From 66cadf962311459fa5a20e1c8a9b557d68c2a1e7 Mon Sep 17 00:00:00 2001
From: Julian Hofer
Date: Mon, 17 Mar 2025 15:16:01 +0100
Subject: [PATCH] ci: pin github actions
- pin external actions
- enforce sha also in the future
For motivation see https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised and https://michaelheap.com/pin-your-github-actions/
---
 .github/workflows/coverage.yml | 4 ++--
 .github/workflows/enforce-sha.yaml | 15 +++++++++++++++
 .github/workflows/release.yml | 10 +++++-----
 .github/workflows/rust-linting.yml | 10 +++++-----
 .github/workflows/rust-tests.yml | 6 +++---
 .github/workflows/typos.yml | 4 ++--
 6 files changed, 32 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/enforce-sha.yaml
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 62dc202..81ad97b 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -10,14 +10,14 @@ jobs:
 options: --security-opt seccomp=unconfined
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - name: Generate code coverage
 run: |
 cargo +nightly tarpaulin --verbose --all-features --workspace --timeout 120 --out xml
 - name: Upload to codecov.io
- uses: codecov/codecov-action@v2
+ uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2
 with:
 token: ${{secrets.CODECOV_TOKEN}}
 fail_ci_if_error: true
diff --git a/.github/workflows/enforce-sha.yaml b/.github/workflows/enforce-sha.yaml
new file mode 100644
index 0000000..3a57dbb
--- /dev/null
+++ b/.github/workflows/enforce-sha.yaml
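Review bot: Both pins in this hunk freeze old majors (`# v2` of actions/checkout and of codecov/codecov-action), and nothing in the commit keeps the SHAs current: the diffstat adds no Dependabot or Renovate configuration for the github-actions ecosystem, so these commits will silently age and the next bump has to be done by hand. Pinning is only as strong as its update path; a follow-up adding `.github/dependabot.yml` with a `package-ecosystem: github-actions` entry (or the equivalent Renovate rule) would make bumps land as reviewable PRs that rewrite both the SHA and the trailing `# vN` comment. It is also worth recording the full tag in that comment rather than only the major, since once the ref is a SHA the comment is the sole human-readable provenance a reviewer can check.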
@@ -0,0 +1,15 @@
+on: push
+
+name: Security
+
+jobs:
+ ensure-pinned-actions:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Ensure SHA pinned actions
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@25ed13d0628a1601b4b44048e63cc4328ed03633 # v3
+ with:
+ allowlist: |
+ - prefix-dev/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7495190..82952d1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,10 +19,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Install Rust
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
 with:
 toolchain: stable
 target: ${{ matrix.target }}
@@ -35,7 +35,7 @@ jobs:
 run: cargo build --release --target ${{ matrix.target }}
 - name: Upload Artifact
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
 with:
 name: shell-${{ matrix.target }}
 path: target/${{ matrix.target }}/release/shell
@@ -46,10 +46,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Upload to Release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
 with:
 files: |
 **/shell-x86_64-unknown-linux-gnu
diff --git a/.github/workflows/rust-linting.yml b/.github/workflows/rust-linting.yml
index bff4715..91958f4 100644
--- a/.github/workflows/rust-linting.yml
+++ b/.github/workflows/rust-linting.yml
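Review bot: The new enforce-sha workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN grant even though it only needs to read the checkout; add `permissions:` / `  contents: read` at the workflow level so a compromise of either third-party step cannot use a broader token. The `on: push` trigger also means an unpinned action introduced in a pull request is only flagged after it has landed; `on: [push, pull_request]` would surface it at review time. The `allowlist` exempts everything under `prefix-dev/`, which is a reasonable choice for the org's own actions but leaves those refs as mutable tags — a one-line comment above it stating that trade-off would stop a later reader from assuming the exemption was an oversight.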
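Review bot: `actions-rs/toolchain` is pinned in this hunk at a `# v1` commit, but that action appears to be archived upstream (confirm against the repository's current status), so the SHA freezes code that will not receive security fixes; the same pin recurs in both hunks of rust-linting.yml and in rust-tests.yml. Likewise `actions/upload-artifact@… # v3` in the second hunk of this file is on a major GitHub has announced as deprecated, so the pin may already point at an action that stops working. Pinning is the right first step, but replacing archived or deprecated actions with maintained ones should follow in a separate change, since a frozen SHA of an unmaintained action stays exposed indefinitely.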
@@ -17,10 +17,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Rust
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
 with:
 toolchain: stable
 profile: minimal
@@ -33,16 +33,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Rust
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
 with:
 toolchain: stable
 profile: minimal
 override: true
- - uses: Swatinem/rust-cache@v2
+ - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 - name: Run cargo clippy
 run: cargo clippy --all-targets --workspace -- -D warnings
diff --git a/.github/workflows/rust-tests.yml b/.github/workflows/rust-tests.yml
index 729109b..3c9f3c9 100644
--- a/.github/workflows/rust-tests.yml
+++ b/.github/workflows/rust-tests.yml
@@ -20,16 +20,16 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Set up Rust
- uses: actions-rs/toolchain@v1
+ uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
 with:
 toolchain: stable
 profile: minimal
 override: true
- - uses: Swatinem/rust-cache@v2
+ - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2
 - name: Run tests
 run: cargo test --workspace --all-targets
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index d9700b1..c11e0fa 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -17,6 +17,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Actions Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 - name: Check spelling
- uses: crate-ci/typos@master
+ uses: crate-ci/typos@b48ba0f02b2a623fe5852b679366636e783ada3d # master
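Review bot: The new `crate-ci/typos` pin is annotated `# master`, which names a branch rather than a release; the SHA itself is immutable, but the comment gives a reviewer no way to tell which typos release (if any) that commit shipped in, and an automated updater cannot map it back to a tag. Pin the commit of a tagged release and label it with that tag, e.g. `uses: crate-ci/typos@<release-commit-sha> # <release-tag>` (placeholders, fill from upstream), so the provenance is auditable and the intent of the new enforce-sha check — reviewed releases, not branch heads — holds here as well.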