Implement Scorecard (#384)

* [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <[email protected]> * Integrate Dependency Review into PR workflow * Scorecard Annotations * Group GH Actions Updates * Only Attest Docs to be published --------- Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: StepSecurity Bot <[email protected]>
erlef · Oct 20, 2024 · e53bf3d · e53bf3d
1 parent 6d33f07
commit e53bf3d
Show file tree

Hide file tree

Showing 8 changed files with 253 additions and 63 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,11 @@
 version: 2
 updates:
-  - package-ecosystem: github-actions
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
+      interval: "weekly"
+    groups:
+      github-actions:
+        applies-to: version-updates
+        patterns:
+          - "*"
diff --git a/.github/scorecard.yml b/.github/scorecard.yml
@@ -0,0 +1,9 @@
+annotations:
+  - checks:
+      - fuzzing
+    reasons:
+      - reason: not-applicable # Erlang / Elixir is memory safe
+  - checks:
+      - packaging
+    reasons:
+      - reason: not-supported # Using Hex.pm
diff --git a/.github/workflows/part_docs.yml b/.github/workflows/part_docs.yml
@@ -23,19 +23,24 @@ jobs:
       attestations: write
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: erlef/setup-elixir@v1
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: erlef/setup-elixir@5304e04ea2b355f03681464e683d92e3b2f18451 # v1.18.2
         id: setupBEAM
         with:
           version-file: .tool-versions
           version-type: strict
-      - uses: actions/cache@v4
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: _build
           key: docs-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ steps.setupBEAM.outputs.elixir-version }}-${{ hashFiles('rebar.config') }}
           restore-keys: |
             docs-build-{{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ steps.setupBEAM.outputs.elixir-version }}-
-      - uses: actions/cache@v4
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: deps
           key: docs-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ steps.setupBEAM.outputs.elixir-version }}-${{ hashFiles('rebar.config') }}
@@ -49,17 +54,18 @@ jobs:
           tar -czvf docs.tar.gz doc
       
       - name: "Attest docs provenance"
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
         id: attest-docs-provenance
         if: "${{ github.event.inputs.attest }}"
         with:
           subject-path: 'docs.tar.gz'
       - name: "Copy docs provenance"
+        if: "${{ github.event.inputs.attest }}"
         run: cp "$ATTESTATION" docs.tar.gz.sigstore
         env:
           ATTESTATION: "${{ steps.attest-docs-provenance.outputs.bundle-path }}"
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: docs
           path: docs.tar.gz*
diff --git a/.github/workflows/part_publish.yml b/.github/workflows/part_publish.yml
@@ -22,19 +22,24 @@ jobs:
     if: "${{ inputs.releaseName }}"
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: erlef/setup-beam@v1
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # v1.18.2
         id: setupBEAM
         with:
           version-file: .tool-versions
           version-type: strict
-      - uses: actions/cache@v4
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: _build
           key: mix_hex_publish-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}
           restore-keys: |
             mix_hex_publish-build-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-
-      - uses: actions/cache@v4
+      - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: deps
           key: mix_hex_publish-deps-${{ runner.os }}-${{ steps.setupBEAM.outputs.otp-version }}-${{ hashFiles('mix.exs') }}

diff --git a/.github/workflows/part_release.yml b/.github/workflows/part_release.yml
@@ -24,6 +24,11 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Create draft prerelease
         if: ${{ !inputs.stable }}
         env:
@@ -47,7 +52,7 @@ jobs:
             ${{ inputs.releaseName }}
             
       - name: "Download Docs Artifact"
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: docs
           path: .