Skip to content

Commit 2e8699b

Browse files
authored
Merge pull request #1766 from l3montree-dev/improvment/harden-github-action
Harden github action
2 parents e93ba10 + ee2f5bb commit 2e8699b

8 files changed

Lines changed: 180 additions & 62 deletions

File tree

.github/workflows/devguard-scanner.yaml

Lines changed: 41 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -6,24 +6,20 @@ on:
66
workflow_dispatch:
77
push:
88

9-
permissions:
10-
contents: write
11-
actions: read
12-
security-events: write
13-
packages: write
14-
15-
169
jobs:
1710
golangci:
1811
name: lint
1912
runs-on: ubuntu-latest
13+
permissions:
14+
contents: read
2015
steps:
2116
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
2217
with:
2318
submodules: recursive
19+
persist-credentials: false
2420
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
2521
with:
26-
go-version: '1.25.5'
22+
go-version: '1.25.6'
2723
cache: false
2824
- name: golangci-lint
2925
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 - https://github.com/golangci/golangci-lint-action/releases/tag/v8.0.0
@@ -34,16 +30,18 @@ jobs:
3430
tests:
3531
name: tests
3632
runs-on: ubuntu-latest
37-
33+
permissions:
34+
contents: read
3835
steps:
3936
- name: Check out code
4037
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
4138
with:
4239
submodules: recursive
40+
persist-credentials: false
4341
- name: Set up Go
4442
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
4543
with:
46-
go-version: '1.25.5'
44+
go-version: '1.25.6'
4745

4846
- name: Run unittests
4947
run: go test $(go list ./... | grep -v "/mocks") -coverprofile=coverage.out && go tool cover -func=coverage.out
@@ -56,6 +54,11 @@ jobs:
5654

5755
devguard:
5856
uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
57+
permissions:
58+
contents: write
59+
actions: read
60+
security-events: write
61+
packages: write
5962
with:
6063
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
6164
api-url: https://api.main.devguard.org
@@ -70,6 +73,9 @@ jobs:
7073

7174
build-scanner-image:
7275
uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
76+
permissions:
77+
contents: read
78+
packages: write
7379
with:
7480
artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
7581
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
@@ -83,6 +89,9 @@ jobs:
8389
# Image scanning job to detect vulnerabilities in the built Docker image
8490
scanner-container-scanning:
8591
uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
92+
permissions:
93+
contents: read
94+
security-events: write
8695
needs:
8796
- build-scanner-image
8897
with:
@@ -97,11 +106,14 @@ jobs:
97106
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
98107

99108
deploy-scanner:
100-
needs:
109+
needs:
101110
- build-scanner-image
102111
- scanner-container-scanning
103112
- tests
104113
uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
114+
permissions:
115+
contents: read
116+
packages: write
105117
with:
106118
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
107119
api-url: https://api.main.devguard.org
@@ -110,11 +122,14 @@ jobs:
110122
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
111123

112124
sign-scanner:
113-
needs:
125+
needs:
114126
- build-scanner-image
115127
- scanner-container-scanning
116128
- tests
117129
uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
130+
permissions:
131+
contents: read
132+
packages: write
118133
with:
119134
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
120135
api-url: https://api.main.devguard.org
@@ -124,11 +139,14 @@ jobs:
124139
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
125140

126141
attest-scanner:
127-
needs:
142+
needs:
128143
- build-scanner-image
129144
- scanner-container-scanning
130145
- tests
131146
uses: l3montree-dev/devguard-action/.github/workflows/attest.yml@main
147+
permissions:
148+
contents: read
149+
packages: write
132150
with:
133151
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
134152
api-url: https://api.main.devguard.org
@@ -140,6 +158,8 @@ jobs:
140158
release:
141159
name: Build and Release Binaries
142160
runs-on: ubuntu-latest
161+
permissions:
162+
contents: write
143163
# needs: [golangci, tests, sign-scanner, devguard]
144164
if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'
145165
outputs:
@@ -149,16 +169,18 @@ jobs:
149169
uses: actions/checkout@v4
150170
with:
151171
fetch-depth: 0
172+
persist-credentials: false
152173

153174
- name: Set up Go
154175
uses: actions/setup-go@v5
155176
with:
156-
go-version: '1.25'
177+
go-version: '1.25.6'
178+
cache: false
157179

158180
- name: Get tag
159181
id: tag
160182
run: |
161-
if [[ "${{ github.ref }}" == refs/tags/* ]]; then
183+
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
162184
echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
163185
echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
164186
else
@@ -170,7 +192,7 @@ jobs:
170192
mkdir -p dist
171193
172194
# Build flags for security-hardened binaries
173-
BUILD_FLAGS="-s -w -buildid= -X main.version=${{ steps.tag.outputs.tag }} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
195+
BUILD_FLAGS="-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
174196
175197
# Build for Linux amd64
176198
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-linux-amd64 ./cmd/devguard-scanner
@@ -189,6 +211,8 @@ jobs:
189211
190212
# Build for macOS arm64
191213
GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
214+
env:
215+
STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
192216

193217
- name: Create archives
194218
run: |
@@ -231,7 +255,7 @@ jobs:
231255
"
232256
233257
- name: Create GitHub Release
234-
uses: softprops/action-gh-release@v1
258+
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
235259
with:
236260
tag_name: ${{ steps.tag.outputs.tag }}
237261
name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"

.github/workflows/documentation_policy_check.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,8 @@
11
name: Documentation Policy Check
22
on:
33
pull_request:
4+
permissions:
5+
contents: read
46
jobs:
57
# naming_convention_check:
68
# uses: l3montree-dev/devguard-action/.github/workflows/naming-convention.yml@add-documentation-policy

.github/workflows/postgresql.yaml

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,13 +7,15 @@ on:
77

88
permissions:
99
contents: read
10-
packages: write
1110

1211
# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
1312
jobs:
1413
# Docker image build job
1514
build-image:
1615
uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
16+
permissions:
17+
contents: read
18+
packages: write
1719
with:
1820
artifact-name: "postgresql"
1921
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
@@ -38,10 +40,13 @@ jobs:
3840
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
3941

4042
deploy:
41-
needs:
43+
needs:
4244
- build-image
4345
- container-scanning
4446
uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
47+
permissions:
48+
contents: read
49+
packages: write
4550
with:
4651
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
4752
api-url: https://api.main.devguard.org
@@ -51,10 +56,13 @@ jobs:
5156
if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
5257

5358
sign:
54-
needs:
59+
needs:
5560
- build-image
5661
- container-scanning
5762
uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
63+
permissions:
64+
contents: read
65+
packages: write
5866
with:
5967
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
6068
api-url: https://api.main.devguard.org

.github/workflows/vulndb.yaml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -54,10 +54,12 @@ jobs:
5454
PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "CREATE EXTENSION IF NOT EXISTS semver;"
5555
- name: Checkout code
5656
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
57+
with:
58+
persist-credentials: false
5759
- name: Install Golang
5860
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
5961
with:
60-
go-version: 1.25
62+
go-version: "1.25"
6163
- name: Import the last database version (this takes some time)
6264
if: ${{ github.event.inputs.run_import == 'true' || github.event.inputs.run_import == null }}
6365
run: |
@@ -97,7 +99,7 @@ jobs:
9799
if: ${{ github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
98100
run: zip -r vulndb.zip diffs-tmp
99101
- name: Install Cosign
100-
uses: sigstore/cosign-installer@v4.0.0
102+
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
101103
with:
102104
cosign-release: "v2.6.1"
103105

@@ -109,13 +111,13 @@ jobs:
109111
COSIGN_PASSWORD: ""
110112
run: cosign import-key-pair --key cosign.key && cosign sign-blob --yes --key import-cosign.key vulndb.zip > vulndb.zip.sig
111113
- name: Login to GitHub Container Registry
112-
uses: docker/login-action@v3
114+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
113115
with:
114116
registry: ghcr.io
115117
username: ${{ github.actor }}
116118
password: ${{ secrets.GITHUB_TOKEN }}
117119
- name: Setup oras cli
118-
uses: oras-project/setup-oras@v1
120+
uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
119121

120122
- name: set the date
121123
run: echo "date="${{env.DATE}} >> "$GITHUB_ENV"

Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
# You should have received a copy of the GNU Affero General Public License
1414
# along with this program. If not, see <http://www.gnu.org/licenses/>.
1515

16-
FROM golang:1.25.5-trixie@sha256:4f9d98ebaa759f776496d850e0439c48948d587b191fc3949b5f5e4667abef90 AS golang-builder
16+
FROM golang:1.25.6-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS golang-builder
1717

1818
ARG GITHUB_SHA
1919
ARG GITHUB_REF_NAME

Dockerfile.scanner

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
FROM golang:1.25.5-trixie@sha256:4f9d98ebaa759f776496d850e0439c48948d587b191fc3949b5f5e4667abef90 AS golang-builder
1+
FROM golang:1.25.6-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS golang-builder
22

33
# set the working directory
44
WORKDIR /app

0 commit comments

Comments
 (0)