From bdb1e0e3728163fffba288da54200e06d92b5b0c Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 20 Nov 2023 12:32:15 +0000 Subject: [PATCH 1/5] fix: address scope of GITHUB_TOKEN in release --- .github/workflows/release-pr.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index d34e913b04..418a9f6a17 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -18,6 +18,8 @@ defaults: jobs: release: + permissions: + contents: read runs-on: ubuntu-22.04 steps: - name: Branch From b2123f25fd7c4be066d5fb0ba7b72e906dbce3ad Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 20 Nov 2023 12:37:01 +0000 Subject: [PATCH 2/5] feat: add auditing or runner egress Add the "Harden Runner" step to all CI jobs, this should help point out the required rules for egress traffic. This can be changed to block all egress with a whitelist of allowed domains in future. --- .github/workflows/build-oss.yml | 5 +++ .github/workflows/build-plus.yml | 5 +++ .github/workflows/ci.yml | 35 +++++++++++++++++++++ .github/workflows/codeql-analysis.yml | 5 +++ .github/workflows/dependabot-hugo.yml | 5 +++ .github/workflows/dependency-review.yml | 5 +++ .github/workflows/dockerhub-description.yml | 5 +++ .github/workflows/fossa.yml | 5 +++ .github/workflows/issues.yaml | 5 +++ .github/workflows/labeler.yml | 5 +++ .github/workflows/lint.yml | 5 +++ .github/workflows/mend.yml | 5 +++ .github/workflows/notifications.yml | 5 +++ .github/workflows/release-pr.yml | 5 +++ .github/workflows/scorecards.yml | 5 +++ .github/workflows/stale.yml | 5 +++ .github/workflows/update-docker-images.yml | 5 +++ .github/workflows/updates-notification.yml | 5 +++ 18 files changed, 120 insertions(+) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index a09964ac6c..45114a15d2 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml 
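Review bot: The new job-level `permissions:` block narrows `GITHUB_TOKEN` for the `release` job only; the workflow-level default and any other job in this file are outside the hunk and unchanged, so confirm a top-level `permissions:` block exists or add one so the narrowing is not limited to this single job. The grant also lacks the consumer annotation the other workflows in this series use (`contents: read # for actions/checkout` in dependency-review.yml, `pull-requests: write # for actions/labeler to add labels` in labeler.yml); add the same here, e.g. `contents: read # for <step that needs it>`. The `release` job's steps continue past the hunk, so whether read-only access is sufficient for a job that, per the subject line, prepares a release cannot be judged from here.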
@@ -32,6 +32,11 @@ jobs: version: ${{ steps.meta.outputs.version }} image_digest: ${{ steps.build-push.outputs.digest }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index a163444db5..594d8772cb 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -34,6 +34,11 @@ jobs: id-token: write # for OIDC login to AWS runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 219e54ceb3..f812aef1cd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,6 +34,11 @@ jobs: k8s_latest: ${{ steps.vars.outputs.k8s_latest }} chart_version: ${{ steps.vars.outputs.chart_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -66,6 +71,11 @@ jobs: runs-on: ubuntu-22.04 needs: checks steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Golang Environment 
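Review bot: `egress-policy: audit` observes and reports runner egress but blocks nothing, so this step adds detection only; the same applies to every Harden Runner hunk in this commit (build-plus, ci, codeql-analysis, dependabot-hugo, dependency-review, dockerhub-description, fossa, issues, labeler, lint, mend, notifications, release-pr, scorecards, stale, update-docker-images, updates-notification). As far as I know the audit data is reported to the action vendor's service, so the step is itself a new third-party network dependency in every job, including those that carry `id-token: write` and push to registries, and that trade-off is worth stating in the commit message. Pinning to the full SHA with the `# v2.6.1` comment matches the file's existing convention. A comment on the step such as `# audit only: records egress, does not block; move to egress-policy: block with allowed-endpoints once the list is known` would keep the intended end state from the description visible next to the code.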
@@ -90,6 +100,11 @@ jobs: id-token: write # for goreleaser/goreleaser-action to sign artifacts issues: write # for goreleaser/goreleaser-action to close milestone steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -170,6 +185,11 @@ jobs: - image: debian-plus type: plus steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -272,6 +292,11 @@ jobs: \"images\": [{\"image\": \"debian\"}, {\"image\": \"debian-plus\"}]}" >> $GITHUB_OUTPUT fi + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -297,6 +322,11 @@ jobs: fail-fast: false matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -399,6 +429,11 @@ jobs: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a50f57c2ef..c5484c66ef 100644 --- a/.github/workflows/codeql-analysis.yml 
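Review bot: In the `@@ -272,6 +292,11 @@` hunk of ci.yml the Harden Runner step is inserted after a `run:` step (the one that writes the `images` matrix to `$GITHUB_OUTPUT` and ends at `fi`) rather than as the first entry under `steps:`, so egress from that earlier step is never observed; every other hunk in this commit places the step first. Move the block to the top of that job's `steps:` list. The job's earlier steps begin outside the hunk, so I cannot tell whether more than one step runs before it.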
+++ b/.github/workflows/codeql-analysis.yml @@ -38,6 +38,11 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/dependabot-hugo.yml b/.github/workflows/dependabot-hugo.yml index f9e77fb1f3..2be525c4ca 100644 --- a/.github/workflows/dependabot-hugo.yml +++ b/.github/workflows/dependabot-hugo.yml @@ -20,6 +20,11 @@ jobs: contents: write pull-requests: read steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index cec451e92a..db68d3c80e 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -19,6 +19,11 @@ jobs: contents: read # for actions/checkout pull-requests: write # for actions/dependency-review-action to post comments steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: "Checkout Repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index 62e7eceea7..a623c079da 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml 
@@ -19,6 +19,11 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Modify readme for DockerHub diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 0afb04c62d..d07413822e 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -22,6 +22,11 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml index ed434bf72c..b803a14c33 100644 --- a/.github/workflows/issues.yaml +++ b/.github/workflows/issues.yaml @@ -16,6 +16,11 @@ jobs: contents: read issues: write # for actions/github-script to create comments steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: text id: controller if: contains(github.event.issue.body, 'nginx.ingress.kubernetes.io') diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 21249a07f9..a429ac90fe 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -12,6 +12,11 @@ jobs: pull-requests: write # for actions/labeler to add labels runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index d27a45375c..3b063282c5 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -24,6 +24,11 @@ jobs: contents: read pull-requests: read # for golangci-lint-action steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index dcbfc809ed..c50d54cf4b 100644 --- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -23,6 +23,11 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index f28257b155..4728305a2a 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml @@ -26,6 +26,11 @@ jobs: contents: read actions: read # for 8398a7/action-slack steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Data uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 continue-on-error: true diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 418a9f6a17..37fecd1181 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -22,6 +22,11 @@ jobs: contents: read runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Branch id: branch run: | diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 416d4351b9..04a71129d3 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -28,6 +28,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 8ce30056b4..f25ef7765d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,6 +13,11 @@ jobs: pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 0bc10369fa..73c4b2a4e0 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -29,6 +29,11 @@ jobs: kic-tag: ${{ steps.kic.outputs.tag }} versions: ${{ steps.versions.outputs.matrix }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 2f294355c0..6babd848f6 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml @@ -28,6 +28,11 @@ jobs: contents: read actions: read # for 8398a7/action-slack steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: From 4df219be74ce6575df38f365eb804f08b58e00d6 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 14:14:03 +0000 Subject: [PATCH 3/5] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .github/workflows/build-plus.yml | 2 +- .github/workflows/ci.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/mend.yml | 2 +- .github/workflows/notifications.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/update-docker-images.yml | 2 +- .github/workflows/updates-notification.yml | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 594d8772cb..a1233d40f9 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -38,7 +38,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f812aef1cd..70f347abcd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -433,7 +433,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index db68d3c80e..29d11b66d5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -23,7 +23,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: "Checkout Repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index a429ac90fe..05de4b87a9 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -16,7 +16,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index c50d54cf4b..bfe275b0e0 100644 --- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -27,7 +27,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index 4728305a2a..4b1995a015 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml 
@@ -30,7 +30,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Data uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 continue-on-error: true diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 04a71129d3..d8a68b5431 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,7 +32,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f25ef7765d..c001b1dc26 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -17,7 +17,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 73c4b2a4e0..be6952dc6b 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -33,7 +33,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 6babd848f6..431862286f 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml 
@@ -32,7 +32,7 @@ jobs: uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: From 57ca32349af21e5e2e19f660ab31d5e58e5446ef Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Mon, 20 Nov 2023 14:18:28 +0000 Subject: [PATCH 4/5] fix: tweek permissions for creating PR --- .github/workflows/release-pr.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 37fecd1181..0e74372aa7 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -16,10 +16,13 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: release: permissions: - contents: read + contents: write runs-on: ubuntu-22.04 steps: - name: Harden Runner From c2a6a74c672a6d8a068ee16477fe7e645220b5a8 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 29 Nov 2023 17:07:50 +0000 Subject: [PATCH 5/5] remove harden runner steps --- .github/workflows/build-oss.yml | 5 --- .github/workflows/build-plus.yml | 5 --- .github/workflows/ci.yml | 35 --------------------- .github/workflows/codeql-analysis.yml | 5 --- .github/workflows/dependabot-hugo.yml | 5 --- .github/workflows/dependency-review.yml | 5 --- .github/workflows/dockerhub-description.yml | 5 --- .github/workflows/fossa.yml | 5 --- .github/workflows/issues.yaml | 5 --- .github/workflows/labeler.yml | 5 --- .github/workflows/lint.yml | 5 --- .github/workflows/mend.yml | 5 --- .github/workflows/notifications.yml | 5 --- .github/workflows/release-pr.yml | 5 --- .github/workflows/scorecards.yml | 5 --- .github/workflows/stale.yml | 5 --- .github/workflows/update-docker-images.yml | 5 --- .github/workflows/updates-notification.yml | 5 --- 18 files changed, 120 deletions(-) 
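Review bot: The `release` job now gets `contents: write` while the new workflow-level block keeps the default at `contents: read`, which is the right layering, but neither grant carries the consumer comment used elsewhere in these workflows (`contents: write # for pushing to Helm Charts repository` in ci.yml); add e.g. `contents: write # for <step that pushes the release branch>`. If, as the subject line says, the job also opens the pull request with `GITHUB_TOKEN`, it will need `pull-requests: write` as well; the steps that would need it are outside the hunk, so confirm against them. Note also that pull requests created with `GITHUB_TOKEN` do not trigger other workflows, which may matter for a release PR that is expected to run CI.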
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index ca83dc242c..d5338f1b1f 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -32,11 +32,6 @@ jobs: version: ${{ steps.meta.outputs.version }} image_digest: ${{ steps.build-push.outputs.digest }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index fd32de7c98..cdefd8a017 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -34,11 +34,6 @@ jobs: id-token: write # for OIDC login to AWS runs-on: ubuntu-22.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index aca5aa4b3b..04eea8a0d9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,11 +34,6 @@ jobs: k8s_latest: ${{ steps.vars.outputs.k8s_latest }} chart_version: ${{ steps.vars.outputs.chart_version }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -71,11 +66,6 @@ jobs: runs-on: ubuntu-22.04 needs: checks steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Golang Environment 
@@ -100,11 +90,6 @@ jobs: id-token: write # for goreleaser/goreleaser-action to sign artifacts issues: write # for goreleaser/goreleaser-action to close milestone steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -185,11 +170,6 @@ jobs: - image: debian-plus type: plus steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -292,11 +272,6 @@ jobs: \"images\": [{\"image\": \"debian\"}, {\"image\": \"debian-plus\"}]}" >> $GITHUB_OUTPUT fi - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -322,11 +297,6 @@ jobs: fail-fast: false matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -429,11 +399,6 @@ jobs: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c3d8bb14c8..49afffe615 100644 --- a/.github/workflows/codeql-analysis.yml 
+++ b/.github/workflows/codeql-analysis.yml @@ -38,11 +38,6 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/dependabot-hugo.yml b/.github/workflows/dependabot-hugo.yml index 2be525c4ca..f9e77fb1f3 100644 --- a/.github/workflows/dependabot-hugo.yml +++ b/.github/workflows/dependabot-hugo.yml @@ -20,11 +20,6 @@ jobs: contents: write pull-requests: read steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Fetch Dependabot metadata id: dependabot-metadata uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 543d21e125..3846d51ae2 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -19,11 +19,6 @@ jobs: contents: read # for actions/checkout pull-requests: write # for actions/dependency-review-action to post comments steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: "Checkout Repository" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index a623c079da..62e7eceea7 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml 
@@ -19,11 +19,6 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Modify readme for DockerHub diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index d07413822e..0afb04c62d 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -22,11 +22,6 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml index bbc3cec4b5..21156f1785 100644 --- a/.github/workflows/issues.yaml +++ b/.github/workflows/issues.yaml @@ -16,11 +16,6 @@ jobs: contents: read issues: write # for actions/github-script to create comments steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: text id: controller if: contains(github.event.issue.body, 'nginx.ingress.kubernetes.io') diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 05de4b87a9..21249a07f9 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -12,11 +12,6 @@ jobs: pull-requests: write # for actions/labeler to add labels runs-on: ubuntu-22.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 3b063282c5..d27a45375c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -24,11 +24,6 @@ jobs: contents: read pull-requests: read # for golangci-lint-action steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index bfe275b0e0..dcbfc809ed 100644 --- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -23,11 +23,6 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index e78178298c..8c2a599a33 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml @@ -26,11 +26,6 @@ jobs: contents: read actions: read # for 8398a7/action-slack steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Data uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 continue-on-error: true diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 92b03adcfc..6f52340813 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -25,11 +25,6 @@ jobs: contents: write runs-on: ubuntu-22.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Branch id: branch run: | diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 1af7639375..837b3189ae 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -28,11 +28,6 @@ jobs: # actions: read steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c001b1dc26..8ce30056b4 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -13,11 +13,6 @@ jobs: pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-22.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index be6952dc6b..0bc10369fa 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -29,11 +29,6 @@ jobs: kic-tag: ${{ steps.kic.outputs.tag }} versions: ${{ steps.versions.outputs.matrix }} steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: 
diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 431862286f..2f294355c0 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml @@ -28,11 +28,6 @@ jobs: contents: read actions: read # for 8398a7/action-slack steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit - - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: