.0.
 # (See accompanying file LICENSE_1_0.txt or copy at http://boost.org/LICENSE_1_0.txt)
 
@@ -137,7 +137,7 @@ stages:
             - bash: |
                 set -ex
 
-                for i in {1..$NET_RETRY_COUNT}; do
+                for ((i=1; i <= NET_RETRY_COUNT; i++)); do
                   git clone --depth 1 --branch master https://github.com/boostorg/boost-ci.git boost-ci-cloned && break || sleep 10
                 done
                 # Copy ci folder if not testing Boost.CI

.drone/drone.sh

@@ -11,7 +11,7 @@ export CC=${CC:-gcc}
 export PATH=~/.local/bin:/usr/local/bin:$PATH
 
 git clone https://github.com/boostorg/boost-ci.git boost-ci-cloned --depth 1
-[ "$(basename $DRONE_REPO)" == "boost-ci" ] || cp -prf boost-ci-cloned/ci .
+[[ "$(basename "$DRONE_REPO")" == "boost-ci" ]] || cp -prf boost-ci-cloned/ci .
 rm -rf boost-ci-cloned
 
 export BOOST_CI_TARGET_BRANCH="$DRONE_BRANCH"
@@ -33,6 +33,7 @@ if [[ $(uname) == "Linux" ]]; then
         error=1
     fi
     if ((error == 1)); then
+        # shellcheck disable=SC2016
         [[ "${DRONE_EXTRA_PRIVILEGED:-0}" == "True" ]] || echo 'Try passing `privileged=True` to the job in .drone.star'
         echo -e "\n"
     fi
@@ -46,6 +47,7 @@ scripts=(
 for script in "${scripts[@]}"; do
     if [ -e "$script" ]; then
         echo "==============================> RUN $script"
+        # shellcheck disable=SC1090
         source "$script"
         set +x
     fi
@@ -56,26 +58,28 @@ echo "==================================> SCRIPT ($DRONE_JOB_BUILDTYPE)"
 
 case "$DRONE_JOB_BUILDTYPE" in
     boost)
-        $BOOST_CI_SRC_FOLDER/ci/build.sh
+        "$BOOST_CI_SRC_FOLDER/ci/build.sh"
         ;;
     codecov)
-        $BOOST_CI_SRC_FOLDER/ci/travis/codecov.sh
+        "$BOOST_CI_SRC_FOLDER/ci/travis/codecov.sh"
         ;;
     valgrind)
-        $BOOST_CI_SRC_FOLDER/ci/travis/valgrind.sh
+        "$BOOST_CI_SRC_FOLDER/ci/travis/valgrind.sh"
         ;;
     coverity)
         echo "DRONE_BRANCH=$DRONE_BRANCH, DRONE_BUILD_EVENT=$DRONE_BUILD_EVENT, DRONE_REPO=$DRONE_REPO"
         if [[ "$DRONE_BRANCH" =~ ^(master|develop)$ ]] && [[ "$DRONE_BUILD_EVENT" =~ ^(push|cron)$ ]]; then
             if [ -z "$COVERITY_SCAN_NOTIFICATION_EMAIL" ] || [ -z "$COVERITY_SCAN_TOKEN" ]; then
                 echo "Coverity details not set up"
+                # shellcheck disable=SC2016
                 [ -n "$COVERITY_SCAN_NOTIFICATION_EMAIL" ] || echo 'Missing $COVERITY_SCAN_NOTIFICATION_EMAIL'
+                # shellcheck disable=SC2016
                 [ -n "$COVERITY_SCAN_TOKEN" ] || echo 'Missing $COVERITY_SCAN_TOKEN'
                 exit 1
             fi
             export BOOST_REPO="$DRONE_REPO"
 			export BOOST_BRANCH="$DRONE_BRANCH"
-            $BOOST_CI_SRC_FOLDER/ci/coverity.sh
+            "$BOOST_CI_SRC_FOLDER/ci/coverity.sh"
         fi
         ;;
     *)

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 #
 # Copyright 2020-2021 Peter Dimov
 # Copyright 2021 Andrey Semashev
-# Copyright 2021-2024 Alexander Grund
+# Copyright 2021-2026 Alexander Grund
 # Copyright 2022-2025 James E. King III
 #
 # Distributed under the Boost Software License, Version 1.0.
@@ -16,6 +16,9 @@
 ---
 name: Boost.CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:

.github/workflows/ci_test_no_jobs.yml

@@ -1,7 +1,7 @@
 #
 # Copyright 2020-2021 Peter Dimov
 # Copyright 2021 Andrey Semashev
-# Copyright 2021-2024 Alexander Grund
+# Copyright 2021-2026 Alexander Grund
 # Copyright 2022-2025 James E. King III
 #
 # Distributed under the Boost Software License, Version 1.0.
@@ -14,6 +14,9 @@
 ---
 name: Test.NoJobs.CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:

.github/workflows/ci_test_opposite.yml

@@ -1,7 +1,7 @@
 #
 # Copyright 2020-2021 Peter Dimov
 # Copyright 2021 Andrey Semashev
-# Copyright 2021-2024 Alexander Grund
+# Copyright 2021-2026 Alexander Grund
 # Copyright 2022-2025 James E. King III
 #
 # Distributed under the Boost Software License, Version 1.0.
@@ -14,6 +14,9 @@
 ---
 name: Test.Opposite.CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
@@ -28,7 +31,7 @@ on:
       - LICENSE
       - meta/**
       - README.md
-
+  
 jobs:
   call-neutered-boost-ci:
     name: Run Boost.CI

.github/workflows/code-coverage.yml

@@ -15,6 +15,9 @@
 
 name: Code Coverage
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:
@@ -61,7 +64,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check for code-coverage Branch
         run: |
@@ -80,30 +83,31 @@ jobs:
             fi
 
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.13'
 
       - name: Install Python packages
         run: pip install gcovr
 
       - name: Checkout ci-automation
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: cppalliance/ci-automation
           path: ci-automation
 
       - name: Build and run tests & collect coverage data
+        env:
+          B2_CXXSTD: ${{matrix.cxxstd}}
+          ORGANIZATION: ${{github.repository_owner}}
         run: |
             set -xe
             ls -al
-            export ORGANIZATION=${GITHUB_REPOSITORY_OWNER}
-            export REPONAME=$(basename ${GITHUB_REPOSITORY})
-            export B2_CXXSTD=${{matrix.cxxstd}}
+            export REPONAME=$(basename "${GITHUB_REPOSITORY}")
             ${{matrix.gcovr_script}}
 
       - name: Checkout GitHub pages branch
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: code-coverage
           path: gh_pages_dir

.github/workflows/old_ci.yml

@@ -1,7 +1,7 @@
 #
 # Copyright 2020-2021 Peter Dimov
 # Copyright 2021 Andrey Semashev
-# Copyright 2021-2024 Alexander Grund
+# Copyright 2021-2026 Alexander Grund
 #
 # Distributed under the Boost Software License, Version 1.0.
 # (See accompanying file LICENSE_1_0.txt or copy at http://boost.org/LICENSE_1_0.txt)
@@ -11,6 +11,9 @@
 ---
 name: Compatible.Old.CI
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
@@ -117,12 +120,12 @@ jobs:
     steps:
       - name: Setup environment
         run: |
-            [ ! -f "/etc/debian_version" ] || echo "DEBIAN_FRONTEND=noninteractive" >> $GITHUB_ENV
+            [ ! -f "/etc/debian_version" ] || echo "DEBIAN_FRONTEND=noninteractive" >> "$GITHUB_ENV"
             git config --global pack.threads 0
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: '!matrix.coverage'
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: 'matrix.coverage'
         with: { fetch-depth: 0 }