ci: enhance the security of gh workflows (#10564)

* ci: enhance security of workflows * ci: fix docs git add of search folders * chore: remove jans-tent * docs: update docs with the removal of jans tent * ci: fix pip upgrade Signed-off-by: moabu <[email protected]> * ci: fix ignore previously installed packages Signed-off-by: moabu <[email protected]> * ci: fix clean up dep in build of assets Signed-off-by: moabu <[email protected]> * ci: fix clean up dep in build of assets Signed-off-by: moabu <[email protected]> * ci: fix clean up Signed-off-by: moabu <[email protected]> * ci: fix clean up Signed-off-by: moabu <[email protected]> * ci: fix clean up Signed-off-by: moabu <[email protected]> * ci: fix clean up Signed-off-by: moabu <[email protected]> * ci: fix permission level for clean up Signed-off-by: moabu <[email protected]> * ci: skip deleting if the service doesn't have any packages Signed-off-by: moabu <[email protected]> * ci: load all pages Signed-off-by: moabu <[email protected]> * ci: load all pages Signed-off-by: moabu <[email protected]> * ci: load all pages Signed-off-by: moabu <[email protected]> --------- Signed-off-by: moabu <[email protected]>
JanssenProject · Jan 7, 2025 · 4fa6699 · 4fa6699
1 parent 02c3df7
commit 4fa6699
Show file tree

Hide file tree

Showing 52 changed files with 103 additions and 2,617 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -26,10 +26,6 @@ updates:
     schedule:
       interval: daily
 
-  - package-ecosystem: pip
-    directory: /demos/jans-tent
-    schedule:
-      interval: daily
 
   - package-ecosystem: docker
     directory: /docker-jans-all-in-one

diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
@@ -57,7 +57,7 @@ jobs:
           egress-policy: audit
 
       - name: Install Cosign
-        uses: sigstore/[email protected]
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -91,9 +91,9 @@ jobs:
         if: steps.build_docker_image.outputs.build || github.event_name == 'tags'
         run: |
           sudo apt-get update
-          sudo python3 -m pip install --upgrade pip
-          sudo pip3 install setuptools --upgrade
-          sudo pip3 install -r ./automation/requirements.txt
+          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
+          sudo pip3 install --ignore-installed setuptools --upgrade
+          sudo pip3 install --ignore-installed -r ./automation/requirements.txt 
           sudo apt-get update
 
       #- uses: actions/delete-package-versions@v5
@@ -165,19 +165,19 @@ jobs:
           fi
 
       # UPDATE BUILD DATES INSIDE THE DOCKERFILE BEFORE BUILDING THE DEV IMAGES TRIGGERED BY JENKINS
-      - name: Setup Python 3.7
+      - name: Setup Python 3.10
         if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.7
+          python-version: "3.10"
 
       - name: Install Python dependencies
         if: github.event_name == 'workflow_dispatch' && ${{ matrix.docker-images }} != 'loadtesting-jmeter'
         run: |
           sudo apt-get update
-          sudo python3 -m pip install --upgrade pip
-          sudo pip3 install setuptools --upgrade
-          sudo pip3 install -r ./automation/requirements.txt
+          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
+          sudo pip3 install --ignore-installed setuptools --upgrade
+          sudo pip3 install --ignore-installed -r ./automation/requirements.txt
           sudo apt-get update
           sudo apt-get install jq
 

diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -209,7 +209,10 @@ jobs:
           # END move generated chart from a previous step
           
           # copy search from nightly to all other versions. This is to ensure that the search index is available for all versions
-          for folder in v*/; do cp -r nightly/search "$folder"; done
+          for folder in v*/; do
+            cp -r nightly/search "$folder"
+            git add $folder/search && git update-index --refresh
+          done
           # END copy search from nightly to all other versions
 
           echo "Replacing release number markers with actual release number"

diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml
@@ -5,6 +5,8 @@ on:
     tags:
     - 'v**'
     - 'nightly'
+permissions:
+  contents: read
 jobs:
   publish_binary_packages:
     if: github.repository == 'JanssenProject/jans'
@@ -196,7 +198,7 @@ jobs:
       run: |
         sudo apt-get update
         sudo apt-get install -y python3 build-essential ca-certificates dbus systemd iproute2 gpg python3-pip python3-dev libpq-dev gcc
-        python3 -m pip install --upgrade pip
+        python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
         pip3 install shiv wheel setuptools
         echo "Building jans-linux-setup package"
         sudo chown -R runner:docker /home/runner/work/jans/jans        
@@ -356,8 +358,8 @@ jobs:
         git_user_signingkey: true
         git_commit_gpgsign: true
 
-    - uses: actions/setup-python@v5
-    - uses: PyO3/maturin-action@v1
+    - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+    - uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1.45.0
       with:
         working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_python
         command: build

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -40,35 +40,50 @@ on:
 concurrency:
   group: run-once
   cancel-in-progress: false
+permissions:
+  contents: read
 jobs:
   cleanup:
-    if: github.event_name == 'push' && github.event.ref == 'refs/heads/main'
     runs-on: ubuntu-20.04
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      contents: read
+      packages: write
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
       with:
         egress-policy: audit
     - name: Get version ID for 0.0.0-nightly
-      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
       id: get_version_id
       run: |
-        services=$(gh api -H "Accept: application/vnd.github+json" \
-                  /orgs/JanssenProject/packages?package_type=maven \
-                  | jq -r '.[].name')
-        for service in "${services}"; do
-          version_id=$(gh api -H "Accept: application/vnd.github+json" \
-            /orgs/JanssenProject/packages/maven/io.jans.${service}/versions \
-            | jq -r '.[] | select(.name == "0.0.0-nightly") | .id')
-          echo "version_id=$version_id" >> $GITHUB_ENV
-          gh api --method DELETE \
-          -H "Accept: application/vnd.github+json" \
-          -H "X-GitHub-Api-Version: 2022-11-28" \
-          /orgs/JanssenProject/packages/maven/io.jans."${service}"/versions/"${version_id}"
+        page=1
+        services=""
+        while true; do
+          response=$(gh api -H "Accept: application/vnd.github+json" \
+            /orgs/JanssenProject/packages?package_type=maven\&per_page=100\&page=$page)
+          names=$(echo "$response" | jq -r '.[].name')
+          if [ -z "$names" ]; then
+            break
+          fi
+          services="$services $names"
+          page=$((page + 1))
         done
-
+        
+        services=$(echo "$services" | tr '\n' ' ' | sed 's/ *$//')
+        echo "Services: $services"
+          for service in $services; do
+            echo "Checking $service"
+            version_id=$(gh api -H "Accept: application/vnd.github+json" \
+              /orgs/JanssenProject/packages/maven/"${service}"/versions \
+              | jq -r '.[] | select(.name == "0.0.0-nightly") | .id')
+            echo "version_id=$version_id" >> $GITHUB_ENV
+            gh api --method DELETE \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /orgs/JanssenProject/packages/maven/"${service}"/versions/"${version_id}" || echo "Failed to delete $service"
+          done
 
   prep-matrix:
     needs: cleanup
@@ -126,18 +141,18 @@ jobs:
       with:
         egress-policy: audit
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.event.inputs.branch }}
 
     - name: Set up Java 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         java-version: '17'
         distribution: 'adopt'
 
     - name: Set up Maven
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         java-version: '17'
         distribution: 'adopt'
@@ -159,7 +174,7 @@ jobs:
 
     - name: Archive results
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: build-results
         path: ${{ matrix.service }}/target
@@ -170,7 +185,9 @@ jobs:
 
   run-tests:
     if: github.event_name == 'push' || github.event_name == 'pull_request' || (github.event_name == 'workflow_dispatch' && github.event.inputs.project == 'jans-bom, jans-orm, jans-core, jans-lock/lock-server, agama, jans-auth-server, jans-link, jans-fido2, jans-scim, jans-keycloak-link, jans-config-api, jans-keycloak-integration, jans-casa')
-    permissions: write-all
+    permissions:
+      contents: read
+      packages: write
     needs: cleanup
     runs-on: ubuntu-20.04
     env:
@@ -198,18 +215,18 @@ jobs:
       with:
         egress-policy: audit
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.event.inputs.branch }}
 
     - name: Set up Java 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         java-version: '17'
         distribution: 'adopt'
 
     - name: Set up Maven
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
       with:
         java-version: '17'
         distribution: 'adopt'
@@ -276,13 +293,13 @@ jobs:
         ls /tmp/reports/
 
     - name: Upload Test Results
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: ${{ matrix.persistence }}-test-results
         path: /tmp/reports
 
     - name: Publish Test Report ${{ matrix.persistence }}
-      uses: starburstdata/action-testng-report@v1
+      uses: starburstdata/action-testng-report@f245422953fb97ec5075d07782a1b596124b7cc4 # v1.0.5
       with:
           report_paths: /tmp/reports/${{ matrix.persistence }}*.xml
           github_token: ${{ github.token }}

diff --git a/.github/workflows/lint-flak8.yml b/.github/workflows/lint-flak8.yml
@@ -4,14 +4,16 @@ on:
     branches:
       - main
     paths:
-      #TODO: add all python projects paths below "jans-pycloudlib", "jans-cli-tui", "jans-linux-setup"
-      - 'demos/jans-tent/**'
+      - 'jans-pycloudlib/**'
+      - 'jans-cli-tui/**'
+      - 'jans-linux-setup/**'
   pull_request:
     branches:
       - main
     paths:
-      #TODO: add all python projects paths below "jans-pycloudlib", "jans-cli-tui", "jans-linux-setup"
-      - 'demos/jans-tent/**'
+      - 'jans-pycloudlib/**'
+      - 'jans-cli-tui/**'
+      - 'jans-linux-setup/**'
 
 permissions:
   contents: read
@@ -23,8 +25,11 @@ jobs:
       #max-parallel: 1
       fail-fast: false
       matrix:
-        #TODO: add all python projects paths below "jans-pycloudlib", "jans-cli-tui", "jans-linux-setup"
-        python-projects: ["demos/jans-tent"]
+        python-projects: [
+          "jans-pycloudlib",
+          "jans-cli-tui",
+          "jans-linux-setup"
+        ]
     steps:
     - name: Harden Runner
       uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1

diff --git a/.github/workflows/ops-docs.yml b/.github/workflows/ops-docs.yml
@@ -71,10 +71,10 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up Python 3.7
+      - name: Set up Python 3.10
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.7
+          python-version: "3.10"
 
       - name: Auto-merge inhouse doc prs
         run: |

diff --git a/.github/workflows/ops-label-pr-issues.yml b/.github/workflows/ops-label-pr-issues.yml
@@ -31,17 +31,17 @@ jobs:
       - name: check out code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Setup Python 3.7
+      - name: Set up Python 3.10
         uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
-          python-version: 3.7
+          python-version: "3.10"
 
       - name: Install dependencies
         run: |
           sudo apt-get update
-          sudo python3 -m pip install --upgrade pip
-          sudo pip3 install setuptools --upgrade
-          sudo pip3 install -r ./automation/requirements.txt
+          sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
+          sudo pip3 install --ignore-installed setuptools --upgrade
+          sudo pip3 install --ignore-installed -r ./automation/requirements.txt
           sudo apt-get update
           sudo apt-get install jq
           curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,12 +10,17 @@ jobs:
     strategy:
       fail-fast: false
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
     - name: Checkout
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: 0
 
-    - uses: googleapis/release-please-action@v4
+    - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
       id: release-please
       with:
          release-type: simple

diff --git a/.github/workflows/sanitary-github-cache.yml b/.github/workflows/sanitary-github-cache.yml
@@ -4,7 +4,8 @@ on:
     types:
       - closed
   workflow_dispatch:
-
+permissions:
+  contents: read
 jobs:
   cleanup:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/sanitary-workflow-runs.yml b/.github/workflows/sanitary-workflow-runs.yml
@@ -3,6 +3,8 @@ on:
   schedule:
     - cron: '0 0 */2 * *'
   workflow_dispatch:
+permissions:
+  contents: read
 jobs:
   del_runs:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/scan-sonar.yml b/.github/workflows/scan-sonar.yml
@@ -55,7 +55,8 @@ on:
       - '!**.txt'
 
   workflow_dispatch:
-
+permissions:
+  contents: read
 jobs:
   sonar-scan:
     name: sonar scan
@@ -82,7 +83,9 @@ jobs:
         jans-linux-setup
         jans-cli-tui
         jans-pycloudlib
-
+    permissions:
+        contents: read
+        pull-requests: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1

diff --git a/.github/workflows/test-cedarling.yml b/.github/workflows/test-cedarling.yml
@@ -19,7 +19,7 @@ jobs:
         egress-policy: audit
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@stable
+      uses: dtolnay/rust-toolchain@1ff72ee08e3cb84d84adba594e0a297990fc1ed3 # stable
     - name: Run Tests
       run: |
         cd ./jans-cedarling
@@ -45,7 +45,7 @@ jobs:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
       run: |
-        python3 -m pip install --upgrade pip
+        python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
         python3 -m pip install tox
     - name: Test with pytest
       run: |