From 1f7dd690d60117a1596895fead8aecf02f4b0f7c Mon Sep 17 00:00:00 2001 From: John Kjell Date: Fri, 5 Jan 2024 23:11:12 -0600 Subject: [PATCH] Pin dependencies and restrict permissions Signed-off-by: John Kjell --- .github/workflows/release.yml | 33 ++++++++++++++++++++++++---- .github/workflows/verify-licence.yml | 2 +- .github/workflows/witness.yml | 6 +++++ dev/Dockerfile.go-builder | 2 +- 4 files changed, 37 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 12228a80..30b53374 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,11 +1,30 @@ -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout +# Copyright 2022 The Witness Contributors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + name: release on: [push, pull_request] + +permissions: + contents: read # This is required for actions/checkout + + jobs: fmt: uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: fmt @@ -15,6 +34,9 @@ jobs: sast: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: sast @@ -24,6 +46,9 @@ jobs: unit-test: needs: [fmt] uses: ./.github/workflows/witness.yml + permissions: + id-token: write # This is required for requesting the JWT + contents: read with: pull_request: ${{ github.event_name == 'pull_request' }} step: unit-test @@ -68,7 +93,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Download GoReleaser - run: go install github.com/goreleaser/goreleaser@latest + run: go install github.com/goreleaser/goreleaser@v1.23.0 - name: Run GoReleaser uses: testifysec/witness-run-action@40aa4ef36fc431a37de7c3faebcb66513c03b934 diff --git a/.github/workflows/verify-licence.yml b/.github/workflows/verify-licence.yml index 415eb405..6fdd09b4 100644 --- a/.github/workflows/verify-licence.yml +++ b/.github/workflows/verify-licence.yml @@ -17,7 +17,7 @@ jobs: with: go-version: '1.18.x' - name: Install addlicense - run: go install github.com/google/addlicense@latest + run: go install github.com/google/addlicense@v1.1.1 - name: Check license headers run: | set -e diff --git a/.github/workflows/witness.yml b/.github/workflows/witness.yml index 1b031473..2e353ed2 100644 --- a/.github/workflows/witness.yml +++ b/.github/workflows/witness.yml @@ -40,9 +40,15 @@ on: required: true type: string +permissions: + contents: read + jobs: witness: runs-on: ubuntu-latest + permissions: + contents: read + id-token: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 diff --git a/dev/Dockerfile.go-builder b/dev/Dockerfile.go-builder index 2f98ea11..9bf246c8 100644 --- a/dev/Dockerfile.go-builder +++ b/dev/Dockerfile.go-builder @@ -1,2 +1,2 @@ -FROM golang:1.21.3 +FROM golang:1.21.3@sha256:b113af1e8b06f06a18ad41a6b331646dff587d7a4cf740f4852d16c49ed8ad73 COPY ./bin/witness /usr/bin