chore: address code scanning security concerns (#7)

* chore: restrict permissions for action workflows * chore: add license * chore: add contributing.md * docs: update readme
nwesterhausen · Jan 24, 2024 · 007d772 · 007d772
1 parent 6a78d69
commit 007d772
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 13 deletions.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -9,11 +9,8 @@ on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch: {}
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
  contents: read
- pages: write
- id-token: write
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -71,6 +68,11 @@ jobs:
  name: github-pages
  url: ${{ steps.deployment.outputs.page_url }}
  runs-on: ubuntu-latest
+ # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+ permissions:
+ contents: read
+ pages: write
+ id-token: write
  steps:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
  with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,12 +12,15 @@ env:
  itch_target: nwesterhausen/elementalist
 
 permissions:
- contents: write
+ contents: read
 
 jobs:
  # Build for wasm
  release-wasm:
  runs-on: ubuntu-latest
+ # To upload artifacts, contents write permission is required
+ permissions:
+ contents: write
 
  steps:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -69,6 +72,9 @@ jobs:
  # Build for Linux
  release-linux:
  runs-on: ubuntu-latest
+ # To upload artifacts, contents write permission is required
+ permissions:
+ contents: write
 
  steps:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -121,6 +127,9 @@ jobs:
  # Build for Windows
  release-windows:
  runs-on: windows-latest
+ # To upload artifacts, contents write permission is required
+ permissions:
+ contents: write
 
  steps:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -169,6 +178,9 @@ jobs:
  # Build for MacOS x86_64
  release-macOS-intel:
  runs-on: macOS-latest
+ # To upload artifacts, contents write permission is required
+ permissions:
+ contents: write
 
  steps:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -219,6 +231,9 @@ jobs:
  # Build for MacOS Apple Silicon
  release-macOS-apple-silicon:
  runs-on: macOS-latest
+ # To upload artifacts, contents write permission is required
+ permissions:
+ contents: write
  env:
  # macOS 11 was the first version to support ARM
  MACOSX_DEPLOYMENT_TARGET: 11

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -2,7 +2,6 @@ name: Build & Test
 
 permissions:
  contents: read
- checks: write
 
 on:
  push:
@@ -13,7 +12,7 @@ on:
 env:
  CARGO_TERM_COLOR: always
 
- # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
  group: rust

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -6,13 +6,13 @@ name: Scorecard supply-chain security
 on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
+ branch_protection_rule: {}
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
- - cron: '15 16 * * 2'
+ - cron: 15 16 * * 2
  push:
- branches: ['main']
+ branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -34,12 +34,12 @@ jobs:
  - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
  with:
  egress-policy: audit
- - name: 'Checkout code'
+ - name: Checkout code
  uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
  with:
  persist-credentials: false
 
- - name: 'Run analysis'
+ - name: Run analysis
  uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
  with:
  results_file: results.sarif
@@ -61,15 +61,15 @@ jobs:
 
  # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
  # format to the repository Actions tab.
- - name: 'Upload artifact'
+ - name: Upload artifact
  uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
  with:
  name: SARIF file
  path: results.sarif
  retention-days: 5
 
  # Upload the results to GitHub's code scanning dashboard.
- - name: 'Upload to code-scanning'
+ - name: Upload to code-scanning
  uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
  with:
  sarif_file: results.sarif
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,16 @@
+# Contributing Guidelines
+
+Contributions are welcome as long as they are in the spirit of the game or help improve it.
+
+1. Fork the project
+2. (optional, but desired) Open an Issue for what you are doing
+3. Make a pull request
+4. If the checks pass and code reviewed then it can be merged for the next release (Thanks!)
+
+There are no requirements for having an issue before working on code but that would be considered polite (so if it is your idea, open an issue first).
+
+## Spells, assets, and other "low-code/no-code" contributions
+
+Pull requests welcome that are not code related as well. Please follow same steps as above.
+
+If discussion needs to happen about changes it can be in the pull request or issue connected to the PR.
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Nicholas Westerhausen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -12,3 +12,10 @@
 - [Game Assets](./game_assets) has the raw graphics assets (which get exported to [game/assets](./game/assets/)
 - [Game Data](./game_data) has the data files that create spells (and other things) in the game
 - [Game Library](./game_library) has most of the components and resources used by the game (for ease of testing)
+
+## How to Install / Use
+
+Find the latest release in the [releases](https://github.com/nwesterhausen/elementalist/releases) and download the one appropriate to your platform. Unzip and run the game!
+
+Because the game loads assets and data, the archives contain the appropriate directories already (note on MacOS it is hidden inside the .app file). Without the `game_data`
+directory, no spells will be loaded, which will make the game unplayable.