Skip to content

Commit 98fc0e1

Browse files
staaldraadjgoux
andauthored
chore(ci): gh action hardening (#5388)
## What kind of change does this PR introduce? chore ## Additional context Applies most of zizmor's hardening suggestions. Brings some action usage up to date (client-id instead of app-id). And does some action pinning. Co-authored-by: Julien Goux <hi@jgoux.dev>
1 parent 0684ae6 commit 98fc0e1

17 files changed

Lines changed: 139 additions & 63 deletions

.github/actions/setup/action.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -11,21 +11,21 @@ runs:
1111

1212
- name: Restore Bun toolchain cache
1313
id: bun-toolchain-cache
14-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
14+
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
1515
with:
1616
path: /opt/hostedtoolcache/bun
1717
key: bun-toolchain-${{ runner.os }}-${{ runner.arch }}-${{ env.BUN_VERSION }}
1818

1919
- name: Install Bun
2020
id: install-bun
21-
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
21+
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
2222
continue-on-error: true
2323
with:
2424
bun-version: ${{ env.BUN_VERSION }}
2525

2626
- name: Install Bun (fallback with retries)
2727
if: steps.install-bun.outcome == 'failure'
28-
uses: nick-fields/retry@v3
28+
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
2929
with:
3030
timeout_minutes: 3
3131
max_attempts: 5
@@ -39,7 +39,7 @@ runs:
3939
run: bun --version
4040

4141
- name: Install Node.js
42-
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
42+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
4343
with:
4444
node-version-file: .nvmrc
4545
package-manager-cache: false
@@ -49,7 +49,7 @@ runs:
4949
run: npm install --global --force corepack && corepack enable
5050

5151
- name: Configure dependency cache
52-
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
52+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
5353
with:
5454
cache: pnpm
5555

.github/dependabot.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,8 @@ updates:
99
actions-major:
1010
patterns:
1111
- "*"
12+
cooldown:
13+
default-days: 7
1214
- package-ecosystem: "gomod"
1315
directories:
1416
- "/"
@@ -23,6 +25,8 @@ updates:
2325
- patch
2426
exclude-patterns:
2527
- github.com/compose-spec/compose-go/v2
28+
cooldown:
29+
default-days: 7
2630
- package-ecosystem: "npm"
2731
directory: "/"
2832
schedule:
@@ -32,6 +36,8 @@ updates:
3236
npm-major:
3337
patterns:
3438
- "*"
39+
cooldown:
40+
default-days: 7
3541
- package-ecosystem: "docker"
3642
directory: "/apps/cli-go/pkg/config/templates"
3743
schedule:
@@ -49,3 +55,5 @@ updates:
4955
- dependency-name: "axllent/mailpit"
5056
- dependency-name: "darthsim/imgproxy"
5157
- dependency-name: "timberio/vector"
58+
cooldown:
59+
default-days: 7

.github/workflows/automerge.yml

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,15 +4,14 @@ name: Dependabot auto-merge
44
on: pull_request
55

66
permissions:
7-
pull-requests: write
8-
contents: write
7+
contents: read
98

109
jobs:
1110
dependabot:
1211
runs-on: ubuntu-latest
1312
# Checking the actor will prevent your Action run failing on non-Dependabot
1413
# PRs but also ensures that it only does work for Dependabot PRs.
15-
if: ${{ github.actor == 'dependabot[bot]' }}
14+
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
1615
steps:
1716
# This first step will fail if there's no metadata and so the approval
1817
# will not occur.
@@ -27,20 +26,24 @@ jobs:
2726
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
2827
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
2928
with:
30-
app-id: ${{ secrets.APP_ID }}
29+
client-id: ${{ vars.GH_APP_CLIENT_ID }}
3130
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
31+
permission-pull-requests: write
32+
permission-contents: write
3233

3334
# Here the PR gets approved.
3435
- name: Approve a PR
3536
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
36-
run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
37+
run: gh pr review --approve "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
3738
env:
3839
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
40+
GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}
3941

4042
# Finally, this sets the PR to allow auto-merging for patch and minor
4143
# updates if all checks pass
4244
- name: Enable auto-merge for Dependabot PRs
4345
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
44-
run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
46+
run: gh pr merge --auto --squash "${GITHUB_EVENT_PULL_REQUEST_HTML_URL}"
4547
env:
46-
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
48+
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
49+
GITHUB_EVENT_PULL_REQUEST_HTML_URL: ${{ github.event.pull_request.html_url }}

.github/workflows/cli-go-api-sync.yml

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,16 +5,18 @@ on:
55
types:
66
- api-sync
77
workflow_dispatch: # allow manual triggering
8+
89
permissions:
9-
contents: write
10-
pull-requests: write
10+
contents: read
1111

1212
jobs:
1313
sync:
1414
name: Sync API Types
1515
runs-on: blacksmith-2vcpu-ubuntu-2404
1616
steps:
1717
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
18+
with:
19+
persist-credentials: false
1820

1921
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
2022
with:
@@ -39,8 +41,10 @@ jobs:
3941
id: app-token
4042
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
4143
with:
42-
app-id: ${{ secrets.APP_ID }}
44+
client-id: ${{ vars.GH_APP_CLIENT_ID }}
4345
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
46+
permission-pull-requests: write
47+
permission-contents: write
4448

4549
- name: Create Pull Request
4650
if: steps.check.outputs.has_changes == 'true'
@@ -60,15 +64,17 @@ jobs:
6064
- name: Approve a PR
6165
if: steps.check.outputs.has_changes == 'true' && steps.cpr.outputs.pull-request-operation == 'created'
6266
continue-on-error: true
63-
run: gh pr review --approve --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}"
67+
run: gh pr review --approve --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
6468
env:
65-
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
69+
GH_TOKEN: ${{ steps.app-token.outputs.token }}
70+
STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
6671

6772
- name: Enable Pull Request Automerge
6873
if: steps.check.outputs.has_changes == 'true'
69-
run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${{ steps.cpr.outputs.pull-request-number }}"
74+
run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
7075
env:
7176
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
77+
STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
7278
defaults:
7379
run:
7480
working-directory: apps/cli-go

.github/workflows/cli-go-ci.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,8 @@ jobs:
2222
runs-on: blacksmith-8vcpu-ubuntu-2404
2323
steps:
2424
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
25+
with:
26+
persist-credentials: false
2527

2628
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
2729
with:
@@ -59,6 +61,8 @@ jobs:
5961
runs-on: ubuntu-latest
6062
steps:
6163
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
64+
with:
65+
persist-credentials: false
6266

6367
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
6468
with:
@@ -78,6 +82,8 @@ jobs:
7882
runs-on: ubuntu-latest
7983
steps:
8084
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
85+
with:
86+
persist-credentials: false
8187
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
8288
with:
8389
go-version-file: apps/cli-go/go.mod
@@ -102,6 +108,8 @@ jobs:
102108
runs-on: ubuntu-latest
103109
steps:
104110
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
111+
with:
112+
persist-credentials: false
105113
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
106114
with:
107115
go-version-file: apps/cli-go/go.mod
@@ -117,6 +125,8 @@ jobs:
117125
runs-on: ubuntu-latest
118126
steps:
119127
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
128+
with:
129+
persist-credentials: false
120130

121131
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
122132
with:

.github/workflows/cli-go-codeql.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,8 @@ jobs:
6464
steps:
6565
- name: Checkout repository
6666
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
67+
with:
68+
persist-credentials: false
6769

6870
# Initializes the CodeQL tools for scanning.
6971
- name: Initialize CodeQL

.github/workflows/cli-go-mirror-image.yml

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,9 @@ on:
99
image:
1010
required: true
1111
type: string
12+
secrets:
13+
PROD_AWS_ROLE:
14+
required: true
1215
workflow_dispatch:
1316
inputs:
1417
image:
@@ -26,8 +29,9 @@ jobs:
2629
runs-on: ubuntu-latest
2730
steps:
2831
- id: strip
32+
env:
33+
TAG: ${{ github.event.client_payload.image || inputs.image }}
2934
run: |
30-
TAG=${{ github.event.client_payload.image || inputs.image }}
3135
echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
3236
- name: configure aws credentials
3337
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0

.github/workflows/cli-go-mirror.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,8 @@ jobs:
2828
curr: ${{ steps.curr.outputs.tags }}
2929
steps:
3030
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
31+
with:
32+
persist-credentials: false
3133
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
3234
with:
3335
go-version-file: apps/cli-go/go.mod
@@ -55,10 +57,11 @@ jobs:
5557
matrix:
5658
src: ${{ fromJson(needs.setup.outputs.tags) }}
5759
# Call workflow explicitly because events from actions cannot trigger more actions
58-
uses: ./.github/workflows/mirror-image.yml
60+
uses: ./.github/workflows/cli-go-mirror-image.yml
5961
with:
6062
image: ${{ matrix.src }}
61-
secrets: inherit
63+
secrets:
64+
PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
6265
defaults:
6366
run:
6467
working-directory: apps/cli-go

.github/workflows/cli-go-pg-prove.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -86,10 +86,11 @@ jobs:
8686
- settings
8787
- merge_manifest
8888
# Call workflow explicitly because events from actions cannot trigger more actions
89-
uses: ./.github/workflows/mirror-image.yml
89+
uses: ./.github/workflows/cli-go-mirror-image.yml
9090
with:
9191
image: ${{ needs.settings.outputs.image_tag }}
92-
secrets: inherit
92+
secrets:
93+
PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
9394
defaults:
9495
run:
9596
working-directory: apps/cli-go

.github/workflows/cli-go-publish-migra.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -86,10 +86,11 @@ jobs:
8686
- settings
8787
- merge_manifest
8888
# Call workflow explicitly because events from actions cannot trigger more actions
89-
uses: ./.github/workflows/mirror-image.yml
89+
uses: ./.github/workflows/cli-go-mirror-image.yml
9090
with:
9191
image: ${{ needs.settings.outputs.image_tag }}
92-
secrets: inherit
92+
secrets:
93+
PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
9394
defaults:
9495
run:
9596
working-directory: apps/cli-go

0 commit comments

Comments
 (0)