From b1016d5aebba8af001c852149b62146a4bf576bd Mon Sep 17 00:00:00 2001 From: Step Security Date: Thu, 6 Oct 2022 16:26:16 +0000 Subject: [PATCH 1/5] [StepSecurity] ci: Harden GitHub Actions in release.yml --- .github/workflows/release.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bbabd794e..24cdb8070 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,13 +7,19 @@ on: branches: - main name: Run Release Please +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: release-please: + permissions: + contents: write # for google-github-actions/release-please-action to create release commit + pull-requests: write # for google-github-actions/release-please-action to create release PR runs-on: ubuntu-latest # Release-please creates a PR that tracks all changes steps: - - uses: google-github-actions/release-please-action@v3 + - uses: google-github-actions/release-please-action@069d7229d7b10308de85bc606a91e0033e259c8e id: release with: command: manifest @@ -23,10 +29,10 @@ jobs: # These steps are only run if this was a merged release-please PR - name: checkout if: ${{ steps.release.outputs.releases_created }} - uses: actions/checkout@v3 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: Set up JDK 8 if: ${{ steps.release.outputs.releases_created }} - uses: actions/setup-java@v3 + uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d with: java-version: '8' distribution: 'temurin' From 2e3f25787827146bce41349c5c27b3bb8b0a789f Mon Sep 17 00:00:00 2001 From: Step Security Date: Thu, 6 Oct 2022 16:26:17 +0000 Subject: [PATCH 2/5] [StepSecurity] ci: Harden GitHub Actions in static-code-scanning.yaml --- .github/workflows/static-code-scanning.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
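Review bot: The new SHA pin on the release-please-action step (like every other pin in this series) carries no human-readable version, so a reader cannot tell which release `069d7229…` is without resolving it, and a later bump cannot be reviewed as a version change. Keep the pin but append the tag it was resolved from as a trailing comment, `- uses: google-github-actions/release-please-action@069d7229d7b10308de85bc606a91e0033e259c8e # vX.Y.Z`, which is also the form Dependabot and Renovate rely on to keep a SHA pin current. I cannot see a `.github/dependabot.yml` in this series; if one does not already cover the `github-actions` ecosystem, these pins will silently go stale. The job-level `contents: write` / `pull-requests: write` grant looks right for release-please; the rest of the `release-please` job continues past this hunk.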
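Review bot: The pinned `actions/checkout` step still runs with its default `persist-credentials: true`, which writes the job's `GITHUB_TOKEN` — here carrying `contents: write` — into `.git/config`, where every later step, including the Java build that presumably follows the JDK setup, can read it. Unless a later step in this job pushes with that token, add `with:` / `  persist-credentials: false` under `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b`. The remaining steps of the `release-please` job run past the end of this hunk, so I cannot confirm whether the persisted token is needed there.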
diff --git a/.github/workflows/static-code-scanning.yaml b/.github/workflows/static-code-scanning.yaml index 4cc4b6b35..1c12fc531 100644 --- a/.github/workflows/static-code-scanning.yaml +++ b/.github/workflows/static-code-scanning.yaml @@ -15,6 +15,9 @@ on: # * * * * * - cron: '30 1 * * 1' +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: CodeQL-Build: # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest @@ -26,16 +29,16 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 with: languages: java - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 From 740d33f2e687ace3e159961d3778ff65967d1a80 Mon Sep 17 00:00:00 2001 From: Step Security Date: Thu, 6 Oct 2022 16:26:18 +0000 Subject: [PATCH 3/5] [StepSecurity] ci: Harden GitHub Actions in lint-pr.yml --- .github/workflows/lint-pr.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml index 376bf574e..0433b4e4e 100644 --- a/.github/workflows/lint-pr.yml +++ b/.github/workflows/lint-pr.yml 
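Review bot: The new top-level `permissions: contents: read` is the only grant visible for the `CodeQL-Build` job, but `github/codeql-action/analyze` uploads SARIF results and needs `security-events: write` to do so; with a read-only token the analysis step at the end of this file fails at upload. If the job does not already declare its own `permissions:` block in the lines between this hunk and the `steps:` hunk, add one on the job: `permissions:` / `  contents: read` / `  security-events: write` (plus `actions: read`, which GitHub requires only for private repositories). Keep the workflow-level default at `contents: read` and widen scope on this job alone. The `CodeQL-Build` job header is cut by the hunk boundary, so please confirm against the full file.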
@@ -7,11 +7,17 @@ on: - edited - synchronize +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v4 + - uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From e33743fb83da11ea89da56911836beb7fca3f750 Mon Sep 17 00:00:00 2001 From: Step Security Date: Thu, 6 Oct 2022 16:26:19 +0000 Subject: [PATCH 4/5] [StepSecurity] ci: Harden GitHub Actions in merge.yml --- .github/workflows/merge.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 302f788cf..4bf50eaa8 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -22,9 +22,9 @@ jobs: packages: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: Set up JDK 8 - uses: actions/setup-java@v3 + uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d with: java-version: '8' distribution: 'temurin' @@ -34,7 +34,7 @@ jobs: server-password: ${{ secrets.OSSRH_PASSWORD }} - name: Cache local Maven repository - uses: actions/cache@v3 + uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -51,7 +51,7 @@ jobs: run: mvn --batch-mode --update-snapshots verify - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 with: flags: unittests # optional name: coverage # optional From ce57545c790bd6c345051d690baa188e9c5cf974 Mon Sep 17 00:00:00 2001 
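Review bot: The pinned `actions/checkout` step keeps the default `persist-credentials: true` in a job that already holds `packages: write` and, judging by the `secrets.OSSRH_PASSWORD` reference further down this file, publishing credentials; the `GITHUB_TOKEN` lands in `.git/config` for every later step and for any Maven plugin the build resolves. Add `with:` / `  persist-credentials: false` under `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b` unless a later step pushes with it. The job's `permissions:` block begins before this hunk and its build and deploy steps follow after it, so I cannot see whether the persisted token is relied on.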
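Review bot: The `server-password: ${{ secrets.OSSRH_PASSWORD }}` context line at the top of this hunk passes the secret value to an `actions/setup-java` input that, per that action's documented contract, expects the *name* of an environment variable, which the generated `~/.m2/settings.xml` then references as `${env.NAME}`; as written, the secret literal is embedded in that file on the runner. The conventional form is `server-password: MAVEN_PASSWORD` on the setup step and `env:` / `  MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}` on the step that runs the deploy. This line is pre-existing and the setup-java step it belongs to starts before this hunk, so it is out of scope for the pin change itself, but it is worth fixing in the same hardening pass.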
From: Step Security Date: Thu, 6 Oct 2022 16:26:20 +0000 Subject: [PATCH 5/5] [StepSecurity] ci: Harden GitHub Actions in pullrequest.yml --- .github/workflows/pullrequest.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml index a1df30c75..127798c23 100644 --- a/.github/workflows/pullrequest.yml +++ b/.github/workflows/pullrequest.yml @@ -18,22 +18,22 @@ jobs: packages: write steps: - name: Check out the code - uses: actions/checkout@v3 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - name: Set up JDK 8 - uses: actions/setup-java@v3 + uses: actions/setup-java@a18c333f3f14249953dab3e186e5e21bf3390f1d with: java-version: '8' distribution: 'temurin' cache: maven - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 with: languages: java - name: Cache local Maven repository - uses: actions/cache@v3 + uses: actions/cache@56461b9eb0f8438fd15c7a9968e3c9ebb18ceff1 with: path: ~/.m2/repository key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} @@ -44,7 +44,7 @@ jobs: run: mvn --batch-mode --update-snapshots verify # -P integration-test - add this back once we have a compatible flagd - name: Upload coverage to Codecov - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 with: flags: unittests # optional name: coverage # optional @@ -52,4 +52,4 @@ jobs: verbose: true # optional (default = false) - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44
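Review bot: `packages: write` remains on a pull-request job that, as far as this hunk shows, only builds, scans and uploads coverage; this series narrows every other workflow's token but leaves that scope in place, and a PR workflow is the one most likely to run contributor-controlled `pom.xml` content. Drop it unless a later step in this job actually publishes a package, and note that for fork PRs GitHub already downgrades the token to read-only, so the grant only has effect for same-repository branches. Separately, `setup-java` is configured with `cache: maven` and a second `actions/cache` step then caches the same `~/.m2/repository` keyed on `hashFiles('**/pom.xml')`; one of the two is redundant and the explicit `actions/cache` step can go. The job's `permissions:` block starts before this hunk.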
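Review bot: The pinned `github/codeql-action/analyze` step needs `security-events: write` to upload its results, and the only job-level permission visible in this file is `packages: write`; if the block that starts above line 18 does not include `security-events: write`, the final step fails at upload. Add `security-events: write` alongside the job's existing grants (and `actions: read` if the repository is private). Expect uploads from fork-originated `pull_request` runs to be refused regardless, since GitHub issues those runs a read-only token; that is platform behaviour, not something this workflow can fix. The job's `permissions:` block is outside this hunk, so verify against the full file.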