ci: Pin deps and limit token permissions (#1852)

* ci: Pin deps Fixes #1843 * permissions: read-all * Fix * Again * Again * pin rustup * Cannot pin ilammy/msvc-dev-cmd * Again * rustup * Again * Again * Fix merge * Again --------- Signed-off-by: Lars Eggert <lars@eggert.org>
mozilla · Apr 24, 2024 · 0a84268 · 0a84268
1 parent 17c45d8
commit 0a84268
Show file tree

Hide file tree

Showing 11 changed files with 52 additions and 29 deletions.
diff --git a/.github/actions/nss/action.yml b/.github/actions/nss/action.yml
@@ -49,14 +49,14 @@ runs:
     #
     # - name: Checkout NSPR
     #   if: env.BUILD_NSS == '1'
-    #   uses: actions/checkout@v4
+    #   uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
     #   with:
     #     repository: "nss-dev/nspr"
     #     path: ${{ github.workspace }}/nspr
 
     # - name: Checkout NSS
     #   if: env.BUILD_NSS == '1'
-    #   uses: actions/checkout@v4
+    #   uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
     #   with:
     #     repository: "nss-dev/nss"
     #     path: ${{ github.workspace }}/nss

diff --git a/.github/actions/pr-comment-data-export/action.yml b/.github/actions/pr-comment-data-export/action.yml
@@ -31,7 +31,7 @@ runs:
           echo "${{ inputs.log-url }}" > comment-data/log-url
         fi
     - if: github.event_name == 'pull_request'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: ${{ inputs.name }}
         path: comment-data

diff --git a/.github/actions/quic-interop-runner/action.yml b/.github/actions/quic-interop-runner/action.yml
@@ -24,7 +24,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout quic-interop/quic-interop-runner repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       with:
         repository: 'quic-interop/quic-interop-runner'
         path: 'quic-interop-runner'
@@ -74,7 +74,7 @@ runs:
         python run.py $ARGS 2>&1 | tee ../summary.txt || true
       shell: bash
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       id: upload-logs
       with:
         name: '${{ inputs.client }} vs. ${{ inputs.server }} logs'

diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -12,14 +12,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   actionlint:
     runs-on: ubuntu-latest
     defaults:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - name: Download actionlint
         id: get_actionlint
         run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

diff --git a/.github/workflows/bench-comment.yml b/.github/workflows/bench-comment.yml
@@ -12,6 +12,8 @@ on:
     types:
       - completed
 
+permissions: read-all
+
 jobs:
   comment:
     permissions:
@@ -21,7 +23,7 @@ jobs:
       github.event.workflow_run.event == 'pull_request' &&
       github.event.workflow_run.conclusion == 'success'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - uses: ./.github/actions/pr-comment
         with:
           name: bench

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
@@ -14,6 +14,8 @@ env:
   RUSTFLAGS: -C link-arg=-fuse-ld=lld -C link-arg=-Wl,--no-rosegment, -C force-frame-pointers=yes
   PERF_OPT: record -F997 --call-graph fp -g
 
+permissions: read-all
+
 jobs:
   bench:
     name: Benchmark
@@ -24,10 +26,10 @@ jobs:
 
     steps:
       - name: Checkout neqo
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Checkout msquic
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           repository: microsoft/msquic
           ref: main
@@ -60,7 +62,7 @@ jobs:
 
       - name: Download cached main-branch results
         id: criterion-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: ./target/criterion
           key: criterion-${{ runner.name }}-${{ github.sha }}
@@ -220,14 +222,14 @@ jobs:
 
       - name: Cache main-branch results
         if: github.ref == 'refs/heads/main'
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         with:
           path: ./target/criterion
           key: criterion-${{ runner.name }}-${{ github.sha }}
 
       - name: Export perf data
         id: export
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: ${{ github.event.repository.name }}-${{ github.sha }}
           path: |

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   check:
     name: Build & test
@@ -39,7 +41,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
 
       - name: Install dependencies (Linux)
         if: runner.os == 'Linux'
@@ -73,6 +75,8 @@ jobs:
       - name: Set up MSVC build environment (Windows)
         if: runner.os == 'Windows'
         uses: ilammy/msvc-dev-cmd@v1
+        # TODO: Would like to pin this, but the Mozilla org allowlist requires "ilammy/msvc-dev-cmd@v1*"
+        # uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 
       - name: Set up NSS/NSPR build environment (Windows)
         if: runner.os == 'Windows'
@@ -147,7 +151,7 @@ jobs:
         if: success() || failure()
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
         with:
           file: lcov.info
           fail_ci_if_error: false

diff --git a/.github/workflows/mutants.yml b/.github/workflows/mutants.yml
@@ -11,11 +11,13 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   mutants:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
         with:
           fetch-depth: 0
 
@@ -61,7 +63,7 @@ jobs:
           } > "$GITHUB_STEP_SUMMARY"
 
       - name: Archive mutants.out
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: always()
         with:
           name: mutants.out

diff --git a/.github/workflows/qns-comment.yml b/.github/workflows/qns-comment.yml
@@ -12,6 +12,8 @@ on:
     types:
       - completed
 
+permissions: read-all
+
 jobs:
   comment:
     permissions:
@@ -20,7 +22,7 @@ jobs:
     if: |
       github.event.workflow_run.event == 'pull_request'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - uses: ./.github/actions/pr-comment
         with:
           name: qns

diff --git a/.github/workflows/qns.yml b/.github/workflows/qns.yml
@@ -12,6 +12,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LATEST: neqo-latest
   DELIM: ' vs. '
@@ -25,15 +27,15 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+      - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+      - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+      - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
-      - uses: docker/metadata-action@v5
+      - uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         id: meta
         with:
           images: ghcr.io/${{ github.repository }}-qns
@@ -46,7 +48,7 @@ jobs:
             # set latest tag for default branch
             type=raw,value=latest,enable={{is_default_branch}}
 
-      - uses: docker/build-push-action@v5
+      - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         if: github.event_name != 'pull_request'
         with:
           push: true
@@ -57,7 +59,7 @@ jobs:
           cache-to: type=gha,mode=max
           platforms: 'linux/amd64, linux/arm64'
 
-      - uses: docker/build-push-action@v5
+      - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         if: github.event_name == 'pull_request'
         id: docker_build_and_push
         with:
@@ -69,7 +71,7 @@ jobs:
           platforms: 'linux/amd64'
           outputs: type=docker,dest=/tmp/${{ env.LATEST }}.tar
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: github.event_name == 'pull_request'
         with:
           name: '${{ env.LATEST }} Docker image'
@@ -155,7 +157,7 @@ jobs:
     needs: run-qns
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
       - uses: actions/download-artifact@v4
         with:
           pattern: '*results'

diff --git a/qns/Dockerfile b/qns/Dockerfile
@@ -1,4 +1,4 @@
-FROM martenseemann/quic-network-simulator-endpoint:latest AS buildimage
+FROM martenseemann/quic-network-simulator-endpoint@sha256:12596544531465e77bdede50dd1e85b2c46c00f1634b3445eed277ca177666db AS buildimage
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl git mercurial coreutils \
@@ -13,8 +13,15 @@ ENV RUSTUP_HOME=/usr/local/rustup \
     CARGO_HOME=/usr/local/cargo \
     PATH=/usr/local/cargo/bin:$PATH
 
-RUN curl https://sh.rustup.rs -sSf | \
-    sh -s -- -y -q --no-modify-path --profile minimal --default-toolchain $RUST_VERSION
+ADD --checksum=sha256:a3d541a5484c8fa2f1c21478a6f6c505a778d473c21d60a18a4df5185d320ef8 \
+    https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init x86_64_rustup
+
+ADD --checksum=sha256:76cd420cb8a82e540025c5f97bda3c65ceb0b0661d5843e6ef177479813b0367 \
+    https://static.rust-lang.org/rustup/dist/aarch64-unknown-linux-gnu/rustup-init aarch64_rustup
+
+RUN mv $(uname -m)_rustup rustup-init && \
+    chmod +x rustup-init && \
+    ./rustup-init -y -q --no-modify-path --profile minimal --default-toolchain $RUST_VERSION
 
 ENV NSS_DIR=/nss \
     NSPR_DIR=/nspr \
@@ -35,7 +42,7 @@ RUN set -eux; \
 
 # Copy only binaries to the final image to keep it small.
 
-FROM martenseemann/quic-network-simulator-endpoint:latest
+FROM martenseemann/quic-network-simulator-endpoint@sha256:12596544531465e77bdede50dd1e85b2c46c00f1634b3445eed277ca177666db
 
 ENV LD_LIBRARY_PATH=/neqo/lib
 COPY --from=buildimage /neqo/target/release/neqo-client /neqo/target/release/neqo-server /neqo/bin/