apply security best practices (#44)

## Summary Configure workflow files to align with security best practices for the GitHub workflows.
redhat-cop · Dec 13, 2024 · 471e92d · 471e92d
1 parent 10ffb78
commit 471e92d
Show file tree

Hide file tree

Showing 12 changed files with 101 additions and 15 deletions.
diff --git a/.github/workflows/ansible-lint-github-hosted.yml b/.github/workflows/ansible-lint-github-hosted.yml
@@ -3,7 +3,11 @@ name: Ansible Lint on GitHub-Hosted Runner
 run-name: ansible-lint validation on PR-${{ github.event.pull_request.number }}
 on:
   pull_request:
-    branches: ["main", "devel"]
+    branches: ["main"]
+
+permissions:
+  contents: read
+
 jobs:
   ansible-lint:
     name: Ansible Lint

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -4,7 +4,7 @@ run-name: Deploy to GitHub Pages
 on:
   push:
     branches:
-      - devel
+      - main
 
 permissions:
   contents: read

diff --git a/.github/workflows/issues-close-inactive.yml b/.github/workflows/issues-close-inactive.yml
@@ -6,8 +6,14 @@ on:
   schedule:
     - cron: "0 6 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   close-inactive-issues:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: close-issues

diff --git a/.github/workflows/issues-find-inactive.yml b/.github/workflows/issues-find-inactive.yml
@@ -6,8 +6,14 @@ on:
   schedule:
     - cron: "0 5 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   check-inactive:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: check-inactive

diff --git a/.github/workflows/issues-notify-inactive.yml b/.github/workflows/issues-notify-inactive.yml
@@ -6,8 +6,14 @@ on:
   issues:
     types: [labeled]
 
+permissions:
+  contents: read
+
 jobs:
   issue-labeled:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: Create comment

diff --git a/.github/workflows/issues-remove-inactive.yml b/.github/workflows/issues-remove-inactive.yml
@@ -8,8 +8,14 @@ on:
   issue_comment:
     types: [created, edited]
 
+permissions:
+  contents: read
+
 jobs:
   remove-inactive:
+    permissions:
+      issues: write  # for actions-cool/issues-helper to update issues
+      pull-requests: write  # for actions-cool/issues-helper to update PRs
     runs-on: ubuntu-latest
     steps:
       - name: remove inactive

diff --git a/.github/workflows/token_refresh_automation_hub.yml b/.github/workflows/token_refresh_automation_hub.yml
@@ -5,10 +5,18 @@ on:
   schedule:
     - cron: "0 12 1,15 * *"  # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
-  refresh:
-    uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
-    with:
-      environment: release
-    secrets:
-      ah_token: ${{ secrets.RH_AUTOMATION_HUB_TOKEN }}
+refresh:
+  runs-on: ubuntu-latest
+  steps:
+    - name: Refresh the automation hub token
+      run: >-
+        curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+        -d grant_type=refresh_token
+        -d client_id=cloud-services
+        -d refresh_token="${{ secrets.RH_AUTOMATION_HUB_TOKEN }}"
+        --fail --silent --show-error --output /dev/null
diff --git a/.github/workflows/token_refresh_rh_subscription_manager.yml b/.github/workflows/token_refresh_rh_subscription_manager.yml
@@ -5,10 +5,18 @@ on:
   schedule:
     - cron: "0 12 1,15 * *"  # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
-  refresh:
-    uses: ansible/team-devtools/.github/workflows/ah_token_refresh.yml@main
-    with:
-      environment: release
-    secrets:
-      ah_token: ${{ secrets.RHSM_TOKEN }}
+refresh:
+  runs-on: ubuntu-latest
+  steps:
+    - name: Refresh the automation hub token
+      run: >-
+        curl https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
+        -d grant_type=refresh_token
+        -d client_id=rhsm-api
+        -d refresh_token="${{ secrets.RHSM_TOKEN }}"
+        --fail --silent --show-error --output /dev/null
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.3
+    hooks:
+      - id: gitleaks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 # RHIS-code
 
-[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K)
+[![Ansible Lint](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml/badge.svg)](https://github.com/redhat-cop/rhis-code/actions/workflows/ansible-lint-github-hosted.yml) [![Slack Channel](https://img.shields.io/badge/slack-channel-tech?logo=slack)](https://redhat.enterprise.slack.com/archives/C07TAP5PJ8K) [![OSSF-Scorecard Score](https://api.scorecard.dev/projects/github.com/redhat-cop/rhis-code/badge)](https://scorecard.dev/viewer/?uri=github.com/redhat-cop/rhis-code)
+
 
 
 This repository is intended to contain ansible automation code. All documents are stored on [docs](./docs).

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@rhis-code-admins](https://github.com/orgs/redhat-cop/teams/rhis-code-admins)
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,7 @@ run-name: Deploy to GitHub Pages @@
     on:
       push:
         branches:
-          - devel
+          - main
     permissions:
       contents: read
@@ Expand Down @@