diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 56942216..19c03faf 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,4 +15,9 @@ updates: directory: "/" schedule: # Check for updates to GitHub Actions every week - interval: "weekly" \ No newline at end of file + interval: "weekly" + + - package-ecosystem: docker + directory: /container + schedule: + interval: daily diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml index f42f0e1a..1290fbae 100644 --- a/.github/workflows/deny.yml +++ b/.github/workflows/deny.yml @@ -14,10 +14,15 @@ jobs: continue-on-error: ${{ matrix.checks == 'sources' }} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - run: bash sh_script/preparation.sh - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: EmbarkStudios/cargo-deny-action@68cd9c5e3e16328a430a37c743167572e3243e7e # v1.5.15 with: command: check ${{ matrix.checks }} \ No newline at end of file diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 0eba4253..db6dfb78 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -12,23 +12,28 @@ jobs: name: Clippy runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive # Install first since it's needed to build NASM - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@v1 + uses: KyleMayes/install-llvm-action@1a3da29f56261a1e1f937ec88f0856a9b8321d7e # v1 with: version: "10.0" directory: ${{ runner.temp }}/llvm - name: install NASM - uses: ilammy/setup-nasm@v1 + uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 # v1.5.1 - name: Install toolchain with clippy available - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal toolchain: nightly-2023-12-31 @@ -47,22 +52,27 @@ jobs: steps: # Install first since it's needed to build NASM + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@v1 + uses: KyleMayes/install-llvm-action@1a3da29f56261a1e1f937ec88f0856a9b8321d7e # v1 with: version: "10.0" directory: ${{ runner.temp }}/llvm - name: install NASM - uses: ilammy/setup-nasm@v1 + uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 # v1.5.1 - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - name: Install toolchain with rustfmt available - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal toolchain: nightly-2023-12-31 @@ -73,12 +83,12 @@ jobs: run: bash sh_script/preparation.sh - name: Run cargo check - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: check - name: Run cargo fmt - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: fmt args: -- --check \ No newline at end of file diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml index 646f4b9d..447a8e1a 100644 --- a/.github/workflows/fuzz.yml +++ b/.github/workflows/fuzz.yml @@ -17,6 +17,9 @@ env: TOOLCHAIN_PROFILE: minimal AFL_NO_AFFINITY: 1 +permissions: + contents: read + jobs: test: name: Fuzzing Test @@ -27,10 +30,15 @@ jobs: timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: nightly-2023-12-31 profile: minimal @@ -38,22 +46,22 @@ jobs: components: rust-src, llvm-tools-preview - name: Run cargo install cargo-xbuild - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: install args: cargo-xbuild - name: install NASM - uses: ilammy/setup-nasm@v1 + uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 # v1.5.1 - name: Install AFL - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: install args: cargo-afl - name: Install Cargo-Fuzz - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: install args: cargo-fuzz diff --git a/.github/workflows/integration-tdx.yml b/.github/workflows/integration-tdx.yml index 4191f3c0..a3d187a6 100644 --- a/.github/workflows/integration-tdx.yml +++ b/.github/workflows/integration-tdx.yml @@ -14,6 +14,9 @@ env: RUST_TOOLCHAIN: nightly-2023-12-31 TOOLCHAIN_PROFILE: minimal +permissions: + contents: read + jobs: virtio_vsock: name: Run TDX Integration Test (virtio-vsock) @@ -33,12 +36,17 @@ jobs: # - name: Install tools for sgx lib # run: sudo dnf group install 'Development Tools' | sudo dnf --enablerepo=powertools install ocaml ocaml-ocamlbuild wget rpm-build pkgcon + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Clean test repository run: | sudo rm -rf sh_script/test/ - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive @@ -74,12 +82,17 @@ jobs: runs-on: [self-hosted, tdx] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Clean test repository run: | sudo rm -rf sh_script/test/ - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive diff --git a/.github/workflows/library.yml b/.github/workflows/library.yml index 69297c22..13d03d85 100644 --- a/.github/workflows/library.yml +++ b/.github/workflows/library.yml @@ -24,27 +24,32 @@ jobs: steps: # Install first since it's needed to build NASM + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@v1 + uses: KyleMayes/install-llvm-action@1a3da29f56261a1e1f937ec88f0856a9b8321d7e # v1 with: version: "10.0" directory: ${{ runner.temp }}/llvm - name: install NASM - uses: ilammy/setup-nasm@v1 + uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 # v1.5.1 - name: Install tools for sgx lib run: sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl - name: Install nightly toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: ${{ env.TOOLCHAIN_PROFILE }} toolchain: ${{ env.NIGHTLY_RUST_TOOLCHAIN }} override: true - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 213162dc..ab05a5a3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -22,25 +22,30 @@ jobs: steps: # Install first since it's needed to build NASM + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install LLVM and Clang - uses: KyleMayes/install-llvm-action@v1 + uses: KyleMayes/install-llvm-action@1a3da29f56261a1e1f937ec88f0856a9b8321d7e # v1 with: version: "10.0" directory: ${{ runner.temp }}/llvm - name: Install NASM - uses: ilammy/setup-nasm@v1 + uses: ilammy/setup-nasm@13cbeb366c45c4379d3478cdcbadd8295feb5028 # v1.5.1 - name: Install tools for sgx lib run: sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 libssl-dev git cmake perl - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - name: Install toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: ${{ env.TOOLCHAIN_PROFILE }} toolchain: ${{ env.RUST_TOOLCHAIN }} @@ -48,7 +53,7 @@ jobs: components: rust-src - name: Run cargo install cargo-xbuild - uses: actions-rs/cargo@v1 + uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 with: command: install args: cargo-xbuild diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a595bc76..0c64ddc5 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: