Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Harden Workflow Security #1577

Merged
merged 6 commits into from
Jan 8, 2024
Merged

Harden Workflow Security #1577

merged 6 commits into from
Jan 8, 2024

Conversation

Zeitsperre
Copy link
Collaborator

@Zeitsperre Zeitsperre commented Jan 8, 2024

Pull Request Checklist:

  • This PR addresses an already opened issue (for bug fixes / features)
  • Tests for the changes have been added (for bug fixes / features)
    • (If applicable) Documentation has been added / updated (for bug fixes / features)
  • CHANGES.rst has been updated (with summary of main changes)
    • Link to issue (:issue:number) and pull request (:pull:number) has been added

What kind of change does this PR introduce?

  • Adds the harden-runner action step to all relevant workflows
  • Sets basic permissions on all relevant workflows
  • Sets actions-version-updater.yml to use a more constrained token

Does this PR introduce a breaking change?

No, but GitHub Workflows are more secure.

Other information:

https://securityscorecards.dev/viewer/?uri=github.com%2FOuranosinc%2Fxclim
https://github.com/step-security/harden-runner

@Zeitsperre Zeitsperre added the standards / conventions Suggestions on ways forward label Jan 8, 2024
@Zeitsperre Zeitsperre self-assigned this Jan 8, 2024
@github-actions github-actions bot added the CI Automation and Contiunous Integration label Jan 8, 2024
@Zeitsperre Zeitsperre requested a review from a team January 8, 2024 18:30
@github-actions github-actions bot added the approved Approved for additional tests label Jan 8, 2024
Copy link

github-actions bot commented Jan 8, 2024

Note
It appears that this Pull Request modifies the main.yml workflow.

On inspection, the XCLIM_TESTDATA_BRANCH environment variable is set to the most recent tag (v2023.12.14).

No further action is required.

@coveralls
Copy link

Coverage Status

coverage: 90.303%. remained the same
when pulling 2657d0c on hash-pinning
into fec1c74 on master.

@Zeitsperre Zeitsperre merged commit bed83c5 into master Jan 8, 2024
17 checks passed
@Zeitsperre Zeitsperre deleted the hash-pinning branch January 8, 2024 19:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Approved for additional tests CI Automation and Contiunous Integration standards / conventions Suggestions on ways forward
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants