From 364a06c06ec14d3d7f8fe76c775805d61ccd6cc8 Mon Sep 17 00:00:00 2001
From: Brett Vickers
Date: Mon, 15 Jul 2024 21:49:06 -0700
Subject: [PATCH] Github actions: improve security
Add CodeQL security analysis of go code. Restrict GITHUB_TOKEN permissions. Pin actions to a SHA.
---
 .github/workflows/go.yml | 41 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index e446f98..73fbf55 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -2,10 +2,44 @@ name: Go
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
- build:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ with:
+ category: "/language:${{matrix.language}}"
+
+ build:
+ name: Build
 runs-on: ubuntu-latest
 strategy:
@@ -13,10 +47,11 @@ jobs:
 go-version: [ '1.21', '1.22.x' ]
 steps:
- - uses: actions/checkout@v4
+ - name: Checkout repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Go ${{ matrix.go-version }}
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ matrix.go-version }}
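Review bot: The `# v4.1.7` and `# v3.25.12` tails on the new `uses:` lines (checkout and the three codeql-action steps in the analyze job, and the checkout and setup-go pins in the second hunk) are documentation only; nothing verifies that the SHA actually resolves to that tag, and a SHA pin without an update process quietly freezes the CodeQL bundle at an aging version. The pins should be paired with an automated updater that bumps SHA and comment together, for example a `.github/dependabot.yml` entry with `package-ecosystem: github-actions`, and a comment at the top of the analyze job saying so, e.g. `# Actions are pinned to commit SHAs; the trailing "# vX.Y.Z" is informational only and is kept in sync with the SHA by the updater`. Two smaller points of style: `category: "/language:${{matrix.language}}"` drops the spaces that `${{ matrix.language }}` uses two steps earlier, and `actions: read` under the job-level `permissions` deserves a one-line comment noting why it is granted (the codeql-action documentation describes it as needed only for private repositories, so confirm whether this repository needs it). The build job's steps continue past the end of the first hunk.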