From e3381b1c674b6e2e4ee9ea28b6ad82bb6db4f16b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 10 May 2024 16:24:54 -0400 Subject: [PATCH 1/4] Add a diagnostics job to the `CodeQL` workflow This mirrors the diagnostics job in the `build` workflow. --- .github/workflows/codeql-analysis.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b62d107..35ba9d1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,26 @@ on: - cron: '0 14 * * 6' jobs: + diagnostics: + name: Run diagnostics + runs-on: ubuntu-latest + steps: + # Note that a duplicate of this step must be added at the top of + # each job. + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - id: github-status + name: Check GitHub status + uses: crazy-max/ghaction-github-status@v4 + - id: dump-context + name: Dump context + uses: crazy-max/ghaction-dump-context@v2 analyze: + needs: + - diagnostics name: Analyze runs-on: ubuntu-latest permissions: From 34a7da5c2f6991b6377a249b1670dcf26d04ca76 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 10 May 2024 16:28:24 -0400 Subject: [PATCH 2/4] Use step-security/harden-runner in the `Analyze` job Since this Action should be used in every job we need to use it here. --- .github/workflows/codeql-analysis.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 35ba9d1..601e352 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
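Review bot: The new `diagnostics` job declares no `permissions:` block, so unless the workflow sets a top-level default outside this hunk its `GITHUB_TOKEN` carries the repository's default scopes even though none of the three steps appears to need repository access; the sibling `analyze` job below does restrict its token, and the new job should do the same with `permissions: {}` directly under `runs-on: ubuntu-latest` (or `contents: read` if one of the actions turns out to need it). Every action in the job is also referenced by a floating tag (`step-security/harden-runner@v2`, `crazy-max/ghaction-github-status@v4`, `crazy-max/ghaction-dump-context@v2`), which lets the resolved code change with no commit in this repository; pinning each to a full-length commit SHA with the tag kept in a trailing comment (`uses: step-security/harden-runner@<sha> # v2`) is the usual hardening for third-party actions and still works with the Dependabot configuration this series touches. The `# Note that a duplicate of this step must be added at the top of each job.` comment would also benefit from stating that `egress-policy: audit` only records outbound connections and blocks nothing, so the job is observing rather than enforcing until the policy is moved to `block` with an `allowed-endpoints:` list.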
@@ -38,9 +38,9 @@ jobs: name: Dump context uses: crazy-max/ghaction-dump-context@v2 analyze: + name: Analyze needs: - diagnostics - name: Analyze runs-on: ubuntu-latest permissions: # required for all workflows @@ -56,6 +56,12 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - id: harden-runner + name: Harden the runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v4 From 0227a71775c655e8ed6f3a36c70b8f297b97c685 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 10 May 2024 16:29:37 -0400 Subject: [PATCH 3/4] Remove unnecessary quotes in the `CodeQL` job --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 601e352..d029a34 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -4,7 +4,7 @@ # # You may wish to alter this file to override the set of languages analyzed, # or to provide custom queries or build logic. -name: "CodeQL" +name: CodeQL on: push: From 4dabc523d2ec5196600b80e5ec509a3d2fa271e3 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 13 May 2024 17:28:51 -0400 Subject: [PATCH 4/4] Add a disabled ignore directive for github/codeql-action Once enabled downstream this will ensure that downstream projects will receive updates to this dependency from the upstream skeleton (which will get updated by dependabot) instead of in the downstream repository. --- .github/dependabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f1dfea1..2398344 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
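Review bot: The `harden-runner` step added at the top of the `analyze` job runs with `egress-policy: audit`, so in the job that downloads and executes the CodeQL bundle it only logs outbound traffic and blocks nothing; once a few runs have established the baseline, the step should be tightened to `egress-policy: block` with an `allowed-endpoints:` list built from whatever the audit runs report. The action is referenced by the mutable tag `step-security/harden-runner@v2`; for the one step whose purpose is to constrain everything that runs after it, a full commit SHA pin (`uses: step-security/harden-runner@<sha> # v2`) is the safer default. The `analyze` job's `steps:` list continues beyond this hunk, so the rest of the job was not reviewed here.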
@@ -21,6 +21,7 @@ updates: - dependency-name: step-security/harden-runner # # Managed by cisagov/skeleton-aws-lambda-python # - dependency-name: actions/upload-artifact + # - dependency-name: github/codeql-action package-ecosystem: github-actions schedule: interval: weekly
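Review bot: Once the new `# - dependency-name: github/codeql-action` line is uncommented downstream, the `ignore` entry has no `update-types` restriction, so it suppresses every Dependabot update for that action, and as far as the Dependabot documentation describes, `ignore` conditions apply to security updates as well as version updates; a downstream repository would then receive a patched `github/codeql-action` only when it merges the skeleton. That trade-off is worth stating next to the `# Managed by cisagov/skeleton-aws-lambda-python` header, e.g. `# Ignored actions also skip Dependabot security updates; merge skeleton updates promptly.` If the intent is only to avoid version churn rather than to block all updates, narrowing the entry with an `update-types:` list would keep the rest flowing downstream.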