diff --git a/.github/workflows/automatePR.yml b/.github/workflows/automatePR.yml index 3f7d2b00b..62ad28d51 100644 --- a/.github/workflows/automatePR.yml +++ b/.github/workflows/automatePR.yml @@ -17,11 +17,11 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: repository: step-security/secure-repo diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml deleted file mode 100644 index cc70c82ed..000000000 --- a/.github/workflows/code-review.yml +++ /dev/null @@ -1,23 +0,0 @@ -name: Code Review -on: - pull_request: -permissions: - contents: read -jobs: - code-review: - runs-on: ubuntu-latest - permissions: - contents: read - pull-requests: read - steps: - - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - disable-sudo: true - egress-policy: block - allowed-endpoints: > - api.github.com:443 - int.api.stepsecurity.io:443 - - - name: Code Review - uses: step-security/ai-codewise@int diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dc85a5fa3..32fc2e5f2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,16 +41,16 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 + uses: github/codeql-action/init@bc02a25f6449997c5e9d5a368879b28f56ae19a1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 + uses: github/codeql-action/autobuild@bc02a25f6449997c5e9d5a368879b28f56ae19a1 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -76,6 +76,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 + uses: github/codeql-action/analyze@bc02a25f6449997c5e9d5a368879b28f56ae19a1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index a5c975123..2562cfc57 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -12,33 +12,51 @@ jobs: publish-test: permissions: contents: read + id-token: write runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 with: go-version: 1.17 - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_INT }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_INT }} - aws-region: us-west-2 - run: go test ./... -coverpkg=./... env: PAT: ${{ secrets.PAT }} + - uses: step-security/wait-for-secrets@084b3ae774c0e0003a9307ae4f487c10f1f998fe + id: wait-for-secrets + with: + slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} + secrets: | + AWS_ACCESS_KEY_ID_INT: + name: 'AWS access key id' + description: 'Access key id for secure-repo int' + AWS_SECRET_ACCESS_KEY_INT: + name: 'AWS secret access key' + description: 'Secret access key for secure-repo int' + AWS_SESSION_TOKEN_INT: + name: 'AWS session token' + description: 'Session token for secure-repo int' + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df + with: + aws-access-key-id: ${{ steps.wait-for-secrets.outputs.AWS_ACCESS_KEY_ID_INT }} + aws-secret-access-key: ${{ steps.wait-for-secrets.outputs.AWS_SECRET_ACCESS_KEY_INT }} + aws-session-token: ${{ steps.wait-for-secrets.outputs.AWS_SESSION_TOKEN_INT }} + aws-region: us-west-2 + - name: Deploy to AWS CloudFormation - uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4 + uses: aws-actions/aws-cloudformation-github-deploy@33527b83bddcf6b3f0b135d9550bde8475325c73 with: name: secure-workflow-api-ecr template: cloudformation/ecr.yml @@ -47,7 +65,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 - name: Build, tag, and push image to Amazon ECR env: @@ -59,7 +77,7 @@ jobs: docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - name: Deploy to AWS CloudFormation - uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4 + uses: aws-actions/aws-cloudformation-github-deploy@33527b83bddcf6b3f0b135d9550bde8475325c73 with: name: secure-workflow-api template: cloudformation/resources.yml diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml index 2ba765278..3f2f6c84b 100644 --- a/.github/workflows/kb-test.yml +++ b/.github/workflows/kb-test.yml @@ -14,7 +14,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: allowed-endpoints: > api.github.com:443 @@ -25,11 +25,11 @@ jobs: objects.githubusercontent.com:443 golang.org:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 with: go-version: 1.17 - name: Run coverage diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml index 7fcbd6221..90491fac6 100644 --- a/.github/workflows/kbanalysis.yml +++ b/.github/workflows/kbanalysis.yml @@ -22,11 +22,11 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: repository: step-security/secure-repo diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 612258ea0..7b4af1bec 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,15 +17,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 with: go-version: 1.17 @@ -33,7 +33,7 @@ jobs: env: PAT: ${{ secrets.PAT }} - - uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef + - uses: step-security/wait-for-secrets@084b3ae774c0e0003a9307ae4f487c10f1f998fe id: wait-for-secrets with: slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} @@ -49,7 +49,7 @@ jobs: description: 'Session token for secure-repo prod' - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e + uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df with: aws-access-key-id: ${{ steps.wait-for-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ steps.wait-for-secrets.outputs.AWS_SECRET_ACCESS_KEY }} @@ -57,7 +57,7 @@ jobs: aws-region: us-west-2 - name: Deploy to AWS CloudFormation - uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4 + uses: aws-actions/aws-cloudformation-github-deploy@33527b83bddcf6b3f0b135d9550bde8475325c73 with: name: secure-workflow-api-ecr template: cloudformation/ecr.yml @@ -66,7 +66,7 @@ jobs: - name: Login to Amazon ECR id: login-ecr - uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 - name: Build, tag, and push image to Amazon ECR env: @@ -78,7 +78,7 @@ jobs: docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - name: Deploy to AWS CloudFormation - uses: aws-actions/aws-cloudformation-github-deploy@72bea2c93ca6be253b71b5966ecde13f9e8af2d4 + uses: aws-actions/aws-cloudformation-github-deploy@33527b83bddcf6b3f0b135d9550bde8475325c73 with: name: secure-workflow-api template: cloudformation/resources.yml diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 77d93859a..0b9c84561 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,17 +32,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif @@ -64,7 +64,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@bc02a25f6449997c5e9d5a368879b28f56ae19a1 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 5f5d9702d..e2312af78 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,7 +16,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 with: egress-policy: audit allowed-endpoints: > @@ -31,17 +31,17 @@ jobs: objects.githubusercontent.com:443 golang.org:443 - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: ref: ${{ github.event.pull_request.head.sha }} - name: Set up Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 with: go-version: 1.17 - name: Run coverage run: go test ./... -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic env: PAT: ${{ secrets.GITHUB_TOKEN }} - - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 with: token: ${{ secrets.CODECOV_TOKEN }}