[#patch] harden workflows

notdodo · Dec 14, 2024 · e778425 · e778425
1 parent ad165ef
commit e778425
Show file tree

Hide file tree

Showing 10 changed files with 405 additions and 375 deletions.
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
@@ -72,15 +72,11 @@ jobs:
             api.github.com:443
             github.com:443
             ${{ inputs.egress-policy-allowlist }}
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
+      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
         # v3.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
+      - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
         # v3.7.1
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
@@ -89,7 +85,6 @@ jobs:
           registry: ${{ inputs.registry }}
           username: ${{ secrets.registry-username }}
           password: ${{ secrets.registry-password }}
-
       - name: Extract metadata (tags, labels) for Docker
         id: metadata
         uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96
@@ -99,7 +94,6 @@ jobs:
           tags: ${{ inputs.tags }}
           flavor: ${{ inputs.flavor }}
           labels: ${{ inputs.labels }}
-
       - name: Run Trivy Scan
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
         # v0.29.0
@@ -109,13 +103,11 @@ jobs:
           ignore-unfixed: 1
           output: ${{ inputs.working-directory }}/trivy_results.sarif
           github-pat: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload sarif
+      - name: Upload results
         uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
         # v2.19.0
         with:
           sarif_file: ${{ inputs.working-directory }}/trivy_results.sarif
-
       - name: Build and push
         id: push
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355
@@ -129,7 +121,6 @@ jobs:
           tags: ${{ steps.metadata.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
       - name: Generate artifact attestation
         if: inputs.push
         uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -11,7 +11,6 @@ on:
         type: string
         default: "ubuntu-latest"
 
-# Comments works only when the workflow is called on `pull_request:`
 jobs:
   gitleaks:
     name: gitleaks
@@ -34,6 +33,7 @@ jobs:
       - name: gitleaks
         uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3
         # v2.3.7
+        # Comments works only when the workflow is called on `pull_request:`
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITLEAKS_VERSION: latest
diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml
@@ -67,6 +67,8 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+            proxy.golang.org:443
+            sum.golang.org:443
             ${{ inputs.egress-policy-allowlist }}
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml
@@ -35,21 +35,18 @@ jobs:
             api.github.com:443
             github.com:443
             ${{ inputs.egress-policy-allowlist }}
-
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
         with:
           fetch-depth: 0
-
       - name: Run Gosec Security Scanner
-        # master to fetch latest checks
         # kics-scan ignore-line
         uses: securego/gosec@master
         with:
           args: "-no-fail -fmt sarif -out ${{ inputs.working-directory }}/results.sarif ${{ inputs.working-directory }}/..."
 
-      - name: Upload SARIF file
+      - name: Upload results
         uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
         # v2.19.0
         with:

diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
@@ -40,7 +40,6 @@ jobs:
             packages.wolfi.dev:443
             registry.npmjs.org:443
             ${{ inputs.egress-policy-allowlist }}
-
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
@@ -84,7 +83,6 @@ jobs:
             proxy.golang.org:443
             sum.golang.org:443
             ${{ inputs.egress-policy-allowlist }}
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
         with:
@@ -100,7 +98,6 @@ jobs:
           echo "$FILES" > "$GITHUB_WORKSPACE/files.txt"
           echo "FILES=$FILES" >> $GITHUB_OUTPUT
         shell: bash
-
       - if: steps.find-files.outputs.FILES != ''
         id: scan-files
         continue-on-error: true
@@ -109,7 +106,6 @@ jobs:
           CHECKMAKE_OUTPUT=$(checkmake ${{ steps.find-files.outputs.FILES }} --debug)
           echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT
         shell: bash
-
       - name: PR comment with file
         if: github.event_name == 'pull_request' && steps.scan-files.outputs.CHECKMAKE_OUTPUT != ''
         uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b

diff --git a/.github/workflows/local-docker-bp.yml b/.github/workflows/local-docker-bp.yml
@@ -7,7 +7,7 @@ on:
 
 jobs:
   build-push-docker-image:
-    uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v1
+    uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v0
     with:
       image: notdodo/auto-tagger
       platforms: linux/amd64

diff --git a/.github/workflows/local-python-ci.yml b/.github/workflows/local-python-ci.yml
@@ -24,7 +24,7 @@ jobs:
 
   build-docker-image:
     if: ${{ github.event_name == 'pull_request' }}
-    uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v1
+    uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v-
     with:
       image: notdodo/auto-tagger
       platforms: linux/amd64

diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
@@ -39,7 +39,6 @@ jobs:
             install.python-poetry.org:443
             pypi.org:443
             ${{ inputs.egress-policy-allowlist }}
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
         with:

diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
@@ -128,7 +128,7 @@ jobs:
           | tee clippy-results.sarif
           | sarif-fmt
         continue-on-error: true
-      - name: Upload analysis results to GitHub
+      - name: Upload results
         uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
         # v2.19.0
         with: