Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[StepSecurity] ci: Harden GitHub Actions #31

Merged

Conversation

step-security-bot
Copy link
Contributor

Summary

This is an automated pull request generated by Secure Workflows at the request of @muir. Please merge the Pull Request to incorporate the requested changes. Please tag @muir on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The least privilged token permissions were calculate using Secure WorkFlows based on the actions included in the GitHub Workflow files. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Pinned Dependencies

A pinned dependency is a dependency that is explicitly set to a specific hashed version instead of a mutable version. Pinned dependencis ensure that development and deployment are done with the same software versions which reduces deployment risks, and enables reproducibility. It can help mitigate compromised dependencies from undermining the security of the project in certain scenarios. The dependencies were pinned using Secure WorkFlows

Harden Runner

This PR adds Harden-Runner in GitHub actions workflows to improve security. It is an open-source purpose-built security monitoring agent for GitHub hosted runners. It monitors the runtime behavior of the build environment to provide security insights. Optionally, it can also lock down the build environment.

Keeping your actions up to date with Dependabot

The package ecosystem to update github-actions is added using Secure WorkFlows. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-workflows or contact us via our website.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@codecov-commenter
Copy link

codecov-commenter commented Oct 31, 2022

Codecov Report

Base: 81.36% // Head: 81.36% // No change to project coverage 👍

Coverage data is based on head (4442871) compared to base (31d65c5).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #31   +/-   ##
=======================================
  Coverage   81.36%   81.36%           
=======================================
  Files          12       12           
  Lines        1191     1191           
=======================================
  Hits          969      969           
  Misses        155      155           
  Partials       67       67           
Flag Coverage Δ
go_tests 9.65% <ø> (ø)
mysql_tests 49.45% <ø> (ø)
pg_tests 54.12% <ø> (ø)
singlestore_tests 47.43% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@muir muir temporarily deployed to singlestore November 1, 2022 04:01 Inactive
@muir muir merged commit 6efb9f6 into muir:main Nov 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants