diff --git a/.github/workflows/automatic-release.yml b/.github/workflows/automatic-release.yml
index c7f065600..566f9884b 100644
--- a/.github/workflows/automatic-release.yml
+++ b/.github/workflows/automatic-release.yml
@@ -12,9 +12,22 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + api.github.com:443 + archive.ubuntu.com:80 + auth.docker.io:443 + github.com:443 + objects.githubusercontent.com:443 + packagist.org:443 + ppa.launchpadcontent.net:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + registry.yarnpkg.com:443 + security.ubuntu.com:80 + uploads.github.com:443 - name: Checkout uses: "actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 43d4df46b..5cced4512 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,7 @@ name: "CodeQL" on: - push: - branches: [ 2.2.x ] pull_request: - branches: [ 2.2.x ] schedule: - cron: '26 23 * * 2'
@@ -27,9 +24,13 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Checkout repository uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
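Review bot: The release job's allow-list admits two cleartext endpoints, `archive.ubuntu.com:80` and `security.ubuntu.com:80`; apt's signature checks cover package integrity, but the egress filter only matches host:port, so if the runner image's apt sources can be pointed at the https mirrors the entries should become `archive.ubuntu.com:443` and `security.ubuntu.com:443`. This job is also the only one in the diff that keeps sudo (no `disable-sudo: true`), presumably because the apt and PPA installs need it — worth confirming, since a release job is where a sudo-capable compromised step hurts most. The SHA pins carry no version comment; dependency bots use it to keep pins current, so `uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # vX.Y.Z` (with the real tag) is worth adding here and in the sibling workflows. The rest of the release job is outside the hunk.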
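Review bot: Dropping the `push` trigger leaves the `2.2.x` branch itself analysed only by the weekly cron (`26 23 * * 2`), so a direct push or a merge whose PR scan did not run stays unscanned for up to a week, and — as I read the code-scanning model — PR alerts are compared against the latest analysis of the base branch, so that baseline goes stale as well. If the aim was only to stop scanning pushes to other branches, restoring `push:` with `branches: [ 2.2.x ]` keeps the baseline while the now-unfiltered `pull_request:` still covers PRs against any branch. The `on:` block is complete within the hunk.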
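Review bot: The analyze job's allow-list is `api.github.com` and `github.com` only; as I understand `codeql-action/init`, it uses the CodeQL bundle from the runner's tool cache when the version it wants is present and otherwise downloads it from a GitHub release, which redirects to `objects.githubusercontent.com` — a host the other jobs list and this one does not. Under `egress-policy: block` that fallback fails rather than being logged, so either confirm from the audit-mode runs that no bundle download happened or add `objects.githubusercontent.com:443`. `disable-sudo: true` is a good fit for a job that only reads source and uploads results. The remaining analyze steps are outside the hunk.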
@@ -50,21 +51,38 @@ jobs: actions: read # for github/codeql-action/init to get workflow details contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/autobuild to send a status report - + name: Qodana runs-on: ubuntu-latest - + steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.qodana.cloud:443 + github.com:443 + objects.githubusercontent.com:443 + prod.fus.aws.intellij.net:443 + production.cloudflare.docker.com:443 + qc-results-prod.s3.eu-west-1.amazonaws.com:443 + raw.githubusercontent.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + registry.npmjs.org:443 + resources.jetbrains.com:443 + schemastore.org:443 - name: Checkout repository uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f - name: 'Qodana Scan' - uses: JetBrains/qodana-action@main + uses: JetBrains/qodana-action@61b94e7e3a716dcb9e2030cfd79cd46149d56c26 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} + + - uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d + with: + sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
index 2e3daad22..19dcf3266 100644
--- a/.github/workflows/cs.yml
+++ b/.github/workflows/cs.yml
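Review bot: The new `upload-sarif` step posts through the GitHub REST API, which on github.com is `api.github.com`, and that host is missing from the Qodana job's allow-list (it has `github.com:443` but not `api.github.com:443`); unless harden-runner permits it implicitly, the upload is blocked under `egress-policy: block`, so add `api.github.com:443`. `prod.fus.aws.intellij.net` looks like JetBrains feature-usage telemetry rather than something the scan needs — if the job passes without it, dropping it keeps the list to what the job requires. The `security-events: write` permission in context still carries the comment copied from the analyze job (`# for github/codeql-action/autobuild to send a status report`); in this job it exists for the SARIF upload, so `# for github/codeql-action/upload-sarif to publish Qodana results` is the accurate note. Pinning `qodana-action` to a SHA instead of `@main` is the right call; the job's `permissions:` block starts above the hunk.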
@@ -13,9 +13,14 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + packagist.org:443 - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
@@ -50,9 +55,16 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + packagist.org:443 + raw.githubusercontent.com:443 + repo.packagist.org:443 - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
@@ -80,9 +92,14 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + registry.yarnpkg.com:443 - name: Checkout Code uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index eada91bdf..000000000
--- a/.github/workflows/release.yml
+++ /dev/null
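Review bot: The first cs.yml job's allow-list stops at `packagist.org`, while the second job in the same file also lists `repo.packagist.org` and `raw.githubusercontent.com`; Composer 2 reads package metadata from `repo.packagist.org`, so if this job runs `composer install` without a warm cache the list looks one host short, and under `egress-policy: block` a host missed in audit fails the job instead of being logged. Neither list names `codeload.github.com`, which is where Composer's GitHub zipball downloads redirect, so the audit-mode logs of both jobs are worth re-reading before merging. The steps after checkout are outside the hunk, so this is inferred from the hosts alone.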
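Review bot: `raw.githubusercontent.com:443` in the second job means some step fetches a file straight out of a GitHub repository; the egress filter vouches for the host, not the content, so that fetch should reference a commit SHA rather than a branch name, otherwise whoever controls the branch controls what runs (the fetching step is outside the hunk, so this is inferred from the host). A note above the list saying which step needs the entry, e.g. `# raw.githubusercontent.com: <file> pulled by the <step> step`, keeps the allow-list auditable — placed above `allowed-endpoints:`, since a `#` line inside the `>` folded scalar is data, not a comment, and would be passed to harden-runner as an endpoint.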
@@ -1,108 +0,0 @@ -name: "Release" - -on: - push: - tags: - - "*" - -env: - SOLIDINVOICE_ENV: prod - SOLIDINVOICE_DEBUG: 0 - -permissions: # added using https://github.com/step-security/secure-workflows - contents: read - -jobs: - build: - permissions: - contents: write # for actions/create-release to create a release - name: Upload Release Asset - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - uses: FranzDiebold/github-env-vars-action@5be1a823971b42aea2115f6d742484ab9a314bb6 - - - name: Checkout code - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f - with: - path: solidinvoice - - - name: Install PHP - uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d - with: - coverage: none - extensions: curl, gd, intl, opcache, json, openssl, pdo, soap, xsl, :xdebug - ini-values: memory_limit=-1 - php-version: 7.4 - - - name: Install PHP dependencies - run: composer install --ansi --no-interaction --no-progress --no-suggest --prefer-dist --no-dev -o -a - working-directory: solidinvoice - - - name: Set ENV Variables - run: | - echo SOLIDINVOICE_ENV=$SOLIDINVOICE_ENV > .env - echo SOLIDINVOICE_DEBUG=$SOLIDINVOICE_DEBUG >> .env - working-directory: solidinvoice - - - name: Install JS dependencies - run: yarn install - working-directory: solidinvoice - - - name: Build Assets - run: yarn build - working-directory: solidinvoice - - - name: Cleanup files - run: rm -Rf node_modules vendor-bin .github .git - working-directory: solidinvoice - - - name: Create release - id: create_release - uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: ${{ env.CI_REF_NAME }} - draft: true - body: TODO - - - name: Create ZIP distribution - run: zip -r 
SolidInvoice-${{ env.CI_REF_NAME }}.zip ./ - - name: List files - run: ls -la - - name: Upload ZIP distribution - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./SolidInvoice-${{ env.CI_REF_NAME }}.zip - asset_name: SolidInvoice-${{ env.CI_REF_NAME }}.zip - asset_content_type: application/zip - - name: Delete ZIP File - run: rm -Rf SolidInvoice-${{ env.CI_REF_NAME }}.zip - - name: Create TAR distribution - run: tar -zcvf SolidInvoice-${{ env.CI_REF_NAME }}.tar.gz ./solidinvoice - - name: Upload TAR distribution - uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./SolidInvoice-${{ env.CI_REF_NAME }}.tar.gz - asset_name: SolidInvoice-${{ env.CI_REF_NAME }}.tar.gz - asset_content_type: application/gzip - - name: Delete TAR File - run: rm -Rf SolidInvoice-${{ env.CI_REF_NAME }}.tar.gz
diff --git a/.github/workflows/security-checker.yml b/.github/workflows/security-checker.yml
index f5136ea31..7b289b27c 100644
--- a/.github/workflows/security-checker.yml
+++ b/.github/workflows/security-checker.yml
@@ -10,9 +10,12 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f - uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5
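Review bot: The security-checker job's allow-list is `github.com:443` alone, yet `symfonycorp/security-checker-action` (pinned at `258311ef…`) works by fetching a `local-php-security-checker` release binary which then pulls the advisories database; as I understand those downloads, the release asset redirects to `objects.githubusercontent.com` and the database archive comes from `codeload.github.com`, neither of which is listed, so under `egress-policy: block` the check is likely to fail rather than run. Confirm against the audit-mode log of this job and add the hosts it actually contacted, e.g. `objects.githubusercontent.com:443` and `codeload.github.com:443`. `disable-sudo: true` fits a job with no install step.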
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 52a0137c0..494bcac42 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -14,9 +14,14 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + packagist.org:443 - name: Checkout uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
@@ -48,23 +53,3 @@ jobs: - name: Run PHPStan run: bin/phpstan analyse -c phpstan.test.neon - - qodana: - name: Qodana - - runs-on: ubuntu-latest - - steps: - - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 - with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f - - - name: 'Qodana Scan' - uses: JetBrains/qodana-action@7afb26c0c2f325c0d5c21ea1f617c79c7f899337 - - - uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d - with: - sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 0ff47eec8..9a13c8742 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -46,9 +46,21 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 + uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + allowed-endpoints: > + api.github.com:443 + chromedriver.storage.googleapis.com:443 + codecov.io:443 + coveralls.io:443 + github.com:443 + objects.githubusercontent.com:443 + packagist.org:443 + registry.yarnpkg.com:443 + repo.packagist.org:443 + storage.googleapis.com:443 + uploader.codecov.io:443 - name: Checkout uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
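Review bot: `storage.googleapis.com:443` is the shared front door for every public GCS bucket, so allowing it hands any compromised test dependency an arbitrary exfiltration target and largely undoes what `egress-policy: block` buys; the bucket-scoped `chromedriver.storage.googleapis.com` entry is already present, so check the audit log for what needed the bare host (often a redirect) and prefer a bucket-specific hostname if one serves it. `uploader.codecov.io` delivers an executable uploader; whether the step that runs it verifies the published signature is outside this hunk but worth confirming, since the allow-list only vouches for the host. The rest of the unit-test job is outside the hunk.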