secure_workflows.yml
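name: Lockdown untrusted workflows

# PROCESS
#
# 1. Scans the workflow files for external GitHub Actions that are referenced
#    without a full commit SHA (@<commit-sha> rather than a movable ref
#    such as @v3).
# 2. Fails CI, which prevents the PR from being merged, when an unpinned
#    action is found.
#
# NOTE(review): no step in this file runs shellcheck on inline bash scripts.
# If that scan is expected, it has to be provided by another workflow.

# USAGE
#
# Triggered on push and on pull_request, but only when a file under
# .github/workflows/ changes. Changes elsewhere do not start this workflow.
#
# NOTE(review): on pull_request the workflow definition is taken from the PR
# itself, so a PR that edits this file (for example to widen the allowlist)
# is checked by its own modified copy. Changes to this file need human review.

on:
  push:
    paths:
      - ".github/workflows/**"
  pull_request:
    paths:
      - ".github/workflows/**"

# Default token scope for every job: read-only access to repository contents.
permissions:
  contents: read

jobs:
  enforce_pinned_workflows:
    name: Harden Security
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout code and subsequently GitHub action workflows
    steps:
      # Both actions below are pinned to a full commit SHA. The trailing
      # version comment is informational only and must be updated together
      # with the SHA.
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
      - name: Ensure 3rd party workflows have SHA pinned
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@74606c30450304eee8660aae751818321754feb1  # v3.0.9
        with:
          # Entries listed here are exempt from the SHA-pinning check, so
          # each one is an explicit trust decision and the list should stay
          # as short as possible.
          # NOTE(review): presumably slsa-github-generator is exempt because
          # its reusable workflows have to be referenced by tag, and
          # aws-powertools/actions because it is first-party - confirm.
          allowlist: |
            slsa-framework/slsa-github-generator
            aws-powertools/actions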