chore: [StepSecurity] Apply security best practices #2123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

step-security-bot wants to merge 6 commits into cloudposse:main from step-security-bot:chore/GHA-012327-stepsecurity-remediation

.devcontainer/Dockerfile

-Original file line number
+Diff line change
@@ -1,12 +1,12 @@
-    FROM golang:1.26.0 AS confetty
+    FROM golang:1.26.0@sha256:9edf71320ef8a791c4c33ec79f90496d641f306a91fb112d3d060d5c1cee4e20 AS confetty
     # Set the working directory
     WORKDIR /app
     # Install the confetty application
     RUN go install github.com/maaslalani/confetty@latest
-    FROM mcr.microsoft.com/vscode/devcontainers/base:debian
+    FROM mcr.microsoft.com/vscode/devcontainers/base:debian@sha256:a30da48cdf5f9144ff7f2156622e701e752fc258d77ca7bb00120624f1a95938
     # Copy the binary from the builder stage
     COPY --from=confetty /go/bin/confetty /usr/local/bin/confetty
@@ Expand Down @@

.github/actions/go-version-check/action.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -72,7 +72,7 @@ runs: @@
         - name: Comment on PR
           if: steps.compare.outputs.changed == 'true'
-          uses: actions/github-script@v7
+          uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
           with:
             github-token: ${{ inputs.token }}
             script: |
@@ Expand Down @@

.github/actions/pr-sizer/action.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -69,7 +69,7 @@ runs: @@
       using: 'composite'
       steps:
         - name: Label PR based on size
-          uses: actions/github-script@v8
+          uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
           with:
             github-token: ${{ github.token }}
             script: |
@@ Expand Down @@

.github/actions/remove-dependabot-semver-labels/action.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -15,7 +15,7 @@ runs: @@
       using: 'composite'
       steps:
         - name: Remove auto-added semver labels
-          uses: actions/github-script@v8
+          uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
           with:
             github-token: ${{ github.token }}
             script: |
@@ Expand Down @@

.github/dependabot.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,3 +57,58 @@ updates: @@
       ignore:
         - dependency-name: "*"
           update-types: ["version-update:semver-major"]
+    - package-ecosystem: docker
+      directory: /.devcontainer
+      schedule:
+        interval: daily
+    - package-ecosystem: docker
+      directory: /
+      schedule:
+        interval: daily
+    - package-ecosystem: docker
+      directory: /demo/screenshots
+      schedule:
+        interval: daily
+    - package-ecosystem: docker
+      directory: /examples/devcontainer-build
+      schedule:
+        interval: daily
+    - package-ecosystem: docker
+      directory: /examples/quick-start-advanced
+      schedule:
+        interval: daily
+    - package-ecosystem: gomod
+      directory: /tools/gomodcheck
+      schedule:
+        interval: daily
+    - package-ecosystem: gomod
+      directory: /tools/lintroller
+      schedule:
+        interval: daily
+    - package-ecosystem: npm
+      directory: /website/plugins/custom-loaders
+      schedule:
+        interval: daily
+    - package-ecosystem: npm
+      directory: /website/plugins/docusaurus-plugin-llms-txt
+      schedule:
+        interval: daily
+    - package-ecosystem: npm
+      directory: /website/plugins/fetch-latest-release
+      schedule:
+        interval: daily
+    - package-ecosystem: npm
+      directory: /website/plugins/glossary-tooltips
+      schedule:
+        interval: daily

.github/workflows/autofix.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -20,7 +20,7 @@ jobs: @@
           actions: write
         timeout-minutes: 15
         steps:
-          - uses: runs-on/action@v2
+          - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # v2.0.3
           - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
             with:
               persist-credentials: false
@@ Expand Down @@

.github/workflows/build.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -29,7 +29,7 @@ jobs:
  
        needs: release

        environment: release

        steps:

          - uses: mislav/bump-homebrew-formula-action@v3

          - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6

            with:

              # A PR will be sent to github.com/Homebrew/homebrew-core to update this formula:

              formula-name: atmos

    @@ -44,11 +44,11 @@ jobs:
  
        if: ${{ github.event.release.prerelease == false }}

        steps:

          - name: "Checkout source code at current commit"

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          - name: "Docker Build"

            id: build

            uses: cloudposse/github-action-docker-build-push@main

            uses: cloudposse/github-action-docker-build-push@1d99c3977df15019f21658e2e7d4a2a8818eeb0a # main

            with:

              registry: ghcr.io

              organization: "${{ github.event.repository.owner.login }}"

.github/workflows/changelog-check.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,7 +9,7 @@ jobs: @@
         runs-on: ubuntu-latest
         steps:
           - name: Checkout code
-            uses: actions/checkout@v4
+            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
             with:
               fetch-depth: 0
@@ Expand Down @@

.github/workflows/claude.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -14,7 +14,7 @@ jobs:
  
        runs-on: ubuntu-latest

        steps:

          - name: Checkout code

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          - name: Check modified CLAUDE.md size

            uses: ./.github/actions/check-claude-md-size

    @@ -28,7 +28,7 @@ jobs:
  
        runs-on: ubuntu-latest

        steps:

          - name: Checkout code

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          - name: Check modified agent files

            uses: ./.github/actions/check-claude-md-size

.github/workflows/clear-cache.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,9 @@ on: @@
         types:
           - closed
+    permissions:
+      contents: read
     jobs:
       cleanup:
         runs-on: ubuntu-latest
@@ Expand Down @@

.github/workflows/codeql.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -11,6 +11,9 @@ on:
  
        # runs on 19:17 every Tuesday

        - cron: "27 19 * * 2"

    permissions:

      contents: read

    jobs:

      analyze:

        name: Analyze

    @@ -28,11 +31,11 @@ jobs:
  
        steps:

          - name: Checkout repository

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          # Initializes the CodeQL tools for scanning.

          - name: Initialize CodeQL

            uses: github/codeql-action/init@v4

            uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

            with:

              languages: ${{ matrix.language }}

              # If you wish to specify custom queries, you can do so here or in a config file.

    @@ -45,7 +48,7 @@ jobs:
  
          # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).

          # If this step fails, then you should remove it and run the build manually (see below)

          - name: Autobuild

            uses: github/codeql-action/autobuild@v4

            uses: github/codeql-action/autobuild@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

          # ℹ️ Command-line programs to run using the OS shell.

          # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    @@ -58,7 +61,7 @@ jobs:
  
          #     ./location_of_script_within_repo/buildscript.sh

          - name: Perform CodeQL Analysis

            uses: github/codeql-action/analyze@v4

            uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

            with:

              category: "/language:${{matrix.language}}"

    @@ -83,15 +86,15 @@ jobs:
  
          security-events: write

        steps:

          - name: Check out code into the Go module directory

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

            with:

              fetch-depth: 0

          # golangci-lint-action@v4.0.0+ requires explicit Go setup

          # Without this step, the action may fail intermittently with

          # "could not load export data" errors due to cache corruption

          - name: Set up Go

            uses: actions/setup-go@v5

            uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0

            with:

              go-version-file: go.mod

              cache: true

    @@ -152,7 +155,7 @@ jobs:
  
          # - t.Setenv in defer blocks (should use os.Setenv)

          # will appear in the SARIF output and GitHub Security tab.

          - name: Run golangci-lint with lintroller plugin

            uses: golangci/golangci-lint-action@v8.0.0

            uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0

            with:

              version: 101ccaca0df22b2e36dd917ed5d0be423baa6298

              install-mode: none

    @@ -163,7 +166,7 @@ jobs:
  
          - name: Upload filtered SARIF results

            if: always()

            uses: github/codeql-action/upload-sarif@v4

            uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4

            with:

              sarif_file: golangci-lint.sarif

    @@ -176,7 +179,7 @@ jobs:
  
          issues: write

        steps:

          # Checkout is required for local composite actions

          - uses: actions/checkout@v4

          - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

            if: github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]'

          # Remove Dependabot's auto-added semver labels

    @@ -188,7 +191,7 @@ jobs:
  
          # Check for required semver labels

          # Every PR must have exactly one: major, minor, patch, or no-release

          - uses: mheap/github-action-required-labels@v5

          - uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1

            with:

              mode: exactly

              count: 1

.github/workflows/dependency-review.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -19,15 +19,15 @@ jobs:
  
          - private=false

        steps:

          - name: Checkout code

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          - name: Set up Go

            uses: actions/setup-go@v5

            uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0

            with:

              go-version-file: go.mod

          - name: Dependency Review

            uses: actions/dependency-review-action@v4

            uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3

            with:

              # Disable OpenSSF scorecard to reduce summary size (prevents 1024k limit errors)

              show-openssf-scorecard: false

.github/workflows/go-version-check.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -16,7 +16,7 @@ jobs: @@
         runs-on: ubuntu-latest
         steps:
           - name: Checkout PR branch
-            uses: actions/checkout@v4
+            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
             with:
               fetch-depth: 0
@@ Expand Down @@

.github/workflows/link-check.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -22,10 +22,10 @@ jobs:
  
        steps:

          - name: Checkout Code

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

          - name: Check links with lychee

            uses: lycheeverse/lychee-action@v2

            uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0

            with:

              args: --config lychee.toml --root-dir ${{ github.workspace }} '**/*.md'

              fail: true

.github/workflows/pr-size-labeler.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,9 @@ on: @@
       pull_request_target:
         types: [opened, synchronize, reopened]
+    permissions:
+      contents: read
     jobs:
       label:
         runs-on: ubuntu-latest
@@ Expand All / @@ -16,7 +19,7 @@ jobs: @@
           issues: write
         steps:
           - name: Checkout repository
-            uses: actions/checkout@v4
+            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
             with:
               # Checkout the base branch (not the PR head) for security.
               # We only need the action definition from .github/actions/pr-sizer/
@@ Expand Down @@

.github/workflows/pre-commit.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -26,13 +26,13 @@ jobs:
  
        steps:

          - name: Checkout Code

            uses: actions/checkout@v4

            uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

            with:

              # Fetch full history for proper diff checking

              fetch-depth: 0

          - name: Set up Go

            uses: actions/setup-go@v5

            uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0

            with:

              go-version-file: go.mod

              cache: true

    @@ -54,12 +54,12 @@ jobs:
  
              go mod download

          - name: Set up Python

            uses: actions/setup-python@v5

            uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0

            with:

              python-version: ${{ env.PYTHON_VERSION }}

          - name: Run CloudPosse pre-commit action

            uses: cloudposse/github-action-pre-commit@v4.0.0

            uses: cloudposse/github-action-pre-commit@828247764461bc41b2bd267e24d76e91a279b093 # v4.0.0

            with:

              # Run against files changed in the PR only

              # This prevents formatting/checking unrelated files

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: [StepSecurity] Apply security best practices #2123

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chore: [StepSecurity] Apply security best practices #2123

Are you sure you want to change the base?

Uh oh!

chore: [StepSecurity] Apply security best practices #2123

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!