ci: harden all workflows against CI best practices checklist (#57)

- Add step-security/harden-runner to all 17 jobs (egress-policy: audit)
- Add merge_group trigger to ci.yml and security.yml for merge queue
- Add workflow_dispatch to auto-approve, dependabot-auto-merge,
  post-merge, and pr-title workflows
- Add concurrency groups to auto-approve and post-merge workflows
- Create composite action for Node.js setup (deduplicates 5 jobs)
- Fix github.actor to github.event.pull_request.user.login in
  auto-approve, dependabot-auto-merge, and pr-title workflows
- Move stale.yml write permissions from workflow to job level
- Add links.yml to its own path filters
- Add CodeQL analysis to ruleset required status checks

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/actions/setup-node/action.yml

@@ -0,0 +1,15 @@
+name: Setup Node.js
+description: Set up Node.js from .nvmrc and install dependencies
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      with:
+        node-version-file: .nvmrc
+        cache: npm
+
+    - name: Install dependencies
+      run: npm ci
+      shell: bash

.github/workflows/auto-approve.yml

@@ -3,10 +3,15 @@ name: Auto-approve
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+  workflow_dispatch:
 
 permissions:
   contents: read
 
+concurrency:
+  group: auto-approve-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
@@ -15,9 +20,14 @@ jobs:
       contents: write
       pull-requests: write
     if: >
-      github.actor == 'SebTardif' ||
-      github.actor == 'dependabot[bot]'
+      github.event.pull_request.user.login == 'SebTardif' ||
+      github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
 
       - name: Enable auto-merge

.github/workflows/ci.yml

@@ -3,6 +3,7 @@ name: ci
 on:
   push:
   pull_request:
+  merge_group:
   workflow_dispatch:
 
 permissions:
@@ -21,19 +22,18 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version-file: .nvmrc
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
+        uses: ./.github/actions/setup-node
 
       - name: Run tests
         run: npm test
@@ -42,19 +42,18 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version-file: .nvmrc
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
+        uses: ./.github/actions/setup-node
 
       - name: Compile
         run: npm run compile
@@ -67,19 +66,18 @@ jobs:
     runs-on: macos-latest
     timeout-minutes: 15
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-        with:
-          node-version-file: .nvmrc
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
+        uses: ./.github/actions/setup-node
 
       - name: Compile extension and tests
         run: npm run compile && npm run compile-tests

.github/workflows/dco.yml

@@ -19,6 +19,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:

.github/workflows/dependabot-auto-merge.yml

@@ -2,23 +2,29 @@ name: Dependabot Auto-Merge
 
 on:
   pull_request_target:
+  workflow_dispatch:
 
 permissions: {}
 
 concurrency:
-  group: dependabot-auto-merge-${{ github.event.pull_request.number }}
+  group: dependabot-auto-merge-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   auto-merge:
     name: Auto-merge Dependabot PRs
     runs-on: ubuntu-latest
     timeout-minutes: 5
-    if: github.actor == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
     permissions:
       contents: write
       pull-requests: write
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Fetch Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0

.github/workflows/fossa.yml

@@ -21,6 +21,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check API key
         id: check
         run: |

.github/workflows/links.yml

@@ -6,10 +6,12 @@ on:
     paths:
       - "**.md"
       - "lychee.toml"
+      - ".github/workflows/links.yml"
   pull_request:
     paths:
       - "**.md"
       - "lychee.toml"
+      - ".github/workflows/links.yml"
   schedule:
     - cron: "0 6 * * 1"
   workflow_dispatch:
@@ -27,6 +29,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:

.github/workflows/post-merge.yml

@@ -3,9 +3,14 @@ name: Post-merge CI trigger
 on:
   pull_request:
     types: [closed]
+  workflow_dispatch:
 
 permissions: {}
 
+concurrency:
+  group: post-merge-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   trigger:
     name: Trigger CI on main
@@ -15,6 +20,11 @@ jobs:
     permissions:
       actions: write
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Trigger workflows on main
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-title.yml

@@ -3,21 +3,27 @@ name: Semantic PR title
 on:
   pull_request_target:
     types: [opened, edited, synchronize]
+  workflow_dispatch:
 
 permissions:
   pull-requests: read
 
 concurrency:
-  group: pr-title-${{ github.event.pull_request.number }}
+  group: pr-title-${{ github.event.pull_request.number || github.run_id }}
   cancel-in-progress: true
 
 jobs:
   lint:
     name: Validate PR title
-    if: github.actor != 'dependabot[bot]'
+    if: github.event.pull_request.user.login != 'dependabot[bot]'
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check PR title
         uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:

.github/workflows/scorecard.yml

@@ -23,6 +23,11 @@ jobs:
       security-events: write
       id-token: write
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with: