Skip to content

Commit 0cdfae9

Browse files
committed
harden GitHub Actions against supply chain attacks
1 parent a790da1 commit 0cdfae9

12 files changed

Lines changed: 221 additions & 85 deletions

.github/dependabot.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# Copyright (c) 2026 Contributors to the Eclipse Foundation
2+
#
3+
# See the NOTICE file(s) distributed with this work for additional
4+
# information regarding copyright ownership.
5+
#
6+
# This program and the accompanying materials are made available under the
7+
# terms of the Eclipse Public License 2.0 which is available at
8+
# http://www.eclipse.org/legal/epl-2.0
9+
#
10+
# SPDX-License-Identifier: EPL-2.0
11+
version: 2
12+
updates:
13+
- package-ecosystem: github-actions
14+
directory: "/"
15+
schedule:
16+
interval: weekly
17+
cooldown:
18+
default-days: 7
19+
open-pull-requests-limit: 10
20+
labels:
21+
- dependencies
22+
commit-message:
23+
prefix: ci
24+
include: scope
25+
groups:
26+
github-actions:
27+
patterns:
28+
- "*"

.github/workflows/docker-nightly.yml

Lines changed: 22 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -20,16 +20,21 @@ jobs:
2020
if: github.repository == 'eclipse-ditto/ditto'
2121
runs-on: ubuntu-latest
2222
steps:
23+
-
24+
name: Harden Runner
25+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
26+
with:
27+
egress-policy: audit
2328
-
2429
name: Checkout
25-
uses: actions/checkout@v6
30+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2631
-
2732
name: Set up QEMU
28-
uses: docker/setup-qemu-action@v3
33+
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
2934
-
3035
name: Set up Docker Buildx
3136
id: buildx
32-
uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images
37+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images
3338
-
3439
name: Inspect buildx builder
3540
run: |
@@ -40,7 +45,7 @@ jobs:
4045
echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
4146
-
4247
name: Login to Docker Hub
43-
uses: docker/login-action@v2
48+
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
4449
with:
4550
username: eclipsedittobot
4651
password: ${{ secrets.DOCKER_HUB_TOKEN }}
@@ -55,7 +60,7 @@ jobs:
5560
echo $IMAGE_TAG
5661
-
5762
name: Build and push ditto-policies
58-
uses: docker/build-push-action@v4
63+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
5964
with:
6065
context: .
6166
file: dockerfile-release
@@ -70,7 +75,7 @@ jobs:
7075
eclipse/ditto-policies:${{ env.IMAGE_TAG }}
7176
-
7277
name: Build and push ditto-things
73-
uses: docker/build-push-action@v4
78+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
7479
with:
7580
context: .
7681
file: dockerfile-release
@@ -85,7 +90,7 @@ jobs:
8590
eclipse/ditto-things:${{ env.IMAGE_TAG }}
8691
-
8792
name: Build and push ditto-gateway
88-
uses: docker/build-push-action@v4
93+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
8994
with:
9095
context: .
9196
file: dockerfile-release
@@ -100,7 +105,7 @@ jobs:
100105
eclipse/ditto-gateway:${{ env.IMAGE_TAG }}
101106
-
102107
name: Build and push ditto-thingsearch
103-
uses: docker/build-push-action@v4
108+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
104109
with:
105110
context: .
106111
file: dockerfile-release
@@ -115,7 +120,7 @@ jobs:
115120
eclipse/ditto-things-search:${{ env.IMAGE_TAG }}
116121
-
117122
name: Build and push ditto-connectivity
118-
uses: docker/build-push-action@v4
123+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
119124
with:
120125
context: .
121126
file: dockerfile-release
@@ -131,7 +136,7 @@ jobs:
131136
eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}
132137
-
133138
name: Use Node.js 18.x
134-
uses: actions/setup-node@v6
139+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
135140
with:
136141
node-version: 20
137142
-
@@ -144,7 +149,7 @@ jobs:
144149
working-directory: ./ui
145150
-
146151
name: Build and push ditto-ui image
147-
uses: docker/build-push-action@v4
152+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
148153
with:
149154
context: ./ui
150155
file: ui/Dockerfile
@@ -155,7 +160,7 @@ jobs:
155160
eclipse/ditto-ui:${{ env.IMAGE_TAG }}
156161
-
157162
name: Run Trivy vulnerability scanner for ditto-policies
158-
uses: aquasecurity/trivy-action@v0.35.0
163+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
159164
with:
160165
image-ref: 'docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}'
161166
format: 'table'
@@ -165,7 +170,7 @@ jobs:
165170
severity: 'CRITICAL'
166171
-
167172
name: Run Trivy vulnerability scanner for ditto-things
168-
uses: aquasecurity/trivy-action@v0.35.0
173+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
169174
with:
170175
image-ref: 'docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}'
171176
format: 'table'
@@ -175,7 +180,7 @@ jobs:
175180
severity: 'CRITICAL'
176181
-
177182
name: Run Trivy vulnerability scanner for ditto-gateway
178-
uses: aquasecurity/trivy-action@v0.35.0
183+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
179184
with:
180185
image-ref: 'docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}'
181186
format: 'table'
@@ -185,7 +190,7 @@ jobs:
185190
severity: 'CRITICAL'
186191
-
187192
name: Run Trivy vulnerability scanner for ditto-things-search
188-
uses: aquasecurity/trivy-action@v0.35.0
193+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
189194
with:
190195
image-ref: 'docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}'
191196
format: 'table'
@@ -195,7 +200,7 @@ jobs:
195200
severity: 'CRITICAL'
196201
-
197202
name: Run Trivy vulnerability scanner for ditto-connectivity
198-
uses: aquasecurity/trivy-action@v0.35.0
203+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
199204
with:
200205
image-ref: 'docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}'
201206
format: 'table'
@@ -205,7 +210,7 @@ jobs:
205210
severity: 'CRITICAL'
206211
-
207212
name: Run Trivy vulnerability scanner for ditto-ui
208-
uses: aquasecurity/trivy-action@v0.35.0
213+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
209214
with:
210215
image-ref: 'docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}'
211216
format: 'table'

.github/workflows/gh-pages.yml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,14 @@ jobs:
2929
concurrency:
3030
group: ${{ github.workflow }}-${{ github.ref }}
3131
steps:
32-
- uses: actions/checkout@v6
32+
- name: Harden Runner
33+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
34+
with:
35+
egress-policy: audit
36+
37+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3338
- name: Use Node.js 18.x
34-
uses: actions/setup-node@v6
39+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
3540
with:
3641
node-version: 20
3742
- name: Install npm dependencies
@@ -41,7 +46,7 @@ jobs:
4146
run: npm run build
4247
working-directory: ./ui
4348
- name: Deploy
44-
uses: peaceiris/actions-gh-pages@v4
49+
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
4550
with:
4651
github_token: ${{ secrets.GITHUB_TOKEN }}
4752
publish_dir: ./ui

.github/workflows/helm-chart-release.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,13 +24,18 @@ jobs:
2424
build:
2525
runs-on: ubuntu-latest
2626
steps:
27+
- name: Harden Runner
28+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
29+
with:
30+
egress-policy: audit
31+
2732
- name: Checkout
28-
uses: actions/checkout@v6
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2934
with:
3035
fetch-depth: 0
3136

3237
- name: Set up Helm
33-
uses: azure/setup-helm@v4.2.0
38+
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
3439
with:
3540
version: ${{ env.VERSION_HELM }}
3641

.github/workflows/helm-chart.yml

Lines changed: 26 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -27,20 +27,25 @@ jobs:
2727
lint-chart:
2828
runs-on: ubuntu-latest
2929
steps:
30+
- name: Harden Runner
31+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
32+
with:
33+
egress-policy: audit
34+
3035
- name: Checkout
31-
uses: actions/checkout@v6
36+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3237
with:
3338
fetch-depth: 0
3439
- name: Set up Helm
35-
uses: azure/setup-helm@v4.2.0
40+
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
3641
with:
3742
version: ${{ env.VERSION_HELM }}
38-
- uses: actions/setup-python@v5
43+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
3944
with:
4045
python-version: ${{ env.VERSION_PYTHON }}
4146
check-latest: true
4247
- name: Set up chart-testing
43-
uses: helm/chart-testing-action@v2.6.1
48+
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
4449
with:
4550
version: ${{ env.VERSION_CHART_TESTING }}
4651
- name: Run chart-testing (list-changed)
@@ -67,12 +72,17 @@ jobs:
6772
- v1.34.3
6873
- v1.35.1
6974
steps:
75+
- name: Harden Runner
76+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
77+
with:
78+
egress-policy: audit
79+
7080
- name: Checkout
71-
uses: actions/checkout@v6
81+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7282
- name: Fetch history for chart testing
7383
run: git fetch --prune --unshallow
7484
- name: Set up Helm
75-
uses: azure/setup-helm@v4.2.0
85+
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
7686
with:
7787
version: ${{ env.VERSION_HELM }}
7888
- name: Run kubeval
@@ -96,20 +106,25 @@ jobs:
96106
- v1.34.3
97107
- v1.35.1
98108
steps:
109+
- name: Harden Runner
110+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
111+
with:
112+
egress-policy: audit
113+
99114
- name: Checkout
100-
uses: actions/checkout@v6
115+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
101116
- name: Fetch history for chart testing
102117
run: git fetch --prune --unshallow
103118
- name: Set up Helm
104-
uses: azure/setup-helm@v4.2.0
119+
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
105120
with:
106121
version: ${{ env.VERSION_HELM }}
107-
- uses: actions/setup-python@v5
122+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
108123
with:
109124
python-version: ${{ env.VERSION_PYTHON }}
110125
check-latest: true
111126
- name: Set up chart-testing
112-
uses: helm/chart-testing-action@v2.6.1
127+
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
113128
with:
114129
version: ${{ env.VERSION_CHART_TESTING }}
115130
- name: Run chart-testing (list-changed)
@@ -121,7 +136,7 @@ jobs:
121136
fi
122137
- name: Create kind ${{ matrix.k8s }} cluster
123138
if: steps.list-changed.outputs.changed == 'true'
124-
uses: helm/kind-action@v1.4.0
139+
uses: helm/kind-action@9e8295d178de23cbfbd8fa16cf844eec1d773a07 # v1.4.0
125140
with:
126141
node_image: kindest/node:${{ matrix.k8s }}
127142
- name: Run chart-testing (install)

.github/workflows/license-check.yml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,8 +18,13 @@ jobs:
1818
check-license-header-year:
1919
runs-on: ubuntu-latest
2020
steps:
21-
- uses: actions/checkout@v6
22-
- uses: jitterbit/get-changed-files@v1
21+
- name: Harden Runner
22+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
23+
with:
24+
egress-policy: audit
25+
26+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
27+
- uses: jitterbit/get-changed-files@b17fbb00bdc0c0f63fcf166580804b4d2cdc2a42 # v1
2328
id: the-files
2429
continue-on-error: true
2530
- name: Printing added files
@@ -43,4 +48,4 @@ jobs:
4348
fi
4449
fi
4550
done
46-
exit $missing_counter
51+
exit $missing_counter

.github/workflows/maven.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -33,10 +33,15 @@ jobs:
3333
runs-on: ubuntu-latest
3434

3535
steps:
36-
- uses: actions/checkout@v6
36+
- name: Harden Runner
37+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
38+
with:
39+
egress-policy: audit
40+
41+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3742

3843
- name: Set up JDK 25
39-
uses: actions/setup-java@v5
44+
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
4045
with:
4146
distribution: 'temurin'
4247
java-version: 25

0 commit comments

Comments
 (0)