Skip to content

Commit

Permalink
[StepSecurity] Apply security best practices (#238)
Browse files Browse the repository at this point in the history
  • Loading branch information
step-security-bot authored Jan 26, 2025
1 parent 42bcc57 commit 6699412
Show file tree
Hide file tree
Showing 8 changed files with 118 additions and 31 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/bench.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,14 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Restore dependencies
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/comparison-bench.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,17 +22,22 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Get all history to allow automatic versioning using MinVer
- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Comparison Bench
shell: pwsh
run: ./comparison-bench.ps1
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: benchmarks-${{ matrix.os }}
if-no-files-found: error
Expand Down
27 changes: 27 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: "Dependency Review"
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- name: "Checkout Repository"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: "Dependency Review"
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
65 changes: 45 additions & 20 deletions .github/workflows/dotnet.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,19 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET (old versions)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
dotnet-version: |
8.0.x
- name: Setup .NET (global.json)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Restore dependencies
Expand All @@ -47,12 +52,12 @@ jobs:
- name: Test
run: dotnet test -c ${{ matrix.configuration }} --no-build --verbosity normal --collect:"XPlat Code Coverage"
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
flags: ${{ matrix.os }}
token: ${{ secrets.CODECOV_TOKEN }}
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v5
uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
with:
flags: ${{ matrix.configuration }}
token: ${{ secrets.CODECOV_TOKEN }}
Expand All @@ -65,9 +70,14 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Format verify no changes
Expand All @@ -81,14 +91,19 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup .NET (old versions)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
dotnet-version: |
8.0.x
- name: Setup .NET (global.json)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Restore dependencies
Expand All @@ -100,20 +115,25 @@ jobs:
pack:
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Get all history to allow automatic versioning using MinVer
- name: Create tag (to set version of nuget package)
if: ${{ github.event.inputs.version != '' && github.actor == 'nietras' }}
run: |
git tag v${{ github.event.inputs.version }}
- name: Setup .NET (old versions)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
dotnet-version: |
8.0.x
- name: Setup .NET (global.json)
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
# No need to define min ver version globally now since only uploading release
Expand All @@ -133,7 +153,7 @@ jobs:
run: dotnet pack -c Release --output ${{ env.NuGetDirectory }}
- name: Get version of dll
run: (Get-Item ./artifacts/bin/Sep/release_net8.0/Sep.dll).VersionInfo.ProductVersion
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: nuget
if-no-files-found: error
Expand All @@ -148,15 +168,20 @@ jobs:
if: ${{ github.event.inputs.version != '' && github.actor == 'nietras' }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download nuget packages
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: nuget
path: ${{ env.NuGetDirectory }}
- name: Create release
id: create_release
uses: actions/create-release@v1
uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand All @@ -168,7 +193,7 @@ jobs:
git tag v${{ github.event.inputs.version }}
git push origin v${{ github.event.inputs.version }}
- name: Upload nupkg package
uses: actions/upload-release-asset@v1
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand All @@ -177,7 +202,7 @@ jobs:
asset_name: Sep.${{ github.event.inputs.version }}.nupkg
asset_content_type: application/zip
- name: Upload snupkg package
uses: actions/upload-release-asset@v1
uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
Expand All @@ -186,7 +211,7 @@ jobs:
asset_name: Sep.${{ github.event.inputs.version }}.snupkg
asset_content_type: application/zip
- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Push nupkg package
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/nativeaot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,17 +24,22 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Get all history to allow automatic versioning using MinVer
- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
with:
global-json-file: global.json
- name: Publish Tester
shell: pwsh
run: ./publish-tester.ps1
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: artifacts-${{ matrix.os }}
if-no-files-found: error
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,11 @@ jobs:
# actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v4.1.1
with:
Expand Down Expand Up @@ -68,6 +73,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
with:
sarif_file: results.sarif
9 changes: 7 additions & 2 deletions .github/workflows/super-linter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,15 +21,20 @@ jobs:
statuses: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# super-linter needs the full git history to get the
# list of files that changed across commits
fetch-depth: 0

- name: Super-linter
uses: super-linter/[email protected] # x-release-please-version
uses: super-linter/super-linter@85f7611e0f7b53c8573cca84aa0ed4344f6f6a4d # v7.2.1
env:
# dotnet format not working, checked during build instead
VALIDATE_CSHARP: false
Expand Down
10 changes: 10 additions & 0 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace

0 comments on commit 6699412

Please sign in to comment.