diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml index b7efff71f..f907c452a 100644 --- a/.github/workflows/bicep-build-to-validate.yml +++ b/.github/workflows/bicep-build-to-validate.yml @@ -17,8 +17,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 @@ -114,15 +119,20 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 # Add pipeline tests for Azure Well-Architected Framework. # See https://aka.ms/ps-rule-action for configuration options. - name: Run PSRule analysis - uses: Microsoft/ps-rule@v2 + uses: Microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0 with: modules: PSRule.Rules.Azure baseline: Azure.Preview diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index 5820ebd3d..8a1ed6706 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml 
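Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it does not stop a compromised action or build tool from reaching an attacker-controlled host, so what this step adds is observability, not containment. Once a few runs have produced an endpoint baseline, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list, taking the hosts from the audit report rather than guessing them. The same caveat applies to every Harden Runner step this commit adds, and a validation job like this one, which handles no secrets, is the safest place to try `block` first. The step's own SHA pin with the `# v2.10.1` comment is the right form and lets Dependabot keep it current.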
@@ -7,20 +7,31 @@ on: - main workflow_dispatch: {} +permissions: + contents: read + jobs: lint: + permissions: + contents: read # for actions/checkout to fetch code + statuses: write # for github/super-linter to mark status of each linter run name: Lint code base runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Run github/super-linter - uses: github/super-linter@v7 + uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # v7 env: # Lint all code - disabled in as part of #262 VALIDATE_ALL_CODEBASE: false @@ -42,13 +53,18 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@master + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master with: fetch-depth: 0 - name: Check links in markdown files - uses: gaurav-nelson/github-action-markdown-link-check@1.0.15 + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 with: config-file: ".github/actions-config/mlc_config.json" use-verbose-mode: "yes" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..7b0990bcf --- /dev/null +++ b/.github/workflows/dependency-review.yml 
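Review bot: `actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master` in the markdown-link job pins to an arbitrary commit of `master` rather than a released version, so the comment gives Dependabot/Renovate no tag to track and the next bump will move to whatever `master` is that day, not to something reviewed. The lint job in the same file already uses the release pin; use it here too: `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`. The `gaurav-nelson/github-action-markdown-link-check` pin with its `# 1.0.15` comment is the form to follow.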
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/gh-ado-sync.yml b/.github/workflows/gh-ado-sync.yml index 16e3835b2..5ec1b6081 100644 --- a/.github/workflows/gh-ado-sync.yml +++ b/.github/workflows/gh-ado-sync.yml @@ -13,13 +13,18 @@ jobs: if: github.repository == 'Azure/ALZ-Bicep' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: GitHub/ADO Sync - uses: a11smiles/GitSync@v1.2.3 + uses: a11smiles/GitSync@74d80b4ef67578135781e76ee1d4add1b98969b1 # v1.2.3 env: ado_token: '${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}' config_file: './.github/actions-config/gh-ado-sync-config.json' diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml index 8653fa4ef..612ab6317 100644 --- a/.github/workflows/pr-title-check.yml +++ b/.github/workflows/pr-title-check.yml 
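Review bot: the new `Dependency Review` step carries no `with:` block, so the severity threshold, licence handling and PR summary are whatever the action's defaults happen to be, and nothing in the repo records that policy. Make it explicit so a future default change cannot silently loosen or tighten the gate, e.g. `with:` / `fail-on-severity: moderate` / `comment-summary-in-pr: always` (values to be agreed; as I recall the default fails on any severity, including `low`). The header comment already notes that merge blocking only happens once this job is a required status check, which is a branch-protection change this commit cannot make on its own.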
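Review bot: this job hands a long-lived Azure DevOps PAT (`secrets.ADO_PERSONAL_ACCESS_TOKEN`) to a third-party action, and the new Harden Runner step in `audit` mode would only log, not prevent, that token leaving the runner. This is the job where `egress-policy: block` with an `allowed-endpoints:` list pays off most, presumably just `github.com:443` and `dev.azure.com:443` — confirm the exact hosts from an audit run before switching. Pinning `a11smiles/GitSync` to a SHA is the right move; it is also worth checking that the PAT is scoped to code read/write on the one target ADO project, which is not visible here.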
@@ -7,11 +7,22 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR Title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/psdocs-mdtogit.yml b/.github/workflows/psdocs-mdtogit.yml index 4c3519e1d..3d0000eec 100644 --- a/.github/workflows/psdocs-mdtogit.yml +++ b/.github/workflows/psdocs-mdtogit.yml @@ -26,8 +26,13 @@ jobs: name: Generate Markdown runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Show env run: env | sort diff --git a/.github/workflows/release-tests.yml b/.github/workflows/release-tests.yml index 5060990b9..acaea5c96 100644 --- a/.github/workflows/release-tests.yml +++ b/.github/workflows/release-tests.yml 
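Review bot: the `Show env` step (`run: env | sort`), kept as context right after the re-pinned checkout, prints the entire runner environment to the job log; GitHub masks registered secrets, but anything that is not a registered secret (values composed in `env:`, step outputs, tokens embedded in URLs) is printed in clear, and on a public repo the log is readable by anyone. Nothing in this hunk shows a secret in the environment, so this is a standing footgun rather than a live leak, but it sits oddly in a workflow that is otherwise being hardened; drop the step or gate it with `if: ${{ runner.debug == '1' }}`. The job body continues beyond the hunk.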
@@ -12,16 +12,21 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Repo id: checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 - name: Pester Tests id: pester if: startsWith(github.head_ref, 'release') - uses: azure/powershell@v2 + uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0 with: inlineScript: | Import-Module Pester -Force diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ba8bd9fc..70834503b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,12 @@ jobs: name: Generate Accelerator Release Artifacts runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Zip and Tar run: | @@ -28,7 +33,7 @@ jobs: zip -r ../accelerator.zip . - name: Upload Artifacts to Action - uses: actions/upload-artifact@v4.4.0 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: accelerator path: | @@ -36,7 +41,7 @@ jobs: accelerator.zip - name: Add Artifacts to Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 if: startsWith(github.ref, 'refs/tags/') with: files: | diff --git a/.github/workflows/scheduled-bicep-build.yml b/.github/workflows/scheduled-bicep-build.yml index 0c6140f82..526da82d4 100644 --- a/.github/workflows/scheduled-bicep-build.yml +++ b/.github/workflows/scheduled-bicep-build.yml 
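Review bot: release.yml receives the Harden Runner step and the SHA pins but, unlike code-review.yml and the update-policy workflows in this same commit, none of its hunks add a `permissions:` block, so if the file has none (not visible here) the `softprops/action-gh-release` step runs with whatever the repository's default `GITHUB_TOKEN` grants. Make it explicit at job level — `permissions:` / `contents: write  # softprops/action-gh-release uploads release assets` — and set the workflow-level default to `contents: read` as the other files now do. The `Zip and Tar` step's script runs past the first hunk.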
@@ -16,8 +16,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c2eee6cee..f6c2a5987 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/update-policy-china.yml b/.github/workflows/update-policy-china.yml index f9a7cc30c..516801df3 100644 --- a/.github/workflows/update-policy-china.yml +++ b/.github/workflows/update-policy-china.yml @@ -13,6 +13,9 @@ env: pr_title: "feat: Update Policy Library for Azure China (automated)" pr_body: "This is an automated 'pull_request' containing updates to the library templates stored in '/infra-as-code/bicep/modules/policy/definitions/lib/china' & '/infra-as-code/bicep/modules/policy/assignments/lib'.\nPlease review the 'files changed' tab to review changes." +permissions: + contents: read + jobs: update-templates: name: Update Policy Library 
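Review bot: scorecard.yml's checkout stays at `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` while every other workflow in this commit moves to `eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`; nothing is wrong with the older pin, but two pinned versions of the same action in one repo means two things to bump on the next advisory and a confusing Dependabot PR. Bring it in line: `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`. The hunk ends inside that checkout step's `with:` block.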
@@ -22,20 +25,25 @@ jobs: contents: write pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Local repository checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: path: ${{ github.repository }} fetch-depth: 0 - name: Remote repository checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: ${{ env.remote_repository }} path: ${{ env.remote_repository }} ref: main - - uses: tibdex/github-app-token@v2 + - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: app_id: ${{ secrets.APP_ID }} @@ -65,7 +73,7 @@ jobs: GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} - name: Update Policy Library - uses: azure/powershell@v2 + uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0 with: inlineScript: | Write-Information "==> Running script..." -InformationAction Continue @@ -82,7 +90,7 @@ jobs: Install-Module -Name 'ALZ' -Force - name: Update Policy Definition Bicep Input Files - uses: azure/powershell@v2 + uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0 with: inlineScript: | cd ${{ github.workspace }}/${{ github.repository }} diff --git a/.github/workflows/update-policy.yml b/.github/workflows/update-policy.yml index 369a44085..6eb1da2b8 100644 --- a/.github/workflows/update-policy.yml +++ b/.github/workflows/update-policy.yml 
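Review bot: the `Remote repository checkout` step pulls `${{ env.remote_repository }}` at `ref: main`, a moving branch, while the rest of this commit is about pinning third-party inputs to immutable SHAs; whatever lands on that branch feeds the automated policy-library PR this job opens with `contents: write` and an app token. If the later script steps only read data files from it the exposure is bounded to content, but that is inferred, not visible here. Pin the upstream to a tag or commit (`ref: <release tag or SHA>`, bumped deliberately), or at least document that tracking `main` is intentional: `ref: main  # deliberately tracks upstream main; PR review is the control`. The app-token step's inputs continue past the hunk.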
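Review bot: `Install-Module -Name 'ALZ' -Force`, kept as context in the last hunk of this file, installs the newest PowerShell Gallery version on every run with no version pin or hash check, which is the same mutable-dependency problem the action SHA pins in this commit are fixing, and that module's code then runs inside a job holding write permissions. Pin it, `Install-Module -Name 'ALZ' -RequiredVersion '<version>' -Force`, and bump it the same way the actions are bumped. The `inlineScript` body continues outside the hunk.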
@@ -13,6 +13,9 @@ env: pr_title: "feat: Update Policy Library (automated)" pr_body: "This is an automated 'pull_request' containing updates to the library templates stored in '/infra-as-code/bicep/modules/policy/definitions/lib' & '/infra-as-code/bicep/modules/policy/assignments/lib'.\nPlease review the 'files changed' tab to review changes." +permissions: + contents: read + jobs: update-templates: name: Update Policy Library @@ -22,20 +25,25 @@ jobs: contents: write pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Local repository checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: path: ${{ github.repository }} fetch-depth: 0 - name: Remote repository checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: ${{ env.remote_repository }} path: ${{ env.remote_repository }} ref: main - - uses: tibdex/github-app-token@v2 + - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0 id: generate-token with: app_id: ${{ secrets.APP_ID }} @@ -65,7 +73,7 @@ jobs: GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }} - name: Update Policy Library - uses: azure/powershell@v2 + uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0 with: inlineScript: | Write-Information "==> Running script..." -InformationAction Continue @@ -82,7 +90,7 @@ jobs: Install-Module -Name 'ALZ' -Force - name: Update Policy Definition Bicep Input Files - uses: azure/powershell@v2 + uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0 with: inlineScript: | cd ${{ github.workspace }}/${{ github.repository }} diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml index 816cdc6a8..b1dcfe639 100644 --- a/.github/workflows/wiki-sync.yml 
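Review bot: in the second hunk the `Remote repository checkout` still tracks `ref: main` of `${{ env.remote_repository }}`, so the one input that ends up as content in an automated PR opened with `contents: write` is the only one in this job left unpinned after this commit. Whether the scripts execute anything from that checkout or only read template files cannot be seen in the hunk, so treat the risk as unconfirmed, but either pin it (`ref: <release tag or SHA>`) or say why not: `ref: main  # intentionally follows upstream main; changes land via reviewed PR`. The `tibdex/github-app-token` step continues past the hunk.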
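Review bot: the last hunk re-pins `azure/powershell` by SHA but leaves the context line `Install-Module -Name 'ALZ' -Force` pulling an unversioned module from the PowerShell Gallery at run time, so the gallery remains a mutable code source inside a job with `contents: write` and `pull-requests: write`. Add a pin, `Install-Module -Name 'ALZ' -RequiredVersion '<version>' -Force`, and treat bumps of that version like action bumps. The surrounding `inlineScript` starts and ends outside the hunk.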
+++ b/.github/workflows/wiki-sync.yml @@ -15,6 +15,9 @@ env: github_email: "41898282+github-actions[bot]@users.noreply.github.com" github_commit_message: "Wiki Sync from docs/wiki" +permissions: + contents: read + jobs: sync-wiki: name: Sync docs/wiki to Wiki @@ -24,14 +27,19 @@ jobs: contents: write pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout Source Repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: ${{ env.wiki_source_repo }} path: ${{ env.wiki_source_repo }} - name: Checkout Wiki Repo - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: repository: ${{ env.wiki_target_repo }} path: ${{ env.wiki_target_repo }}