chore(ci): Apply security best practices (#181)
Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: StepSecurity Bot <[email protected]>
gtema and step-security-bot authored Apr 26, 2024
1 parent edab9d5 commit adba86b
Showing 10 changed files with 92 additions and 28 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/audit.yml
Expand Up @@ -32,9 +32,14 @@ jobs:
continue-on-error: ${{ matrix.checks == 'advisories' }}

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- uses: EmbarkStudios/cargo-deny-action@v1
- uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
with:
command: check ${{ matrix.checks }}
rust-version: stable
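Review bot: `egress-policy: audit` under `with:` in the new Harden Runner step only records outbound connections from the runner; it blocks nothing, so the step adds visibility but no enforcement. Once a few runs have produced an audit log, switch to `egress-policy: block` together with an `allowed-endpoints:` list so that a connection to an unexpected destination fails the job instead of being logged. The same audit-only setting is used by every Harden Runner step this commit adds (cache-clean, committed, functional, linters, mdbook, release-plz, rust and scorecard), so the follow-up applies to all of them. The job header of this workflow is outside the hunk.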
5 changes: 5 additions & 0 deletions .github/workflows/cache-clean.yml
Expand Up @@ -8,6 +8,11 @@ jobs:
cleanup:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Cleanup
run: |
gh extension install actions/gh-actions-cache
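Review bot: The pinning stops at the `uses:` references and does not reach the `gh extension install actions/gh-actions-cache` line directly after the new Harden Runner step; it still installs whatever the extension's default branch holds at run time, with nothing to compare against. Pin it as well, e.g. `gh extension install actions/gh-actions-cache --pin <tag-or-commit>`, so the job is treated like the action references elsewhere in this commit. `cargo install clippy-sarif sarif-fmt` in linters.yml is the same kind of unpinned fetch and would take a `--version` pin. The Cleanup step's `run:` block continues below the hunk.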
9 changes: 7 additions & 2 deletions .github/workflows/committed.yml
Expand Up @@ -14,10 +14,15 @@ jobs:
runs-on: ubuntu-latest
steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout Actions Repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0

- name: Lint Commits
uses: crate-ci/committed@master
uses: crate-ci/committed@66dc85031ca0f032d54a71a1e9abe15dd2f57741 # master
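Review bot: `crate-ci/committed@66dc85031ca0f032d54a71a1e9abe15dd2f57741 # master` pins to an arbitrary snapshot of the default branch rather than a release, and `crate-ci/typos@… # master` in linters.yml does the same. A SHA pin is still an improvement over `@master`, but a reader cannot tell which behaviour the snapshot corresponds to, and an update bot that follows the trailing comment will keep advancing the pin to whatever the branch head is. Prefer the commit of a tagged release with the tag in the comment, `# vX.Y.Z` for whichever release is current, so the pin has a reviewable meaning.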
13 changes: 9 additions & 4 deletions .github/workflows/functional.yml
Expand Up @@ -27,10 +27,15 @@ jobs:
name: Functional tests on OpenStack ${{ matrix.name }}
steps:

- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Cache
uses: actions/[email protected]
uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
with:
path: |
~/.cargo/bin/
Expand All @@ -45,14 +50,14 @@ jobs:
${{ runner.os }}-
- name: Deploy devstack
uses: EmilienM/[email protected]
uses: EmilienM/devstack-action@e82a9cbead099cba72f99537e82a360c3e319c69 # v0.15
with:
branch: ${{ matrix.openstack_version }}
enabled_services: swift
log_dir: /tmp/devstack-logs

- name: Install Rust
uses: dtolnay/rust-toolchain@stable
uses: dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable
with:
toolchain: stable

33 changes: 24 additions & 9 deletions .github/workflows/linters.yml
Expand Up @@ -20,15 +20,20 @@ jobs:
name: Run rustfmt on the minimum supported toolchain
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Install Rust ${{ env.rust_min }}
uses: dtolnay/rust-toolchain@stable
uses: dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable
with:
toolchain: ${{ env.rust_min }}
components: rustfmt

- uses: Swatinem/rust-cache@v2
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3

- name: Run rustfmt
run: cargo fmt -- --check
Expand All @@ -41,18 +46,23 @@ jobs:
security-events: write
steps:

- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Install Rust ${{ env.rust_min }}
uses: dtolnay/rust-toolchain@stable
uses: dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable
with:
toolchain: ${{ env.rust_min }}
components: rustfmt, clippy

- name: Install required cargo
run: cargo install clippy-sarif sarif-fmt

- uses: Swatinem/rust-cache@v2
- uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3

- name: Run rust-clippy
run:
Expand All @@ -63,7 +73,7 @@ jobs:
continue-on-error: true

- name: Upload analysis results to GitHub
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
with:
sarif_file: rust-clippy-results.sarif
wait-for-processing: true
Expand All @@ -72,10 +82,15 @@ jobs:
name: Spell Check with Typos
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout Actions Repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Check spelling of file.txt
uses: crate-ci/typos@master
uses: crate-ci/typos@f2c1f08a7b3c1b96050cb786baaa2a94797bdb7d # master
with:
config: _typos.toml
18 changes: 14 additions & 4 deletions .github/workflows/mdbook.yml
Expand Up @@ -31,19 +31,24 @@ jobs:
env:
MDBOOK_VERSION: 0.4.21
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
- name: Install mdBook
run: |
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh
rustup update
cargo install --version ${MDBOOK_VERSION} mdbook
- name: Setup Pages
id: pages
uses: actions/configure-pages@v4
uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
- name: Build with mdBook
run: mdbook build doc
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: ./doc/html

Expand All @@ -55,6 +60,11 @@ jobs:
runs-on: ubuntu-latest
needs: build
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
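Review bot: The Install mdBook step just below the new checkout still bootstraps Rust with `curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh`, an unpinned and unverified download executed directly, so the hardening applied to the `uses:` references leaves the largest fetch in the build job untouched. The other workflows in this commit already use the pinned `dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable` action; an `- name: Install Rust` step using that reference, followed by `run: cargo install --version ${MDBOOK_VERSION} mdbook`, would make this workflow consistent with them and remove the remote script and the `rustup update` line entirely. Separately, the trailing `-y` on the curl line is consumed by curl (its `-y` option expects a numeric argument), not by the installer, which looks like a misplaced non-interactive flag; if the curl form is kept, `sh -s -- -y` is where the installer expects it.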
13 changes: 9 additions & 4 deletions .github/workflows/release-plz.yml
Expand Up @@ -16,20 +16,25 @@ jobs:
steps:
# Generating a GitHub token, so that PRs and tags created by
# the release-plz-action can trigger actions workflows.
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Generate GitHub token
uses: actions/create-github-app-token@v1
uses: actions/create-github-app-token@7bfa3a4717ef143a604ee0a99d859b8886a96d00 # v1.9.3
id: generate-token
with:
app-id: ${{ secrets.APP_ID }} # <-- GitHub App ID secret name
private-key: ${{ secrets.APP_PRIVATE_KEY }} # <-- GitHub App private key secret name
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
with:
fetch-depth: 0
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
uses: dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable
- name: Run release-plz
uses: MarcoIeni/[email protected]
uses: MarcoIeni/release-plz-action@a6a23fd7bb7db7cf2912d029703ed80932cf94fa # v0.5.52
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
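Review bot: The new Harden Runner step was inserted directly beneath the comment `# Generating a GitHub token, so that PRs and tags created by` / `# the release-plz-action can trigger actions workflows.`, so that comment now describes the wrong step; move the two comment lines down so they sit immediately above `- name: Generate GitHub token`. Separately, the Install Rust toolchain step's `dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable` has no `with: toolchain:` input, unlike the other workflows in this commit; after pinning, the toolchain selected presumably depends on the default carried by that commit's action.yml rather than on the `stable` ref name, so stating `with:` / `toolchain: stable` explicitly removes the dependency on which branch the SHA was taken from.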
11 changes: 8 additions & 3 deletions .github/workflows/rust.yml
Expand Up @@ -15,15 +15,20 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

- name: Install Rust
uses: dtolnay/rust-toolchain@stable
uses: dtolnay/rust-toolchain@032431f26ad14217b24e529fa2ab72cf558de38b # stable
with:
toolchain: stable

- name: Rust Cache
uses: Swatinem/rust-cache@v2
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3

- name: Build
run: cargo build --verbose
5 changes: 5 additions & 0 deletions .github/workflows/scorecard.yml
Expand Up @@ -31,6 +31,11 @@ jobs:
# actions: read

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
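Review bot: `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` on the context line after the new Harden Runner step is left at a different pinned revision than the `0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4` this commit sets for the same action in the other workflows, so the repository now carries two pins for one action. Align it to the same commit so future bumps are one search-and-replace and reviewers see a single version of checkout in use. The `with:` block of that step continues past the hunk.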
4 changes: 4 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -31,3 +31,7 @@ repos:
types: [rust]
minimum_pre_commit_version: 2.21.0
require_serial: true
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
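Review bot: `rev: v8.16.3` on the new gitleaks hook is a tag, which the upstream repository can move, while the rest of this commit pins references to immutable commits; pre-commit accepts a full commit SHA in `rev`, so `rev: <full commit sha of the chosen release>` with the tag in a trailing comment would match the policy being applied. Also confirm that the tag is a current gitleaks release rather than an older one, since the value presumably came from a template. Whether pre-commit runs in CI is not visible on this page; if it does not, the hook only guards developers' local commits and a secret-scanning step in a workflow would be needed for the same coverage on pull requests.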
