

Merge pull request #170 from step-security-bot/stepsecurity_remediati…
…on_1712289640

[StepSecurity] Apply security best practices
scott-wilson authored Apr 5, 2024
2 parents 1556bfd + c1f1c45 commit d3747f5
Showing 12 changed files with 173 additions and 54 deletions.
18 changes: 13 additions & 5 deletions .github/workflows/codeql_c.yml
Expand Up @@ -36,6 +36,9 @@ on:
schedule:
- cron: "0 0 * * 1"

permissions:
contents: read

jobs:
analyze_c:
name: Analyze C
Expand All @@ -49,20 +52,25 @@ jobs:
security-events: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
languages: cpp

# Build C Project
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- name: Make Build Directory
run: mkdir -p build
- name: CMake Configure
Expand All @@ -77,6 +85,6 @@ jobs:
# Run the analysis
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
category: "/language:cpp"
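Review bot: `egress-policy: audit` on the new Harden Runner step only records the job's outbound connections; it does not stop a compromised dependency or action from reaching an arbitrary host with the job's token, so once a few audited runs have shown the endpoints this job actually needs, the step should move to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit report. The same audit-only setting is added in codeql_cpp.yml, codeql_python.yml, dependabot_reviewer.yml, dependency-review.yml, rust-audit.yml, scorecard.yml, test_suite_c.yml, test_suite_cpp.yml and test_suite_python.yml, and the same follow-up applies to each of them. Separately, the comment on `dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable` names a branch rather than a release: the SHA freezes the action's code, but that branch appears to install whatever `stable` resolves to on the day the job runs, so the pin does not make the compiler version reproducible. A comment such as `# pins the action, not the Rust version` on that line would keep a later reader from assuming otherwise; the same pin is used in the other Rust-building workflows in this commit.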
18 changes: 13 additions & 5 deletions .github/workflows/codeql_cpp.yml
Expand Up @@ -36,6 +36,9 @@ on:
schedule:
- cron: "0 0 * * 1"

permissions:
contents: read

jobs:
analyze_cpp:
name: Analyze C++
Expand All @@ -49,20 +52,25 @@ jobs:
security-events: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
languages: cpp

# Build C++ Project
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- name: Make Build Directory
run: mkdir -p build
- name: CMake Configure
Expand All @@ -77,6 +85,6 @@ jobs:
# Run the analysis
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
category: "/language:cpp"
16 changes: 12 additions & 4 deletions .github/workflows/codeql_python.yml
Expand Up @@ -36,6 +36,9 @@ on:
schedule:
- cron: "0 0 * * 1"

permissions:
contents: read

jobs:
analyze:
name: Analyze Python
Expand All @@ -59,21 +62,26 @@ jobs:
security-events: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
languages: python

# Build Python Project
- name: Setup Python ${{matrix.python-version}}
id: setup-python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: ${{matrix.python-version}}
cache: 'pip'
Expand All @@ -86,6 +94,6 @@ jobs:

# Run the analysis
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
category: "/language:python"
7 changes: 6 additions & 1 deletion .github/workflows/dependabot_reviewer.yml
Expand Up @@ -11,9 +11,14 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2
uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef # v2.0.0
- name: Enable auto-merge for Dependabot PRs
run: gh pr merge --auto --merge "$PR_URL"
env:
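Review bot: The `gh pr merge --auto --merge "$PR_URL"` step on this job needs write access to the repository, yet the hunk shows no job-level `permissions:` block, and unlike the codeql workflows this commit does not add a read-only workflow default here. Declaring `permissions:` with `contents: write` and `pull-requests: write` on this job only, with a read-only default at the top of the file, makes the grant explicit and keeps any other job in the file from inheriting it. The workflow's `on:` trigger, its top-level permissions and the `env:` block that sets `PR_URL` are outside the hunk, so this may already be handled there; if it is not, it is worth fixing in the same pass as the pins.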
27 changes: 27 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
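Review bot: `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` on the checkout step is the only checkout in this commit still on the v3 line; every other workflow here pins `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, and the v3 line runs on the deprecated Node 16 runtime, so this new file should use the same v4.1.1 pin as the others. The `actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1` pin should likewise be checked against the action's current release before it is frozen, since a brand-new workflow is the one place where starting on an old major costs nothing to correct. The step also runs with no `with:` block; if the intent stated in the header comment is to block vulnerable packages, setting `fail-on-severity:` explicitly documents the threshold the check enforces rather than leaving it to the action's default.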
52 changes: 36 additions & 16 deletions .github/workflows/rust-audit.yml
Expand Up @@ -9,46 +9,66 @@ jobs:
name: Audit Rust
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: EmbarkStudios/cargo-deny-action@v1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
audit_c:
name: Audit C
runs-on: ubuntu-latest
defaults:
run:
working-directory: bindings/c
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: EmbarkStudios/cargo-deny-action@v1
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
audit_cpp:
name: Audit C++
runs-on: ubuntu-latest
defaults:
run:
working-directory: bindings/cpp
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: EmbarkStudios/cargo-deny-action@v1
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
audit_python:
name: Audit Python
runs-on: ubuntu-latest
defaults:
run:
working-directory: bindings/python
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: EmbarkStudios/cargo-deny-action@v1
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
5 changes: 5 additions & 0 deletions .github/workflows/scorecard.yml
Expand Up @@ -31,6 +31,11 @@ jobs:
# actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
17 changes: 11 additions & 6 deletions .github/workflows/test_suite_c.yml
Expand Up @@ -38,19 +38,24 @@ jobs:
cmake_flags: -DBUILD_WITH_CHECK_COVERAGE=ON
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- name: Install cargo-llvm-cov
uses: taiki-e/install-action@cargo-llvm-cov
uses: taiki-e/install-action@6ec01d6033d5f6e87d04fc92d55eaa5b132b1ad4 # cargo-llvm-cov
- name: Run Cargo Clippy
run: cargo clippy
- name: Run Cargo Fmt
run: cargo fmt --check
- name: Run Cargo Deny
uses: EmbarkStudios/cargo-deny-action@v1
uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
if: ${{ matrix.os == 'ubuntu-latest' }}
- name: Generate coverage report from Rust tests
run: cargo llvm-cov --all-features --lcov --output-path lcov.info
Expand Down Expand Up @@ -86,7 +91,7 @@ jobs:
sudo apt update
sudo apt install -y lcov
lcov -c -d . -o coverage.info
- uses: codecov/codecov-action@v4
- uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
with:
flags: lang-c
files: build/coverage.info
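Review bot: The Harden Runner step is added to a job that runs on `${{matrix.os}}`, and the `if: ${{ matrix.os == 'ubuntu-latest' }}` guard on the Run Cargo Deny step suggests the matrix includes non-Ubuntu entries; step-security/harden-runner is documented for Ubuntu runners, so on the other matrix entries the step is likely a no-op at best and should either carry the same `if: ${{ matrix.os == 'ubuntu-latest' }}` guard or a comment recording that it only takes effect on the Ubuntu leg. The same applies to the Harden Runner steps added in test_suite_cpp.yml and test_suite_python.yml, whose jobs also run on `${{matrix.os}}`. Separately, the comment on `taiki-e/install-action@6ec01d6033d5f6e87d04fc92d55eaa5b132b1ad4 # cargo-llvm-cov` names the tool branch rather than a release, so the SHA freezes the action code while the cargo-llvm-cov version appears to come from that commit's own manifest; a comment such as `# pins the action; the tool version is the action's default at this commit` would make that explicit. The matrix definition is above the hunk, so the exact OS list cannot be confirmed from here.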
13 changes: 9 additions & 4 deletions .github/workflows/test_suite_cpp.yml
Expand Up @@ -38,11 +38,16 @@ jobs:
cmake_flags: -DBUILD_WITH_CHECK_COVERAGE=ON
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- name: Make Build Directory
run: mkdir -p build
- name: CMake Configure
Expand Down Expand Up @@ -75,7 +80,7 @@ jobs:
sudo apt update
sudo apt install -y lcov
lcov -c -d . -o coverage.info
- uses: codecov/codecov-action@v4
- uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
with:
flags: lang-cpp
files: build/coverage.info
19 changes: 12 additions & 7 deletions .github/workflows/test_suite_python.yml
Expand Up @@ -44,26 +44,31 @@ jobs:
- "3" # Latest version
runs-on: ${{matrix.os}}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
submodules: recursive
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
- uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
- name: Run Cargo Clippy
run: cargo clippy
- name: Run Cargo Fmt
run: cargo fmt --check
- name: Run Cargo Deny
uses: EmbarkStudios/cargo-deny-action@v1
uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2
if: ${{ matrix.os == 'ubuntu-latest' }}
- name: Setup Python ${{matrix.python-version}}
id: setup-python
uses: actions/setup-python@v5
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: ${{matrix.python-version}}
cache: 'pip'
- name: Cache virtualenv
uses: actions/cache@v4
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version}}-${{ hashFiles('pyproject.toml') }}
path: .venv
Expand All @@ -85,7 +90,7 @@ jobs:
run: |
python -m ruff format --check .
- name: Build Rust
uses: PyO3/maturin-action@v1
uses: PyO3/maturin-action@6c040287d49afcbdb94da54484e3e17051e60e53 # v1.42.0
with:
command: develop
sccache: 'true'

