🛠️ Add Harden Runner to improve CI-security (1/2) (#956)

chains-project · Oct 30, 2024 · 83adac2 · 83adac2
1 parent c94fd2b
commit 83adac2
Show file tree

Hide file tree

Showing 11 changed files with 171 additions and 72 deletions.
diff --git a/.github/workflows/Lockfile.yml b/.github/workflows/Lockfile.yml
@@ -8,12 +8,16 @@ permissions:
   contents: read
 jobs:
   check-lockfile:
-        permissions:
-          contents: write
-        runs-on: ubuntu-latest
-        steps:
-        - name: run maven-lockfile
-          uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
-          with:
-            github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
-            include-maven-plugins: true
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          egress-policy: audit
+
+      - name: run maven-lockfile
+        uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
+        with:
+          github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
+          include-maven-plugins: true
diff --git a/.github/workflows/LockfilePR.yml b/.github/workflows/LockfilePR.yml
@@ -6,20 +6,33 @@ permissions:
   contents: read
 jobs:
   check-lockfile:
-        permissions:
-          contents: write
-        runs-on: ubuntu-latest
-        steps:
-        - name: run maven-lockfile
-          if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
-          uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
-          with:
-            github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
-            include-maven-plugins: true
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
+            repo.maven.apache.org:443
+            repo1.maven.org:443
+            sh.jbang.dev:443
 
-        - name: run maven-lockfile (fork/external)
-          if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
-          uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
-          with:
-            github-token: ${{ secrets.GITHUB_TOKEN }}
-            include-maven-plugins: true
+      - name: run maven-lockfile
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
+        uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
+        with:
+          github-token: ${{ secrets.JRELEASER_GITHUB_TOKEN }}
+          include-maven-plugins: true
+
+      - name: run maven-lockfile (fork/external)
+        if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+        uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          include-maven-plugins: true
diff --git a/.github/workflows/code-qualitiy.yml b/.github/workflows/code-qualitiy.yml
@@ -10,6 +10,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            oss.sonatype.org:443
+            repo.maven.apache.org:443
+            repo.spring.io:443
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Set up JDK 17
         uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
@@ -36,6 +47,17 @@ jobs:
       run:
         working-directory: ${{ github.workspace }}/maven_plugin
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            oss.sonatype.org:443
+            repo.maven.apache.org:443
+            repo.spring.io:443
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Set up JDK 17
         uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -46,28 +46,39 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-    - name: Set up JDK 17
-      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
-      with:
-        java-version: '17'
-        distribution: 'temurin'
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            repo.maven.apache.org:443
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Set up JDK 17
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
 
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-    - name: build packages
-      run: mvn -B  clean package
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
-      with:
-        category: "/language:${{matrix.language}}"
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+      - name: build packages
+        run: mvn -B  clean package
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -14,6 +14,15 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: 'Dependency Review'

diff --git a/.github/workflows/doc.yml b/.github/workflows/doc.yml
@@ -10,6 +10,15 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            repo.maven.apache.org:443
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:

diff --git a/.github/workflows/jreleaser.yml b/.github/workflows/jreleaser.yml
@@ -18,6 +18,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          egress-policy: audit
+
 # Setups the environment
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

diff --git a/.github/workflows/publish-action-artifact.yml b/.github/workflows/publish-action-artifact.yml
@@ -15,6 +15,10 @@ jobs:
       packages: write
 
     steps:
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 

diff --git a/.github/workflows/regenerate-lockfile.yml b/.github/workflows/regenerate-lockfile.yml
@@ -10,6 +10,10 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          egress-policy: audit
+
       - name: run maven-lockfile
         uses: chains-project/maven-lockfile@526cd67327ab19c7bd95be6d2d16530d80bf3c9e # v5.2.0
         with:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -31,6 +31,10 @@ jobs:
       # actions: read
 
     steps:
+      - uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
@@ -13,27 +13,42 @@ jobs:
     runs-on: ubuntu-latest
     name: smoke test against different repos
     steps:
-    - name: checkout
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-    - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
-      with:
-        path: /root/.jbang
-        key: $-jbang-$
-        restore-keys: |
-            $-jbang-
-    - name: Set up JDK 17
-      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
-      with:
-        java-version: '17'
-        distribution: 'temurin'
-    - name: Set up Maven
-      uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
-      with:
-        maven-version: 3.9.6
-    - name: jbang
-      uses: jbangdev/setup-jbang@2b1b465a7b75f4222b81426f23a01e013aa7b95c # v0.1.1
-      with:
-        version: 0.119.0
-    - name: SmokeTest
-      run: |
-        jbang .github/smoketest/SmokeTest.java
+      - name: Harden Runner
+        uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            objects.githubusercontent.com:443
+            oss.sonatype.org:443
+            raw.githubusercontent.com:443
+            repo.maven.apache.org:443
+            repo1.maven.org:443
+            repository.sonatype.org:443
+            sh.jbang.dev:443
+
+      - name: checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        with:
+          path: /root/.jbang
+          key: $-jbang-$
+          restore-keys: |
+              $-jbang-
+      - name: Set up JDK 17
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+      - name: Set up Maven
+        uses: stCarolas/setup-maven@d6af6abeda15e98926a57b5aa970a96bb37f97d1 # v5
+        with:
+          maven-version: 3.9.6
+      - name: jbang
+        uses: jbangdev/setup-jbang@2b1b465a7b75f4222b81426f23a01e013aa7b95c # v0.1.1
+        with:
+          version: 0.119.0
+      - name: SmokeTest
+        run: |
+          jbang .github/smoketest/SmokeTest.java