[StepSecurity] Apply security best practices (#65)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Signed-off-by: Tyler Titsworth <tyler.titsworth@intel.com>
Co-authored-by: Tyler Titsworth <titswortht@gmail.com>
Co-authored-by: Tyler Titsworth <tyler.titsworth@intel.com>

Author: 3 people

.github/dependabot.yml

@@ -71,3 +71,43 @@ updates:
     package-ecosystem: pip
     schedule:
       interval: weekly
+
+  - package-ecosystem: docker
+    directory: /classical-ml
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /preset/classical-ml
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /preset/data-analytics
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /preset/deep-learning
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /preset/inference-optimization
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /python
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /pytorch
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /tensorflow
+    schedule:
+      interval: weekly

.github/workflows/chart-ci.yaml

@@ -27,17 +27,22 @@ jobs:
   helm-ci:
     runs-on: kubectl
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
         # ref: "refs/pull/${{ github.event.number }}/merge"
-    - uses: azure/setup-kubectl@v4
-    - uses: azure/setup-helm@v4.2.0
-    - uses: actions/setup-python@v5
+    - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
+    - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+    - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: 3.x
     - name: Setup chart-testing
-      uses: helm/chart-testing-action@v2.6.1
+      uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
     - name: Get chart diff
       id: changed
       run: |

.github/workflows/container-ci.yaml

@@ -38,6 +38,7 @@ on:
       ref:
         description: 'Enter Git Ref:'
         required: true
+        default: 'main'
         type: string
       runner_label:
         description: 'Enter Validation Runner Label:'
@@ -82,7 +83,11 @@ jobs:
       matrix: ${{ steps.build-matrix.outputs.matrix }}
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.ref }}
     - name: Set Matrix
@@ -101,11 +106,11 @@ jobs:
     outputs:
       group: ${{ steps.build-group.outputs.container-group }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.ref }}
       if: ${{ !inputs.no_build }}
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
@@ -114,7 +119,7 @@ jobs:
     - name: Build Container Group
       if: ${{ !inputs.no_build }}
       id: build-group
-      uses: intel/ai-containers/.github@main
+      uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
       with:
         group_dir: ${{ inputs.group_dir }}
         env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }}
@@ -131,7 +136,11 @@ jobs:
     outputs:
       matrix: ${{ steps.scan-matrix.outputs.matrix }}
     steps:
-    - uses: actions/download-artifact@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         path: matrix
     - name: Set Matrix
@@ -146,25 +155,25 @@ jobs:
         container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }}
       fail-fast: false
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.ref }}
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
         password: ${{ secrets.REGISTRY_TOKEN }}
     - name: Pull Image
       run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
     - name: Scan Container
-      uses: intel/ai-containers/.github/scan@main
+      uses: intel/ai-containers/.github/scan@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
       with:
         image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
         output: ${{ matrix.container }}-scan.sarif
     - name: Cleanup
       if: always()
       run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
-    - uses: github/codeql-action/upload-sarif@v3
+    - uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
       with:
         sarif_file: '${{ matrix.container }}-scan.sarif'
         ####################################################################################################
@@ -176,7 +185,11 @@ jobs:
     outputs:
       matrix: ${{ steps.test-matrix.outputs.matrix }}
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.ref }}
     - name: Get Recipes
@@ -192,19 +205,19 @@ jobs:
         experimental: [true]
       fail-fast: false
     steps:
-    - uses: step-security/harden-runner@v2
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
       with:
         egress-policy: audit
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         ref: ${{ inputs.ref }}
-    - uses: docker/login-action@v3
+    - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
       with:
         registry: ${{ secrets.REGISTRY }}
         username: ${{ secrets.REGISTRY_USER }}
         password: ${{ secrets.REGISTRY_TOKEN }}
     - name: Test Container Group
-      uses: intel/ai-containers/test-runner@main
+      uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
       with:
         cache_registry: ${{ secrets.CACHE_REGISTRY }}
         recipe_dir: ${{ inputs.group_dir }}

.github/workflows/dependency-review.yaml

@@ -21,7 +21,10 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
-on: [pull_request]
+on:
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+    branches: [main]
 permissions:
   contents: read
 concurrency:
@@ -32,7 +35,11 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/dependency-review-action@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
       with:
         comment-summary-in-pr: true

.github/workflows/dockerhub-description.yml

@@ -23,7 +23,12 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
     - name: Set matrix data
       id: set-matrix
       run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
@@ -34,8 +39,13 @@ jobs:
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
       fail-fast: false
     steps:
-    - uses: actions/checkout@v4
-    - uses: peter-evans/dockerhub-description@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/docs.yaml

@@ -30,17 +30,21 @@ jobs:
       id-token: write
       pages: write
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+    - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
       with:
         python-version: 3.8
         cache: pip
     - name: Install python requirements
       run: python -m pip install -r docs/requirements.txt
     - name: Build
       run: mkdocs build --clean
-    - uses: actions/upload-pages-artifact@v3
+    - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
       with:
         path: site
     - if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
-      uses: actions/deploy-pages@v4
+      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/gitleaks.yaml

@@ -24,11 +24,15 @@ jobs:
     name: gitleaks
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
         ref: "refs/pull/${{ github.event.number }}/merge"
-    - uses: gitleaks/gitleaks-action@v2
+    - uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
       env:
         GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
         GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}

.github/workflows/integration-test.yaml

@@ -28,7 +28,11 @@ jobs:
     outputs:
       groups: ${{ steps.group-list.outputs.FOLDERS }}
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
         ref: "refs/pull/${{ github.event.number }}/merge"
@@ -75,6 +79,10 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
     - run: exit 1
       if: >-
         ${{

.github/workflows/lint.yaml

@@ -27,11 +27,15 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
         ref: "refs/pull/${{ github.event.number }}/merge"
-    - uses: super-linter/super-linter/slim@v6.5.1
+    - uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1
       env:
         # To report GitHub Actions status checks
         GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}

.github/workflows/scorecard.yaml

@@ -35,20 +35,25 @@ jobs:
       contents: read
       actions: read
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         persist-credentials: false
-    - uses: ossf/scorecard-action@v2.3.3
+    - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
       with:
         results_file: results.sarif
         results_format: sarif
         repo_token: ${{ secrets.ACTION_TOKEN }}
         publish_results: true
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@v3.25.3
+    - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
       with:
         sarif_file: results.sarif