From 8b40b81ee13661cced35b536b1cee3bbfe488f2e Mon Sep 17 00:00:00 2001
From: Roger Barker
Date: Fri, 10 May 2024 09:06:03 -0500
Subject: [PATCH] ci: 1770 update ci workflows for best practices and standards round2 (#1775)
---
 .github/CODEOWNERS | 41 ++++++++++++++++++++++++-
 .github/workflows/build.yml | 16 ++++++++
 .github/workflows/pages.yml | 7 +++++
 .github/workflows/release-artifacts.yml | 16 ++++++++--
 4 files changed, 77 insertions(+), 3 deletions(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1b86ddb52..09a0134d9 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,2 +1,41 @@
 # Default code owners for entire repository
-* @agadzhalov @thenswan @SimiHunjan
+* @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Legacy Maven project files
+**/pom.xml @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Gradle project files and inline plugins
+/gradle/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+gradlew @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+gradlew.bat @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/build-logic/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/gradle.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/*.gradle.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Codacy Tool Configurations
+/config/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+.remarkrc @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/LICENSE @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
+**/.gitignore.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-java-maintainers @hashgraph/hedera-sdk-java-contributors
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 069d321b6..f8e90f4a5 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,6 +18,7 @@ defaults: permissions: contents: read + packages: write env: LC_ALL: C.UTF-8
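Review bot: Because CODEOWNERS applies the last matching rule and, as far as I know, approval from any one listed owner satisfies a required code-owner review, the `/.github/workflows/` rule overrides the stricter `/.github/` rule directly above it and lets `@hashgraph/hedera-sdk-java-contributors` alone approve workflow changes, although the `# Protection Rules ...` heading reads as if release-engineering sign-off were the intent. If that is the intent, trim the rule to `/.github/workflows/ @hashgraph/release-engineering @hashgraph/release-engineering-managers` or delete it so `/.github/` applies; the `**/pom.xml`, gradle and `/CODEOWNERS` rules have the same shape. GitHub also reads `docs/CODEOWNERS`, so the self-protection rule could list `/docs/CODEOWNERS` next to `/CODEOWNERS` (the `.github/` copy is already inside `/.github/`). The `# NOTE: Must be placed last` comment states an ordering invariant that nothing enforces; a final `/.github/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers` line would at least keep this file itself under the narrow owner set even if the default `*` rule is later edited.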
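Review bot: `packages: write` is added to the workflow-level `permissions:` of build.yml, so every job's GITHUB_TOKEN can push to GitHub Packages, yet the jobs visible in this patch (Code Compiles and the two that `needs: compile`) show no package publish, and the identical grant is repeated in pages.yml and release-artifacts.yml. If a step outside these hunks really pushes to GHCR, scope the grant to that job's own `permissions:` block and keep the workflow default at `contents: read`; otherwise drop the line. Should build.yml also run for pull requests (its `on:` block is outside the hunk), this is a write-capable token handed to every step, including the third-party actions pinned in the hunks below. A comment naming the consumer, e.g. `packages: write # required by <step> to push to ghcr.io`, would save the next reviewer the same question.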
@@ -29,6 +30,11 @@ jobs: name: Code Compiles runs-on: [ self-hosted, Linux, medium, ephemeral ] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -52,6 +58,11 @@ jobs: needs: - compile steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with:
@@ -108,6 +119,11 @@ jobs: needs: - compile steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index be740d47f..4dd3ea521 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -10,6 +10,8 @@ defaults: shell: bash permissions: + contents: read + packages: write id-token: write pages: write
@@ -21,6 +23,11 @@ jobs: name: Publish runs-on: [ self-hosted, Linux, medium, ephemeral ] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
index 67a82ed55..fcbd721ca 100644
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -11,6 +11,7 @@ defaults: permissions: contents: read + packages: write env: LC_ALL: C.UTF-8
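Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections, so nothing in this hunk blocks exfiltration or a compromised build dependency phoning home; once a few runs have produced a baseline, move to `egress-policy: block` with an explicit `allowed-endpoints:` list. The job runs on `[ self-hosted, Linux, medium, ephemeral ]`, and to my knowledge the community harden-runner action is built for GitHub-hosted runners, so confirm it actually instruments this self-hosted pool — otherwise the step is a no-op that reads like hardening. The SHA pin with the trailing `# v2.7.0` comment is the right form; the same five lines are pasted verbatim into every job in this patch, which a composite action or reusable workflow would keep in one place.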
@@ -22,6 +23,11 @@ jobs: name: Validate Release runs-on: [ self-hosted, Linux, medium, ephemeral ] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -55,13 +61,19 @@ jobs: name: Publish to Maven Central runs-on: [ self-hosted, Linux, medium, ephemeral ] needs: + # This needs clause exists solely to provide a dependency on the previous step. This publish step will not occur + # until the validate-release step completes successfully. - validate-release steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install GnuPG Tools - if: ${{ inputs.dry-run-enabled != true }} run: | if ! command -v gpg2 >/dev/null 2>&1; then echo "::group::Updating APT Repository Indices"
@@ -74,7 +86,7 @@ jobs: - name: Import GPG key id: gpg_key - uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 + uses: step-security/ghaction-import-gpg@a7c87df2279f2bf2e69ba8289dfbf35fe05a4e08 # v1.0.0 with: gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }} passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
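Review bot: Dropping `if: ${{ inputs.dry-run-enabled != true }}` from Install GnuPG Tools makes dry runs apt-get gpg2 on the release runner, and since the Import GPG key step in the following hunk carries no dry-run guard of its own, the signing key from `secrets.GPG_KEY_CONTENTS` is presumably imported on dry runs as well. If a dry run is meant to rehearse publishing without handling key material, keep the guard and put it on the import step instead, `if: ${{ inputs.dry-run-enabled != true }}`; if signing is intentionally exercised in dry runs, say so in a comment above the step. The new two-line comment on `needs:` restates what `needs` already means in Actions; `# gate publishing on a successful validate-release` is enough. The rest of the Publish to Maven Central job is outside the hunk.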
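Review bot: The step that receives `secrets.GPG_KEY_CONTENTS` and `secrets.GPG_KEY_PASSPHRASE` now resolves to `step-security/ghaction-import-gpg@a7c87df…`, a fork at its first tag (`# v1.0.0`) replacing `crazy-max/ghaction-import-gpg` v6.1.0; the SHA pin is the right shape, but Actions does not check the trailing comment, so confirm that `a7c87df2279f2bf2e69ba8289dfbf35fe05a4e08` is the commit behind the fork's v1.0.0 tag and read the fork's diff against upstream before trusting it with the release signing key. Record why the fork replaced upstream next to the pin, e.g. `# step-security fork of crazy-max/ghaction-import-gpg; switched because …`, so a later reviewer does not revert it as a mistake. If the fork keeps upstream's input names this is a drop-in change; the two inputs shown are unchanged, which suggests it does, but the remaining inputs (if any) are outside the hunk.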