Skip to content

Commit 0e6d66b

Browse files
authored
Merge pull request #546 from com-pas/fix/harden-github-actions
fix: harden GitHub Actions workflows against supply chain and injection attacks
2 parents dce834f + 18c7dfb commit 0e6d66b

5 files changed

Lines changed: 65 additions & 61 deletions

File tree

.github/workflows/build-project.yml

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -18,29 +18,31 @@ jobs:
1818
name: Build
1919
runs-on: ubuntu-latest
2020
timeout-minutes: 15
21+
permissions:
22+
contents: read
2123

2224
steps:
2325
- name: Checkout
24-
uses: actions/checkout@v6
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
2527

2628
- name: Cache Docker Register
27-
uses: actions/cache@v5
29+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
2830
with:
2931
path: /tmp/.buildx-cache
3032
key: ${{ runner.os }}-buildx-${{ hashFiles('**/Dockerfile') }}
3133

3234
- name: Set up Docker Buildx
3335
id: buildx
34-
uses: docker/setup-buildx-action@v3
36+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
3537
- name: Set up JDK 17
36-
uses: actions/setup-java@v5
38+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
3739
with:
3840
distribution: 'zulu'
3941
java-version: '17'
4042
cache: 'maven'
4143

4244
- name: Create custom Maven Settings.xml
43-
uses: whelk-io/maven-settings-xml-action@v21
45+
uses: whelk-io/maven-settings-xml-action@7c60eb95b2d5ec18f2e0e29f34c9ed69475e7a96 # v21
4446
with:
4547
output_file: custom_maven_settings.xml
4648
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'

.github/workflows/release-please.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -17,42 +17,42 @@ jobs:
1717
release_please:
1818
runs-on: ubuntu-latest
1919
steps:
20-
- uses: googleapis/release-please-action@v4
20+
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
2121
id: release
2222
with:
2323
target-branch: main
2424
- name: Checkout
2525
if: ${{ steps.release.outputs.release_created }}
26-
uses: actions/checkout@v6
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
2727

2828
- name: Cache Docker Register
2929
if: ${{ steps.release.outputs.release_created }}
30-
uses: actions/cache@v5
30+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
3131
with:
3232
path: /tmp/.buildx-cache
3333
key: ${{ runner.os }}-buildx-${{ hashFiles('**/Dockerfile') }}
3434

3535
- name: Set up JDK 17
3636
if: ${{ steps.release.outputs.release_created }}
37-
uses: actions/setup-java@v5
37+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
3838
with:
3939
distribution: 'zulu'
4040
java-version: '17'
4141
cache: 'maven'
4242
- name: Set up Docker Buildx
4343
if: ${{ steps.release.outputs.release_created }}
4444
id: buildx
45-
uses: docker/setup-buildx-action@v3
45+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
4646
- name: Login to Docker Hub
4747
if: ${{ steps.release.outputs.release_created }}
48-
uses: docker/login-action@v3
48+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
4949
with:
5050
username: ${{ secrets.DOCKER_HUB_USERNAME }}
5151
password: ${{ secrets.DOCKER_HUB_TOKEN }}
5252

5353
- name: Create custom Maven Settings.xml
5454
if: ${{ steps.release.outputs.release_created }}
55-
uses: whelk-io/maven-settings-xml-action@v22
55+
uses: whelk-io/maven-settings-xml-action@9dc09b23833fa9aa7f27b63db287951856f3433d # v22
5656
with:
5757
output_file: custom_maven_settings.xml
5858
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'

.github/workflows/reuse.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,8 +9,10 @@ on: push
99
jobs:
1010
test:
1111
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
1214
steps:
1315
- name: Checkout
14-
uses: actions/checkout@v6
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1517
- name: REUSE Compliance Check
16-
uses: fsfe/reuse-action@v6
18+
uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6

.github/workflows/sonarcloud-analysis.yml

Lines changed: 27 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -14,54 +14,54 @@ jobs:
1414
runs-on: ubuntu-latest
1515
if: github.event.workflow_run.conclusion == 'success'
1616
timeout-minutes: 15
17+
permissions:
18+
contents: read
19+
actions: read
20+
pull-requests: read
1721
steps:
1822
- name: echo event
1923
run: cat $GITHUB_EVENT_PATH
2024
- name: Download PR number artifact
21-
if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
22-
uses: dawidd6/action-download-artifact@v14
25+
if: github.event.workflow_run.event == 'pull_request'
26+
uses: dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
2327
with:
2428
workflow: SonarCloud Build
2529
run_id: ${{ github.event.workflow_run.id }}
2630
name: PR_NUMBER
2731
- name: Read PR_NUMBER.txt
28-
if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
32+
if: github.event.workflow_run.event == 'pull_request'
2933
id: pr_number
30-
uses: juliangruber/read-file-action@v1
34+
uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1
3135
with:
3236
path: ./PR_NUMBER.txt
3337
- name: Request GitHub API for PR data
34-
if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
35-
uses: octokit/request-action@v2.x
38+
if: github.event.workflow_run.event == 'pull_request'
39+
uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
3640
id: get_pr_data
3741
with:
3842
route: GET /repos/{full_name}/pulls/{number}
3943
number: ${{ steps.pr_number.outputs.content }}
4044
full_name: ${{ github.event.repository.full_name }}
4145
env:
4246
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
43-
- uses: actions/checkout@v6
47+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4448
with:
45-
repository: ${{ github.event.workflow_run.head_repository.full_name }}
46-
ref: ${{ github.event.workflow_run.head_branch }}
4749
fetch-depth: 0
48-
- name: Checkout base branch
49-
if: github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target')
50-
run: |
51-
git remote add upstream ${{ github.event.repository.clone_url }}
52-
git fetch upstream
53-
git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
54-
git checkout ${{ github.event.workflow_run.head_branch }}
55-
git clean -ffdx && git reset --hard HEAD
50+
- name: Download build artifacts
51+
uses: dawidd6/action-download-artifact@5c98f0b039f36ef966fdb7dfa9779262785ecb05 # v14
52+
with:
53+
workflow: SonarCloud Build
54+
run_id: ${{ github.event.workflow_run.id }}
55+
name: build-artifacts
5656
- name: Cache SonarCloud packages
57-
uses: actions/cache@v5
57+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
5858
with:
5959
path: ~/.sonar/cache
6060
key: ${{ runner.os }}-sonar
6161
restore-keys: ${{ runner.os }}-sonar
6262

6363
- name: Set up JDK 17
64-
uses: actions/setup-java@v5
64+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
6565
with:
6666
distribution: 'zulu'
6767
java-version: '17'
@@ -70,35 +70,35 @@ jobs:
7070
- name: Set Common Sonar Variables
7171
id: sonar_env
7272
run: |
73-
echo "##[set-output name=sonar_opts;]$(echo -Dsonar.host.url=https://sonarcloud.io \
73+
echo "sonar_opts=-Dsonar.host.url=https://sonarcloud.io \
7474
-Dsonar.projectKey=com-pas_compas-cim-mapping \
75-
-Dsonar.organization=com-pas )"
75+
-Dsonar.organization=com-pas" >> $GITHUB_OUTPUT
7676
- name: Create custom Maven Settings.xml
77-
uses: whelk-io/maven-settings-xml-action@v21
77+
uses: whelk-io/maven-settings-xml-action@7c60eb95b2d5ec18f2e0e29f34c9ed69475e7a96 # v21
7878
with:
7979
output_file: custom_maven_settings.xml
8080
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
8181
- name: Build and analyze (Pull Request)
82-
if: ${{ github.event.workflow_run.event == 'pull_request' || (github.event.workflow_run.actor == 'dependabot[bot]' && github.event.workflow_run.event == 'pull_request_target') }}
82+
if: ${{ github.event.workflow_run.event == 'pull_request' }}
8383
env:
8484
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
8585
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
8686
run: |
87-
./mvnw -B -s custom_maven_settings.xml -Psonar \
87+
mvn -B -s custom_maven_settings.xml -Psonar \
8888
${{ steps.sonar_env.outputs.sonar_opts }} \
8989
-Dsonar.pullrequest.branch=${{ fromJson(steps.get_pr_data.outputs.data).head.ref }} \
9090
-Dsonar.pullrequest.key=${{ fromJson(steps.get_pr_data.outputs.data).number }} \
9191
-Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} \
9292
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
93-
clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
93+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
9494
- name: Build and analyze (Push)
9595
if: ${{ github.event.workflow_run.event == 'push' }}
9696
env:
9797
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
9898
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
9999
run: |
100-
./mvnw -B -s custom_maven_settings.xml -Psonar \
100+
mvn -B -s custom_maven_settings.xml -Psonar \
101101
${{ steps.sonar_env.outputs.sonar_opts }} \
102102
-Dsonar.scm.revision=${{ github.event.workflow_run.head_sha }} \
103103
-Dsonar.branch.name=${{ github.event.workflow_run.head_branch }} \
104-
clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
104+
org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

.github/workflows/sonarcloud-build.yml

Lines changed: 20 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -12,61 +12,61 @@ on:
1212
branches:
1313
- 'main'
1414
- 'develop'
15-
pull_request_target:
16-
branches:
17-
- 'main'
18-
- 'develop'
1915

2016
jobs:
2117
precheck-build:
2218
name: Pre Check Build
2319
runs-on: ubuntu-latest
2420
timeout-minutes: 30
21+
permissions:
22+
contents: read
2523

26-
if: ${{ (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
2724
steps:
2825
- name: Checkout
29-
uses: actions/checkout@v6
26+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
3027
with:
3128
fetch-depth: 0
3229

3330
- name: Cache SonarCloud packages
34-
uses: actions/cache@v5
31+
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5
3532
with:
3633
path: ~/.sonar/cache
3734
key: ${{ runner.os }}-sonar
3835
restore-keys: ${{ runner.os }}-sonar
3936

4037
- name: Set up JDK 17
41-
uses: actions/setup-java@v5
38+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
4239
with:
4340
distribution: 'zulu'
4441
java-version: '17'
4542
cache: 'maven'
4643

4744
- name: Create custom Maven Settings.xml
48-
uses: whelk-io/maven-settings-xml-action@v21
45+
uses: whelk-io/maven-settings-xml-action@7c60eb95b2d5ec18f2e0e29f34c9ed69475e7a96 # v21
4946
with:
5047
output_file: custom_maven_settings.xml
5148
servers: '[{ "id": "github-packages-compas", "username": "OWNER", "password": "${{ secrets.GITHUB_TOKEN }}" }]'
52-
- name: Build and analyze (Pull Request)
53-
if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
54-
env:
55-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
56-
run: |
57-
./mvnw -B -s custom_maven_settings.xml clean verify
58-
- name: Build and analyze (Push)
59-
if: ${{ github.event_name == 'push' }}
49+
- name: Build
6050
env:
6151
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
6252
run: |
6353
./mvnw -B -s custom_maven_settings.xml clean verify
54+
- name: Upload build artifacts
55+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
56+
with:
57+
name: build-artifacts
58+
path: |
59+
service/src/
60+
app/src/
61+
service/target/
62+
app/target/
63+
retention-days: 1
6464
- name: Save PR number to file
65-
if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
65+
if: github.event_name == 'pull_request'
6666
run: echo ${{ github.event.pull_request.number }} > PR_NUMBER.txt
6767
- name: Archive PR number
68-
if: ${{ github.event_name == 'pull_request' || (github.actor == 'dependabot[bot]' && github.event_name == 'pull_request_target') }}
69-
uses: actions/upload-artifact@v6
68+
if: github.event_name == 'pull_request'
69+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
7070
with:
7171
name: PR_NUMBER
7272
path: PR_NUMBER.txt

0 commit comments

Comments
 (0)