Skip to content

Commit 40f6cd1

Browse files
authored
Merge pull request #2421 from beyonnex-io/harden-gha-supply-chain
harden GitHub Actions against supply chain attacks
2 parents 9e46eef + 3bea98e commit 40f6cd1

13 files changed

Lines changed: 340 additions & 96 deletions

.github/dependabot.yml

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
# Copyright (c) 2026 Contributors to the Eclipse Foundation
2+
#
3+
# See the NOTICE file(s) distributed with this work for additional
4+
# information regarding copyright ownership.
5+
#
6+
# This program and the accompanying materials are made available under the
7+
# terms of the Eclipse Public License 2.0 which is available at
8+
# http://www.eclipse.org/legal/epl-2.0
9+
#
10+
# SPDX-License-Identifier: EPL-2.0
11+
version: 2
12+
updates:
13+
- package-ecosystem: github-actions
14+
directory: "/"
15+
schedule:
16+
interval: weekly
17+
cooldown:
18+
default-days: 7
19+
open-pull-requests-limit: 10
20+
labels:
21+
- dependencies
22+
commit-message:
23+
prefix: ci
24+
include: scope
25+
groups:
26+
github-actions:
27+
patterns:
28+
- "*"

.github/workflows/docker-nightly.yml

Lines changed: 27 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -15,21 +15,31 @@ on:
1515
- cron: '0 1 * * *' # run at 1 AM UTC
1616
workflow_dispatch:
1717

18+
permissions:
19+
contents: read
20+
1821
jobs:
1922
build:
2023
if: github.repository == 'eclipse-ditto/ditto'
2124
runs-on: ubuntu-latest
2225
steps:
26+
-
27+
name: Harden Runner
28+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
29+
with:
30+
egress-policy: audit
2331
-
2432
name: Checkout
25-
uses: actions/checkout@v6
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
34+
with:
35+
persist-credentials: false
2636
-
2737
name: Set up QEMU
28-
uses: docker/setup-qemu-action@v3
38+
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
2939
-
3040
name: Set up Docker Buildx
3141
id: buildx
32-
uses: docker/setup-buildx-action@v3 # setup buildx in order to do build and push multi-architecture images
42+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 # setup buildx in order to do build and push multi-architecture images
3343
-
3444
name: Inspect buildx builder
3545
run: |
@@ -40,7 +50,7 @@ jobs:
4050
echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
4151
-
4252
name: Login to Docker Hub
43-
uses: docker/login-action@v2
53+
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
4454
with:
4555
username: eclipsedittobot
4656
password: ${{ secrets.DOCKER_HUB_TOKEN }}
@@ -55,7 +65,7 @@ jobs:
5565
echo $IMAGE_TAG
5666
-
5767
name: Build and push ditto-policies
58-
uses: docker/build-push-action@v4
68+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
5969
with:
6070
context: .
6171
file: dockerfile-release
@@ -70,7 +80,7 @@ jobs:
7080
eclipse/ditto-policies:${{ env.IMAGE_TAG }}
7181
-
7282
name: Build and push ditto-things
73-
uses: docker/build-push-action@v4
83+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
7484
with:
7585
context: .
7686
file: dockerfile-release
@@ -85,7 +95,7 @@ jobs:
8595
eclipse/ditto-things:${{ env.IMAGE_TAG }}
8696
-
8797
name: Build and push ditto-gateway
88-
uses: docker/build-push-action@v4
98+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
8999
with:
90100
context: .
91101
file: dockerfile-release
@@ -100,7 +110,7 @@ jobs:
100110
eclipse/ditto-gateway:${{ env.IMAGE_TAG }}
101111
-
102112
name: Build and push ditto-thingsearch
103-
uses: docker/build-push-action@v4
113+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
104114
with:
105115
context: .
106116
file: dockerfile-release
@@ -115,7 +125,7 @@ jobs:
115125
eclipse/ditto-things-search:${{ env.IMAGE_TAG }}
116126
-
117127
name: Build and push ditto-connectivity
118-
uses: docker/build-push-action@v4
128+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
119129
with:
120130
context: .
121131
file: dockerfile-release
@@ -131,7 +141,7 @@ jobs:
131141
eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}
132142
-
133143
name: Use Node.js 18.x
134-
uses: actions/setup-node@v6
144+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
135145
with:
136146
node-version: 20
137147
-
@@ -144,7 +154,7 @@ jobs:
144154
working-directory: ./ui
145155
-
146156
name: Build and push ditto-ui image
147-
uses: docker/build-push-action@v4
157+
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1
148158
with:
149159
context: ./ui
150160
file: ui/Dockerfile
@@ -155,7 +165,7 @@ jobs:
155165
eclipse/ditto-ui:${{ env.IMAGE_TAG }}
156166
-
157167
name: Run Trivy vulnerability scanner for ditto-policies
158-
uses: aquasecurity/trivy-action@v0.35.0
168+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
159169
with:
160170
image-ref: 'docker.io/eclipse/ditto-policies:${{ env.IMAGE_TAG }}'
161171
format: 'table'
@@ -165,7 +175,7 @@ jobs:
165175
severity: 'CRITICAL'
166176
-
167177
name: Run Trivy vulnerability scanner for ditto-things
168-
uses: aquasecurity/trivy-action@v0.35.0
178+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
169179
with:
170180
image-ref: 'docker.io/eclipse/ditto-things:${{ env.IMAGE_TAG }}'
171181
format: 'table'
@@ -175,7 +185,7 @@ jobs:
175185
severity: 'CRITICAL'
176186
-
177187
name: Run Trivy vulnerability scanner for ditto-gateway
178-
uses: aquasecurity/trivy-action@v0.35.0
188+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
179189
with:
180190
image-ref: 'docker.io/eclipse/ditto-gateway:${{ env.IMAGE_TAG }}'
181191
format: 'table'
@@ -185,7 +195,7 @@ jobs:
185195
severity: 'CRITICAL'
186196
-
187197
name: Run Trivy vulnerability scanner for ditto-things-search
188-
uses: aquasecurity/trivy-action@v0.35.0
198+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
189199
with:
190200
image-ref: 'docker.io/eclipse/ditto-things-search:${{ env.IMAGE_TAG }}'
191201
format: 'table'
@@ -195,7 +205,7 @@ jobs:
195205
severity: 'CRITICAL'
196206
-
197207
name: Run Trivy vulnerability scanner for ditto-connectivity
198-
uses: aquasecurity/trivy-action@v0.35.0
208+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
199209
with:
200210
image-ref: 'docker.io/eclipse/ditto-connectivity:${{ env.IMAGE_TAG }}'
201211
format: 'table'
@@ -205,7 +215,7 @@ jobs:
205215
severity: 'CRITICAL'
206216
-
207217
name: Run Trivy vulnerability scanner for ditto-ui
208-
uses: aquasecurity/trivy-action@v0.35.0
218+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
209219
with:
210220
image-ref: 'docker.io/eclipse/ditto-ui:${{ env.IMAGE_TAG }}'
211221
format: 'table'

.github/workflows/gh-pages.yml

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,9 @@ on:
2121
# Enable manually triggering
2222
workflow_dispatch:
2323

24+
permissions:
25+
contents: read
26+
2427
jobs:
2528
deploy:
2629
runs-on: ubuntu-20.04
@@ -29,9 +32,16 @@ jobs:
2932
concurrency:
3033
group: ${{ github.workflow }}-${{ github.ref }}
3134
steps:
32-
- uses: actions/checkout@v6
35+
- name: Harden Runner
36+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
37+
with:
38+
egress-policy: audit
39+
40+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
41+
with:
42+
persist-credentials: false
3343
- name: Use Node.js 18.x
34-
uses: actions/setup-node@v6
44+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
3545
with:
3646
node-version: 20
3747
- name: Install npm dependencies
@@ -41,7 +51,7 @@ jobs:
4151
run: npm run build
4252
working-directory: ./ui
4353
- name: Deploy
44-
uses: peaceiris/actions-gh-pages@v4
54+
uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
4555
with:
4656
github_token: ${{ secrets.GITHUB_TOKEN }}
4757
publish_dir: ./ui

.github/workflows/helm-chart-release.yml

Lines changed: 20 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -20,17 +20,26 @@ on:
2020
required: true
2121
type: string
2222

23+
permissions:
24+
contents: read
25+
2326
jobs:
2427
build:
2528
runs-on: ubuntu-latest
2629
steps:
30+
- name: Harden Runner
31+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
32+
with:
33+
egress-policy: audit
34+
2735
- name: Checkout
28-
uses: actions/checkout@v6
36+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2937
with:
3038
fetch-depth: 0
39+
persist-credentials: false
3140

3241
- name: Set up Helm
33-
uses: azure/setup-helm@v4.2.0
42+
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
3443
with:
3544
version: ${{ env.VERSION_HELM }}
3645

@@ -40,11 +49,15 @@ jobs:
4049

4150
- name: Helm | Package
4251
shell: bash
43-
run: helm package deployment/helm/ditto --dependency-update --version ${{ inputs.chartVersion }}
52+
env:
53+
CHART_VERSION: ${{ inputs.chartVersion }}
54+
run: helm package deployment/helm/ditto --dependency-update --version "$CHART_VERSION"
4455

4556
- name: Helm | Push
4657
shell: bash
47-
run: helm push ditto-${{ inputs.chartVersion }}.tgz oci://registry-1.docker.io/eclipse
58+
env:
59+
CHART_VERSION: ${{ inputs.chartVersion }}
60+
run: helm push "ditto-${CHART_VERSION}.tgz" oci://registry-1.docker.io/eclipse
4861

4962
- name: Helm | Logout
5063
shell: bash
@@ -53,4 +66,6 @@ jobs:
5366
- name: Helm | Output
5467
id: output
5568
shell: bash
56-
run: echo "image=registry-1.docker.io/eclipse/ditto:${{ inputs.chartVersion }}" >> $GITHUB_OUTPUT
69+
env:
70+
CHART_VERSION: ${{ inputs.chartVersion }}
71+
run: echo "image=registry-1.docker.io/eclipse/ditto:${CHART_VERSION}" >> $GITHUB_OUTPUT

0 commit comments

Comments
 (0)