From 544ee3e3be3b16793d8ab509d4e894a0eb51f010 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 3 Mar 2023 14:34:34 +0000 Subject: [PATCH 1/4] - Apply security best practices --- .github/dependabot.yml | 86 ++++++++++++++++++ .github/workflows/branch-delete-cleanup.yml | 14 ++- .github/workflows/build.yml | 32 +++++-- .github/workflows/ci-tests-n-coverage.yml | 38 +++++--- .github/workflows/codeql.yml | 78 ++++++++++++++++ .github/workflows/dependency-review.yml | 25 ++++++ .github/workflows/gh-pages.yml | 18 ++-- .github/workflows/js_wallet_publish.yml | 20 +++-- .github/workflows/mdlint-changed.yml | 11 ++- .github/workflows/nix.yml | 34 +++++-- .github/workflows/rust.yml | 90 +++++++++++++------ .github/workflows/scorecards-analysis.yml | 5 ++ .github/workflows/title-validation.yaml | 5 ++ src/jormungandr/ci/docker/Dockerfile | 2 +- src/jormungandr/docker/Dockerfile | 2 +- src/jormungandr/docker/alpine/Dockerfile | 2 +- .../docker/master/Dockerfile | 2 +- .../docker/soak_tests/Dockerfile | 2 +- .../snapshot-service-wormhole/Dockerfile | 2 +- .../docker/snapshot-service/Dockerfile | 2 +- src/vit-testing/docker/vitup/demo/Dockerfile | 2 +- src/vit-testing/docker/vitup/mock/Dockerfile | 2 +- 22 files changed, 401 insertions(+), 73 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..27fdf3f30e --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,86 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: cargo + directory: / + schedule: + interval: daily + + - package-ecosystem: pip + directory: /src/catalyst-toolbox/catalyst-toolbox/scripts/python + schedule: + interval: daily + + - package-ecosystem: npm + directory: /src/chain-wallet-libs/bindings/wallet-cordova + schedule: + interval: daily + + - package-ecosystem: npm + directory: /src/chain-wallet-libs/bindings/wallet-cordova/tests + schedule: + interval: daily + + - package-ecosystem: npm + directory: /src/chain-wallet-libs/bindings/wallet-wasm-js/js-test + schedule: + interval: daily + + - package-ecosystem: npm + directory: /src/chain-wallet-libs/bindings/wallet-wasm-js/js + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/jormungandr/ci/docker + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/jormungandr/docker + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/jormungandr/docker/alpine + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-servicing-station/docker/master + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-servicing-station/docker/soak_tests + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-testing/docker/snapshot-service-wormhole + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-testing/docker/snapshot-service + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-testing/docker/vitup/demo + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/vit-testing/docker/vitup/mock + schedule: + interval: daily + + - package-ecosystem: pip + directory: /utilities/ideascale-importer + schedule: + interval: daily 
diff --git a/.github/workflows/branch-delete-cleanup.yml b/.github/workflows/branch-delete-cleanup.yml index 24f57a975a..98a710de37 100644 --- a/.github/workflows/branch-delete-cleanup.yml +++ b/.github/workflows/branch-delete-cleanup.yml @@ -1,12 +1,22 @@ name: Branch Deleted on: delete +permissions: + contents: read + jobs: delete: + permissions: + contents: write # for stefanzweifel/git-auto-commit-action to push code in repo name: On branch deleted if: github.event.ref_type == 'branch' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Set env run: | GIT_BRANCH=$(echo ${{ github.event.ref }} | sed -e "s#refs/heads/##g") @@ -18,7 +28,7 @@ jobs: echo "Clean up for branch ${{ env.GIT_BRANCH }}" - name: Get current published documentation - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: gh-pages @@ -27,6 +37,6 @@ jobs: rm -rf ${{ env.GIT_BRANCH }} - name: Save updated docs - uses: stefanzweifel/git-auto-commit-action@v4 + uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a # v4.16.0 with: commit_message: Removed Draft Docs for ${{ env.GIT_BRANCH }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 3b1cfe0139..a743dacb03 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
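Review bot: The `Set env` step in the first hunk still interpolates `${{ github.event.ref }}` directly into the shell (`GIT_BRANCH=$(echo ${{ github.event.ref }} | sed -e "s#refs/heads/##g")`), and the third hunk's context line `rm -rf ${{ env.GIT_BRANCH }}` does the same, so a branch name containing shell metacharacters is executed as code by whoever can create and delete a branch in this repository; the added `contents: write` and Harden Runner do not change that. Pass the value through the environment and let the shell quote it: `env:` / `  REF: ${{ github.event.ref }}` on the step, then `GIT_BRANCH="${REF#refs/heads/}"` and `rm -rf -- "$GIT_BRANCH"`. The `run:` block of the `Set env` step continues past the end of the first hunk, so its remaining lines should be checked for the same pattern.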
@@ -31,13 +31,23 @@ env: SEGMENT_DOWNLOAD_TIMEOUT_MINS: 15 +permissions: + contents: read + jobs: cancel: + permissions: + actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows name: 'Cancel Previous Runs' runs-on: ubuntu-latest timeout-minutes: 3 steps: - - uses: styfle/cancel-workflow-action@0.11.0 + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: styfle/cancel-workflow-action@b173b6ec0100793626c2d9e6b90435061f4fc3e5 # 0.11.0 with: access_token: ${{ github.token }} @@ -45,18 +55,23 @@ jobs: name: Build Catalyst Core on Linux runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Install rust - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "build_cache" save-if: ${{ github.ref == 'refs/heads/main' }} @@ -74,6 +89,11 @@ jobs: env: CARGO_FLAGS: --verbose --locked steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code on PR # Workaround for the running out of disk space issue. See https://github.com/actions/runner-images/issues/1341 run: | 
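Review bot: The `Install rust` step in the `@@ -45,18 +55,23 @@` hunk pins `actions-rs/toolchain` to `16499b5e…` (`# v1.0.7`), but that action has had no release since v1.0.7 and, as far as I recall, still declares a deprecated Node 12 runtime; a SHA pin freezes that state, and the Dependabot `github-actions` entry added in this commit has nothing newer to bump it to. The same pin recurs in the Windows hunk (`@@ -119,7 +139,7 @@`), in both ci-tests-n-coverage jobs, and throughout rust.yml, so it is worth deciding once whether to keep it or to move to a maintained toolchain action (for example `dtolnay/rust-toolchain`) and pin that instead. Separately, the Linux build job checks out `${{ github.event.pull_request.head.sha }}` and then runs `cargo` on it; that is fine under `pull_request`, but if the trigger (outside these hunks) is `pull_request_target`, untrusted build scripts would run with the repository's token and secrets, so confirm which event is used.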
@@ -98,7 +118,7 @@ jobs: git config --system core.longpaths true - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: workspaces: "C:\\${{ github.event.repository.name }}" save-if: ${{ github.ref == 'refs/heads/main' }} @@ -119,7 +139,7 @@ jobs: "PQ_LIB_DIR=${env:PROGRAMFILES}\PostgreSQL\14\lib" >> $env:GITHUB_ENV - name: Install rust - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} diff --git a/.github/workflows/ci-tests-n-coverage.yml b/.github/workflows/ci-tests-n-coverage.yml index 5b60d7fd0c..2d6112c37b 100644 --- a/.github/workflows/ci-tests-n-coverage.yml +++ b/.github/workflows/ci-tests-n-coverage.yml @@ -19,8 +19,14 @@ concurrency: group: ${{ github.sha }} cancel-in-progress: true +permissions: + contents: read + jobs: unit-tests: + permissions: + checks: write # for coverallsapp/github-action to create new checks + contents: read # for actions/checkout to fetch code name: Unit Tests runs-on: ubuntu-latest needs: [integration-tests] 
@@ -38,26 +44,31 @@ jobs: ports: - 5432:5432 steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Install Rust toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} # it says it can read the rust-toolchain file, but it fails if we omit this components: llvm-tools-preview - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "build_cache" save-if: "false" - name: Install nextest - uses: taiki-e/install-action@nextest + uses: taiki-e/install-action@ddfbd2cab72fd94842c80ade93f28fe7ee9c71f8 # nextest - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + uses: taiki-e/install-action@cdc3afe6ed5a5d5870c227c04be4eeb43e48fc81 # cargo-llvm-cov - name: Install system deps run: @@ -102,7 +113,7 @@ jobs: cargo llvm-cov report --lcov --output-path ./lcov.info - name: Upload code coverage to coveralls.io - uses: coverallsapp/github-action@master + uses: coverallsapp/github-action@50c33ad324a9902697adbf2f92c22cf5023eacf1 # master with: github-token: ${{ secrets.GITHUB_TOKEN }} path-to-lcov: "./lcov.info" 
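Review bot: `coverallsapp/github-action` in the `@@ -102,7 +113,7 @@` hunk is pinned to `50c33ad…` with the comment `# master`, i.e. to an arbitrary commit on a moving branch rather than a tagged release; that is harder to audit than a release pin, and the `# <version>` comment convention that Dependabot uses to propose bumps does not apply to a branch name. Pin it to a tagged release of the action and put that tag in the comment. The two `taiki-e/install-action` pins in the `@@ -38,26 +44,31 @@` hunk (repeated in the `@@ -124,26 +135,31 @@` hunk and in rust.yml) have the same problem in a different form: `# nextest` and `# cargo-llvm-cov` are tool-selector refs, not versions, so a later reader cannot tell which action version the SHA corresponds to. Using the action's main ref with `with:` / `  tool: nextest` (resp. `cargo-llvm-cov`) keeps the tool selection explicit in the workflow and leaves a real version comment for Dependabot to update.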
@@ -124,26 +135,31 @@ jobs: ports: - 5432:5432 steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Install Rust toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} # it says it can read the rust-toolchain file, but it fails if we omit this components: llvm-tools-preview - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "build_cache" save-if: "false" - name: Install nextest - uses: taiki-e/install-action@nextest + uses: taiki-e/install-action@ddfbd2cab72fd94842c80ade93f28fe7ee9c71f8 # nextest - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + uses: taiki-e/install-action@cdc3afe6ed5a5d5870c227c04be4eeb43e48fc81 # cargo-llvm-cov - name: Install system deps run: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..3bc9e4f50e --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["javascript", "python"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - name: Checkout repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..01fed9a950 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
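Review bot: The `Autobuild` step is dead weight here: the matrix is `language: ["javascript", "python"]`, and the step's own comment says autobuild only builds compiled languages (C/C++, C#, Java), so it adds a step that can fail without improving the analysis; drop it, or keep it only if a compiled language is added to the matrix. More importantly, the matrix omits Rust even though the rest of this patch (rust.yml, build.yml, the `cargo` Dependabot entry) shows it is the repository's main language — CodeQL had no Rust support when this was written — so nobody should read the workflow name or header comment as covering the crates. A one-line comment above `language:` such as `# Rust is not a supported CodeQL language; the cargo crates are not analyzed by this workflow` would save the next reader the same investigation.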
@@ -0,0 +1,25 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - name: 'Checkout Repository' + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4065fcffa4..88fad73d49 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -2,6 +2,9 @@ name: GitHub Pages on: [push, pull_request] +permissions: + contents: read + jobs: deploy: name: Deploy GitHub Pages @@ -13,8 +16,13 @@ jobs: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout The Code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: fetch-depth: 0 
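Review bot: `actions/dependency-review-action` runs with its defaults in the last step of this hunk, which (as I recall from its documentation) fail on any advisory severity and apply no license policy; the header comment also makes clear the check only blocks merges once it is marked required, which is a branch-protection setting this commit cannot change, so the workflow is advisory until that is done. Consider setting the threshold explicitly (`fail-on-severity: moderate` or whatever the project wants) so the policy is visible in the file rather than implied by upstream defaults, and record the branch-protection step in the PR description.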
@@ -24,7 +32,7 @@ jobs: echo "GIT_BRANCH=$GIT_BRANCH" >> $GITHUB_ENV - name: Build Docs - uses: docker://ghcr.io/input-output-hk/catalyst-gh-tools:v1.3 + uses: docker://ghcr.io/input-output-hk/catalyst-gh-tools@sha256:d4d0beee1c85b8004f14775d60e7c612e5bdab1c14eb6ddcbcebce2a4903a44b # v1.3 with: entrypoint: cargo args: make build-docs @@ -34,7 +42,7 @@ jobs: - name: Deploy Docs id: deployAttempt continue-on-error: true - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3.9.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./book/html @@ -55,7 +63,7 @@ jobs: id: deployRetry1 if: steps.deployAttempt.outcome == 'failure' continue-on-error: true - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3.9.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./book/html @@ -72,7 +80,7 @@ jobs: - name: Deploy Docs id: deployRetry2 if: steps.deployRetry1.outcome == 'failure' - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3.9.2 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./book/html diff --git a/.github/workflows/js_wallet_publish.yml b/.github/workflows/js_wallet_publish.yml index 17a8a2598b..c42ec2a371 100644 --- a/.github/workflows/js_wallet_publish.yml +++ b/.github/workflows/js_wallet_publish.yml 
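Review bot: The top-level `permissions:` / `  contents: read` added in the `@@ -2,6 +2,9 @@` hunk now applies to the `deploy` job, yet all three `peaceiris/actions-gh-pages` steps in these hunks push to the `gh-pages` branch with `github_token: ${{ secrets.GITHUB_TOKEN }}`, which requires `contents: write`. Unless the `deploy` job already declares its own `permissions:` block in the lines between the first and second hunk (not visible here), the first deploy after this commit will fail on push; add `permissions:` / `  contents: write` under `deploy:` next to the new restrictive default, as the commit already does for branch-delete-cleanup.yml. The workflow also triggers on `[push, pull_request]`, so it is worth confirming that the deploy steps are guarded so a pull request cannot reach them with a write-capable token.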
@@ -13,12 +13,17 @@ jobs: upload_url: ${{ steps.create_release.outputs.upload_url }} version: ${{ steps.get_version.outputs.version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -45,14 +50,19 @@ jobs: ] steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: '16.x' registry-url: 'https://registry.npmjs.org' - name: Install wasm pack - uses: jetli/wasm-pack-action@v0.3.0 + uses: jetli/wasm-pack-action@f98777369a49686b132a9e8f0fdd59837bf3c3fd # v0.3.0 with: version: 'latest' diff --git a/.github/workflows/mdlint-changed.yml b/.github/workflows/mdlint-changed.yml index 0a900ba446..4c1e5525d6 100644 --- a/.github/workflows/mdlint-changed.yml +++ b/.github/workflows/mdlint-changed.yml 
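Review bot: This is the one workflow in the patch that receives Harden Runner and SHA pins but no `permissions:` block, so the release job (whose `actions/create-release` step needs `contents: write`) and the publish job keep whatever the repository's default token permissions are — unless lines 1–12 of the file, outside these hunks, already set them. Add the same top-level `permissions:` / `  contents: read` with a job-level `contents: write` on the release job. Note also that `actions/create-release` is no longer maintained upstream (the repository is archived), so the new pin at `0cb9c9b…` is a permanent freeze rather than something Dependabot can advance; a maintained release action, or `gh release create` with the same token, would be a better target for the pin.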
@@ -11,15 +11,20 @@ jobs: name: Markdown Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: fetch-depth: 0 - - uses: tj-actions/changed-files@v35 + - uses: tj-actions/changed-files@04124efe7560d15e11ea2ba96c0df2989f68f1f4 # v35.6.1 id: changed-files with: files: 'book/src/**/*.md' separator: "," - - uses: DavidAnson/markdownlint-cli2-action@v9 + - uses: DavidAnson/markdownlint-cli2-action@5b7c9f74fec47e6b15667b2cc23c63dff11e449e # v9.0.0 if: steps.changed-files.outputs.any_changed == 'true' with: globs: ${{ steps.changed-files.outputs.all_changed_files }} diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index aba2ae868a..574dc0caac 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -42,8 +42,13 @@ jobs: concurrency: group: ${{ github.workflow }} steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Standard Discovery - uses: divnix/std-action/discover@v0.0.4 + uses: divnix/std-action/discover@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4 id: discovery build-packages: needs: discover 
@@ -54,12 +59,17 @@ jobs: name: ${{ matrix.target.cell }} - ${{ matrix.target.name }} runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: ${{ env.AWS_ROLE_ARN }} aws-region: ${{ env.AWS_REGION }} - - uses: divnix/std-action/run@v0.0.4 + - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4 with: extra_nix_config: | ${{ needs.discover.outputs.nix_conf }} @@ -75,12 +85,17 @@ jobs: name: ${{ matrix.target.cell }} - ${{ matrix.target.name }} runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: ${{ env.AWS_ROLE_ARN }} aws-region: ${{ env.AWS_REGION }} - - uses: divnix/std-action/run@v0.0.4 + - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4 with: extra_nix_config: | ${{ needs.discover.outputs.nix_conf }} 
@@ -99,15 +114,20 @@ jobs: name: ${{ matrix.target.cell }} - ${{ matrix.target.name }} runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v1.7.0 + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 with: role-to-assume: ${{ env.AWS_ROLE_ARN }} aws-region: ${{ env.AWS_REGION }} - name: Configure Registry run: | aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin "${{ env.ECR_REGISTRY }}" - - uses: divnix/std-action/run@v0.0.4 + - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4 with: extra_nix_config: | ${{ needs.discover.outputs.nix_conf }} diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index f74bbb0def..4aa75aef4b 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -34,7 +34,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 3 steps: - - uses: styfle/cancel-workflow-action@0.11.0 + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: styfle/cancel-workflow-action@b173b6ec0100793626c2d9e6b90435061f4fc3e5 # 0.11.0 with: access_token: ${{ github.token }} @@ -42,6 +47,11 @@ jobs: name: Build test dependencies runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Free disk space # https://github.com/actions/virtual-environments/issues/709 run: | 
@@ -53,17 +63,17 @@ jobs: df -h - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Install rust toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "test_cache" save-if: ${{ github.ref == 'refs/heads/main' }} @@ -77,7 +87,7 @@ jobs: cargo build -p vit-servicing-station-cli -p vit-servicing-station-server -p jcli -p jormungandr -p explorer - name: Save external dependencies - uses: actions/cache/save@v3 + uses: actions/cache/save@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 with: path: | target/debug/vit-servicing-station-cli @@ -92,6 +102,11 @@ jobs: name: Build test artifacts runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Free disk space # https://github.com/actions/virtual-environments/issues/709 run: | 
@@ -103,23 +118,23 @@ jobs: df -h - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Install rust toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "test_cache" save-if: ${{ github.ref == 'refs/heads/main' }} - name: Install nextest - uses: taiki-e/install-action@nextest + uses: taiki-e/install-action@ddfbd2cab72fd94842c80ade93f28fe7ee9c71f8 # nextest - name: Install dependencies run: @@ -129,7 +144,7 @@ jobs: run: cargo nextest archive --archive-file nextest-archive.tar.zst - name: Save test archive - uses: actions/cache/save@v3 + uses: actions/cache/save@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 with: path: nextest-archive.tar.zst key: nextest-archive-${{ github.run_id }}-${{ github.run_attempt }} @@ -155,6 +170,11 @@ jobs: matrix: partition: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10] steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Free disk space # https://github.com/actions/virtual-environments/issues/709 run: | 
@@ -166,31 +186,31 @@ jobs: df -h - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Install rust toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "test_cache" save-if: ${{ github.ref == 'refs/heads/main' }} - name: Restore test archive id: archive-cache - uses: actions/cache/restore@v3 + uses: actions/cache/restore@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 with: path: nextest-archive.tar.zst key: nextest-archive-${{ github.run_id }}-${{ github.run_attempt }} - name: Restore external dependencies id: deps-cache - uses: actions/cache/restore@v3 + uses: actions/cache/restore@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 with: path: | target/debug/vit-servicing-station-cli @@ -201,7 +221,7 @@ jobs: key: deps-${{ github.run_id }}-${{ github.run_attempt }} - name: Install nextest - uses: taiki-e/install-action@nextest + uses: taiki-e/install-action@ddfbd2cab72fd94842c80ade93f28fe7ee9c71f8 # nextest - name: Install dependencies run: @@ -233,6 +253,11 @@ jobs: name: Final test results needs: catalyst-core-tests steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - run: | result="${{ needs.catalyst-core-tests.result }}" if [[ $result == "success" ]]; then 
@@ -249,8 +274,13 @@ jobs: needs: catalyst-core-tests if: always() steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} @@ -270,20 +300,25 @@ jobs: name: Wallet JS Binding Tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: stable - - uses: actions/setup-node@v3 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: 19 - - uses: actions/setup-node@v3 + - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: 19 - - uses: jetli/wasm-pack-action@v0.3.0 + - uses: jetli/wasm-pack-action@f98777369a49686b132a9e8f0fdd59837bf3c3fd # v0.3.0 with: version: 'latest' @@ -309,6 +344,11 @@ jobs: name: Clippy runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Free disk space # https://github.com/actions/virtual-environments/issues/709 run: | 
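Review bot: In the `@@ -270,20 +300,25 @@` hunk the wallet JS job still has two consecutive identical `actions/setup-node` steps (`node-version: 19` both times); the commit pinned both to `64ed1c7e…`, but the second is redundant and can simply be deleted. While touching it, quoting the version (`node-version: '19'`) would match the `'16.x'` style used in js_wallet_publish.yml and avoid YAML number parsing if the value ever becomes `19.x`-like. The job's remaining steps continue beyond the hunk.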
@@ -320,12 +360,12 @@ jobs: df -h - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: ref: ${{ github.event.pull_request.head.sha }} - name: Cache rust - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1 with: shared-key: "build_cache" save-if: ${{ github.ref == 'refs/heads/main' }} @@ -335,7 +375,7 @@ jobs: sudo apt install -y protobuf-compiler libssl-dev libpq-dev libsqlite3-dev pkg-config - name: Clippy and fmt - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: toolchain: ${{env.RUST_LATEST_STABLE_VERSION}} components: rustfmt, clippy diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index b954ee6614..0cb6f69608 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -17,6 +17,11 @@ jobs: # Needed to access OIDC token. id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: "Checkout code" uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 with: diff --git a/.github/workflows/title-validation.yaml b/.github/workflows/title-validation.yaml index 0248f563da..c4782db5bf 100644 --- a/.github/workflows/title-validation.yaml +++ b/.github/workflows/title-validation.yaml 
@@ -19,6 +19,11 @@ jobs:
 pull-requests: read
 statuses: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: amannn/action-semantic-pull-request@505e44b4f33b4c801f063838b3f053990ee46ea7 # v4.6.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/src/jormungandr/ci/docker/Dockerfile b/src/jormungandr/ci/docker/Dockerfile
index c3362e0f23..483bdfaf58 100644
--- a/src/jormungandr/ci/docker/Dockerfile
+++ b/src/jormungandr/ci/docker/Dockerfile
@@ -1,3 +1,3 @@
-FROM rust:1.55-slim
+FROM rust:1.55-slim@sha256:1ee75015d02a52243217fd9e9e9ca4482ce677dc31e0248d80b4b7ce485a2cbb
 RUN apt-get update && apt-get install -y pkg-config libssl-dev && apt-get clean
 RUN cargo install cargo-audit
diff --git a/src/jormungandr/docker/Dockerfile b/src/jormungandr/docker/Dockerfile
index 2974c47497..ccdfbe04ea 100644
--- a/src/jormungandr/docker/Dockerfile
+++ b/src/jormungandr/docker/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a jormungandr and start in genesis mode
-FROM ubuntu:cosmic
+FROM ubuntu:cosmic@sha256:7d657275047118bb77b052c4c0ae43e8a289ca2879ebfa78a703c93aa8fd686c
 LABEL MAINTAINER IOHK
 LABEL description="Jormungandr latest"
diff --git a/src/jormungandr/docker/alpine/Dockerfile b/src/jormungandr/docker/alpine/Dockerfile
index 3ffd94b5f3..9894489a2a 100644
--- a/src/jormungandr/docker/alpine/Dockerfile
+++ b/src/jormungandr/docker/alpine/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a jormungandr and start in genesis mode
-FROM alpine:3.9.4
+FROM alpine:3.9.4@sha256:7746df395af22f04212cd25a92c1d6dbc5a06a0ca9579a229ef43008d4d1302a
 LABEL MAINTAINER IOHK
 LABEL description="Jormungandr"
diff --git a/src/vit-servicing-station/docker/master/Dockerfile b/src/vit-servicing-station/docker/master/Dockerfile
index 5652fc1738..dd4508cf32 100644
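Review bot: The digest pin on `FROM ubuntu:cosmic@sha256:…` freezes a base image whose release (Ubuntu 18.10) reached end of life in 2019 and receives no security updates, so the pin makes a known-stale base permanent rather than merely reproducible. The `alpine:3.9.4` pin in the next hunk has the same problem, since the 3.9 branch is also out of support. Pinning is the right move, but the tag should first be moved to a supported release and only then digest-pinned, i.e. `FROM ubuntu:<supported-tag>@sha256:<digest-of-that-tag>` (placeholders), otherwise the digest only certifies that an unpatched image is the one being built from.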
--- a/src/vit-servicing-station/docker/master/Dockerfile
+++ b/src/vit-servicing-station/docker/master/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a vit server
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="Vit servicing station server"
diff --git a/src/vit-servicing-station/docker/soak_tests/Dockerfile b/src/vit-servicing-station/docker/soak_tests/Dockerfile
index a2ef87a321..d0544e5dd6 100644
--- a/src/vit-servicing-station/docker/soak_tests/Dockerfile
+++ b/src/vit-servicing-station/docker/soak_tests/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a vit server
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="VIT server soak tests"
diff --git a/src/vit-testing/docker/snapshot-service-wormhole/Dockerfile b/src/vit-testing/docker/snapshot-service-wormhole/Dockerfile
index f156668676..6c57ed059b 100644
--- a/src/vit-testing/docker/snapshot-service-wormhole/Dockerfile
+++ b/src/vit-testing/docker/snapshot-service-wormhole/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a catalyst voting backend
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="Catalyst Disruption backend"
diff --git a/src/vit-testing/docker/snapshot-service/Dockerfile b/src/vit-testing/docker/snapshot-service/Dockerfile
index 3df0d94811..afaccc48ec 100644
--- a/src/vit-testing/docker/snapshot-service/Dockerfile
+++ b/src/vit-testing/docker/snapshot-service/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a catalyst voting backend
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="Catalyst Snapshot Service"
diff --git a/src/vit-testing/docker/vitup/demo/Dockerfile b/src/vit-testing/docker/vitup/demo/Dockerfile
index ca792d8b74..503f5b4514 100644
--- a/src/vit-testing/docker/vitup/demo/Dockerfile
+++ b/src/vit-testing/docker/vitup/demo/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a jormungandr voting backend
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="Jormungandr Voting backend"
diff --git a/src/vit-testing/docker/vitup/mock/Dockerfile b/src/vit-testing/docker/vitup/mock/Dockerfile
index ba3e26178d..ebb80ed8f1 100644
--- a/src/vit-testing/docker/vitup/mock/Dockerfile
+++ b/src/vit-testing/docker/vitup/mock/Dockerfile
@@ -1,6 +1,6 @@
 # Simple dockerfile example to build a catalyst voting backend
-FROM ubuntu:18.04
+FROM ubuntu:18.04@sha256:1e32b9c52e8f22769df41e8f61066c77b2b35b0a423c4161c0e48eca2fd24f75
 LABEL MAINTAINER IOHK
 LABEL description="Catalyst Disruption backend"
From 8e1af7d8809cac47be0f4249fa2377ec55c0cb8c Mon Sep 17 00:00:00 2001
From: minikin
Date: Fri, 3 Mar 2023 15:37:52 +0100
Subject: [PATCH 2/4] chore: Update dependabot
---
 .github/dependabot.yml | 79 ++----------------------------------------
 1 file changed, 2 insertions(+), 77 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 27fdf3f30e..14d423184b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,84 +3,9 @@ updates:
 - package-ecosystem: github-actions
 directory: /
 schedule:
- interval: daily
+ interval: monthly
 - package-ecosystem: cargo
 directory: /
 schedule:
- interval: daily
-
- - package-ecosystem: pip
- directory: /src/catalyst-toolbox/catalyst-toolbox/scripts/python
- schedule:
- interval: daily
-
- - package-ecosystem: npm
- directory: /src/chain-wallet-libs/bindings/wallet-cordova
- schedule:
- interval: daily
-
- - package-ecosystem: npm
- directory: /src/chain-wallet-libs/bindings/wallet-cordova/tests
- schedule:
- interval: daily
-
- - package-ecosystem: npm
- directory: /src/chain-wallet-libs/bindings/wallet-wasm-js/js-test
- schedule:
- interval: daily
-
- - package-ecosystem: npm
- directory: /src/chain-wallet-libs/bindings/wallet-wasm-js/js
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/jormungandr/ci/docker
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/jormungandr/docker
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/jormungandr/docker/alpine
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-servicing-station/docker/master
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-servicing-station/docker/soak_tests
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-testing/docker/snapshot-service-wormhole
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-testing/docker/snapshot-service
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-testing/docker/vitup/demo
- schedule:
- interval: daily
-
- - package-ecosystem: docker
- directory: /src/vit-testing/docker/vitup/mock
- schedule:
- interval: daily
-
- - package-ecosystem: pip
- directory: /utilities/ideascale-importer
- schedule:
- interval: daily
+ interval: monthly
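Review bot: Removing the docker, npm and pip ecosystems means the `@sha256:` digests added to every Dockerfile in the first patch of this series, and the JS and Python dependency trees, will no longer get automated update PRs, so those pins turn from managed into frozen. If the goal is less noise, the same effect with far less loss is to keep the entries and switch them to `interval: monthly` as done here for github-actions and cargo, optionally with `open-pull-requests-limit` per ecosystem. If dropping them is deliberate, the commit message ("chore: Update dependabot") should say why, since nothing in the diff explains it.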
From 6286ea928c197dd8b3f6c744b005e2f7df71a0a6 Mon Sep 17 00:00:00 2001
From: minikin
Date: Mon, 6 Mar 2023 12:46:30 +0100
Subject: [PATCH 3/4] Update gh-pages.yml
---
 .github/workflows/gh-pages.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 88fad73d49..bb65599e07 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@@ -2,9 +2,6 @@ name: GitHub Pages
 on: [push, pull_request]
-permissions:
- contents: read
-
 jobs:
 deploy:
 name: Deploy GitHub Pages
From 19a37d1915670cd86f82cb01aa5b95cb03a17a73 Mon Sep 17 00:00:00 2001
From: minikin
Date: Mon, 6 Mar 2023 12:53:28 +0100
Subject: [PATCH 4/4] Update nix.yml
---
 .github/workflows/nix.yml | 36 ++++++++----------------------------
 1 file changed, 8 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 574dc0caac..bc0daa98e4 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -42,13 +42,8 @@ jobs:
 concurrency:
 group: ${{ github.workflow }}
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
 - name: Standard Discovery
- uses: divnix/std-action/discover@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4
+ uses: divnix/std-action/discover@v0.0.4
 id: discovery
 build-packages:
 needs: discover
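Review bot: Deleting the workflow-level `permissions:` block hands the GITHUB_TOKEN back to the repository default, which may be read/write on every scope, and the workflow also runs on `pull_request`, so that wider token is minted for PR builds too. If the deploy job needs to push to the pages branch, the narrower fix is to keep `contents: read` at the top and grant the write scope on the job alone, e.g. `permissions:` / `contents: write` under `deploy:`. The body of the deploy job lies outside this hunk, so I cannot confirm which scope it actually needs; whatever it is, the commit message should state why the top-level restriction was removed.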
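Review bot: `divnix/std-action/discover` goes back from a commit SHA to the mutable tag `v0.0.4`, which undoes the pin the first patch in this series introduced: a tag can be re-pointed at different code without any change visible here, whereas the SHA could not. The same reversion is made for `divnix/std-action/run` and `aws-actions/configure-aws-credentials` in the three hunks that follow. If the SHA-pinned form broke the workflow, that reason belongs in the commit message; otherwise keep `uses: divnix/std-action/discover@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4`. Dropping the Harden Runner step from these jobs also removes the egress audit added earlier in the series, again without a stated reason.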
@@ -59,17 +54,12 @@ jobs:
 name: ${{ matrix.target.cell }} - ${{ matrix.target.name }}
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@v1.7.0
 with:
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 aws-region: ${{ env.AWS_REGION }}
- - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4
+ - uses: divnix/std-action/run@v0.0.4
 with:
 extra_nix_config: |
 ${{ needs.discover.outputs.nix_conf }}
@@ -85,17 +75,12 @@ jobs:
 name: ${{ matrix.target.cell }} - ${{ matrix.target.name }}
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@v1.7.0
 with:
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 aws-region: ${{ env.AWS_REGION }}
- - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4
+ - uses: divnix/std-action/run@v0.0.4
 with:
 extra_nix_config: |
 ${{ needs.discover.outputs.nix_conf }}
@@ -114,23 +99,18 @@ jobs:
 name: ${{ matrix.target.cell }} - ${{ matrix.target.name }}
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
+ uses: aws-actions/configure-aws-credentials@v1.7.0
 with:
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 aws-region: ${{ env.AWS_REGION }}
 - name: Configure Registry
 run: |
 aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin "${{ env.ECR_REGISTRY }}"
- - uses: divnix/std-action/run@ee2bde0566b88637cbf47b8efedb6a5063caadd1 # v0.0.4
+ - uses: divnix/std-action/run@v0.0.4
 with:
 extra_nix_config: |
 ${{ needs.discover.outputs.nix_conf }}
 json: ${{ toJSON(matrix.target) }}
 nix_key: ${{ secrets.NIX_SIGNING_KEY }}
- cache: ${{ env.S3_CACHE }}
+ cache: ${{ env.S3_CACHE }}
\ No newline at end of file
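Review bot: The final `cache: ${{ env.S3_CACHE }}` line is rewritten only to drop the file's trailing newline (`\ No newline at end of file`), a whitespace-only change that will resurface as noise in every later diff of this file and trips linters that require a terminating newline. Restoring the newline leaves that line untouched and shrinks the hunk to the two action unpins. The job this hunk belongs to starts before the hunk.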