[StepSecurity] Apply security best practices (#1606)

## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @Zeitsperre. Please merge the Pull Request to incorporate the requested changes. Please tag @Zeitsperre on your message if you have any questions related to the PR. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Keeping your actions up to date with Dependabot With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF). - [GitHub Security Guide](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) ### Maintain Code Quality with Pre-Commit Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities. - [Official Pre-commit documentation](https://pre-commit.com/) - [Getting Started guide](https://pre-commit.com/#getting-started) ## Feedback For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <[email protected]>
Ouranosinc · Jan 22, 2024 · 4aeabc2 · 4aeabc2
2 parents 9ac718b + 65fc23c
commit 4aeabc2
Show file tree

Hide file tree

Showing 42 changed files with 710 additions and 654 deletions.
diff --git a/...ub/workflows/actions-versions-updater.yml → .../deactivated/actions-versions-updater.yml b/...ub/workflows/actions-versions-updater.yml → .../deactivated/actions-versions-updater.yml
@@ -27,13 +27,13 @@ jobs:
             github.com:443
 
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           persist-credentials: true
 
       - name: Run GitHub Actions Version Updater
-        uses: saadmk11/[email protected]
+        uses: saadmk11/github-actions-version-updater@64be81ba69383f81f2be476703ea6570c4c8686e # v0.8.1
         with:
           token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           committer_email: 'bumpversion[bot]@ouranos.ca'

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+      time: '12:00'
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+      time: '12:00'
+    open-pull-requests-limit: 5
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -5,7 +5,7 @@ on:
     types:
       - opened
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -24,7 +24,7 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
 
-      - uses: actions/[email protected]
+      - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
         with:
           project-url: https://github.com/orgs/Ouranosinc/projects/6
           github-token: ${{ secrets.ADD_TO_PROJECT_TOKEN }}
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -23,7 +23,7 @@ on:
       - tox.ini
       - xclim/__init__.py
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -43,10 +43,10 @@ jobs:
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
-      - uses: actions/[email protected]
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: "3.x"
       - name: Config Commit Bot

diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml
@@ -5,7 +5,7 @@ on:
     types:
       - closed
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -23,7 +23,7 @@ jobs:
             objects.githubusercontent.com:443
 
       - name: Check out code
-        uses: actions/[email protected]
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Cleanup
         run: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -49,7 +49,7 @@ jobs:
             pypi.org:443
             uploads.github.com:443
       - name: Checkout repository
-        uses: actions/[email protected]
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@1245696032ecf7d39f87d54daa406e22ddf769a8

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -25,7 +25,7 @@ jobs:
             github.com:443
 
       - name: 'Checkout Repository'
-        uses: actions/[email protected]
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507
diff --git a/.github/workflows/first_pull_request.yml → .github/workflows/first-pull-request.yml b/.github/workflows/first_pull_request.yml → .github/workflows/first-pull-request.yml
@@ -5,7 +5,7 @@ on:
     types:
       - opened
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -24,7 +24,7 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
 
-      - uses: actions/[email protected]
+      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             // Get a list of all issues created by the PR opener

diff --git a/.github/workflows/label_on_approval.yml → .github/workflows/label-on-approval.yml b/.github/workflows/label_on_approval.yml → .github/workflows/label-on-approval.yml
@@ -34,7 +34,7 @@ jobs:
             api.github.com:443
 
       - name: Label Approved
-        uses: actions/[email protected]
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             github.rest.issues.addLabels({
@@ -58,20 +58,23 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
       - name: Find comment
-        uses: peter-evans/[email protected]
+        uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2.4.0
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
-          body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing
+          body-includes: This Pull Request is coming from a fork and must be manually tagged `approved` in order to perform additional testing.
       - name: Create comment
         if: |
           (steps.fc.outputs.comment-id == '') &&
           (!contains(github.event.pull_request.labels.*.name, 'approved')) &&
           (github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name)
-        uses: peter-evans/[email protected]
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -82,7 +85,7 @@ jobs:
       - name: Update comment
         if: |
           contains(github.event.pull_request.labels.*.name, 'approved')
-        uses: peter-evans/[email protected]
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -6,10 +6,15 @@
 # https://github.com/actions/labeler/blob/master/README.md
 
 name: Labeler
-on: [pull_request_target]
+on:
   # Note: potential security risk from this action using pull_request_target.
   # Do not add actions in here which need a checkout of the repo, and do not use any caching in here.
   # See: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
 
 permissions:
   contents: read
@@ -30,6 +35,7 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
-      - uses: actions/[email protected]
+
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -52,16 +52,16 @@ jobs:
             files.pythonhosted.org:443
             github.com:443
             pypi.org:443
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/[email protected]
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install pylint and tox
         run: pip install pylint tox~=4.0
       - name: Run pylint
         run: |
-          python -m pylint --rcfile=pylintrc --disable=import-error --exit-zero xclim
+          python -m pylint --rcfile=.pylintrc.toml --disable=import-error --exit-zero xclim
       - name: Run linting suite
         run: |
           python -m tox -e lint
@@ -88,9 +88,9 @@ jobs:
             github.com:443
             pypi.org:443
             raw.githubusercontent.com:443
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/[email protected]
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
@@ -148,14 +148,14 @@ jobs:
             ppa.launchpadcontent.net:443
             pypi.org:443
             raw.githubusercontent.com:443
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install Eigen3
         if: contains(matrix.tox-env, 'sbck')
         run: |
           sudo apt-get update
           sudo apt-get install libeigen3-dev
       - name: Set up Python${{ matrix.python-version }}
-        uses: actions/[email protected]
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install tox
@@ -203,9 +203,9 @@ jobs:
             pypi.org:443
             raw.githubusercontent.com:443
             repo.anaconda.com:443
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
-        uses: mamba-org/[email protected]
+        uses: mamba-org/setup-micromamba@e820223f89c8720d6c740ca154a7adf32fcd278a # v1.7.3
         with:
           cache-downloads: true
           cache-environment: true

diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml
@@ -15,7 +15,7 @@ on:
         default: true
         type: boolean
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -30,7 +30,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/[email protected]
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Current Version
         if: ${{ !github.event.inputs.version-tag }}
@@ -63,7 +63,7 @@ jobs:
 
       - name: Prepare Message
         id: render_template
-        uses: chuhlomin/[email protected]
+        uses: chuhlomin/render-template@a473db625a96c98e519d188812dc22bcaf54ffba # v1.9
         with:
           template: .github/publish-mastodon.template.md
           vars: |
@@ -75,7 +75,7 @@ jobs:
 
       - name: Send toot to Mastodon
         if: ${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }}
-        uses: cbrgm/[email protected]
+        uses: cbrgm/mastodon-github-action@d98ab3376f941df14d37d5737961de431c0838c6 # v1.0.3
         with:
           message: "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
           visibility: "public"

diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -5,7 +5,7 @@ on:
     types:
       - published
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -21,9 +21,9 @@ jobs:
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Python3
-        uses: actions/[email protected]
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: "3.x"
       - name: Install packaging libraries
@@ -33,4 +33,4 @@ jobs:
         run: |
           python -m flit build
       - name: Publish distribution 📦 to PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # v1.8.11
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -12,7 +12,8 @@ on:
   schedule:
     - cron: '41 8 * * 4'
   push:
-    branches: [ "master" ]
+    branches:
+      - master
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -26,9 +27,6 @@ jobs:
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: Harden Runner
@@ -56,9 +54,6 @@ jobs:
           #   - Publish results to OpenSSF REST API for easy access by consumers
           #   - Allows the repository to include the Scorecard badge.
           #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF

diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
@@ -5,7 +5,7 @@ on:
     tags:
       - 'v*'
 
-permissions:  # added using https://github.com/step-security/secure-repo
+permissions:
   contents: read
 
 jobs:
@@ -21,9 +21,9 @@ jobs:
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
           egress-policy: audit
-      - uses: actions/[email protected]
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Python3
-        uses: actions/[email protected]
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
         with:
           python-version: "3.x"
       - name: Install packaging libraries
@@ -33,7 +33,7 @@ jobs:
         run: |
           python -m flit build
       - name: Publish distribution 📦 to Test PyPI
-        uses: pypa/[email protected]
+        uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # v1.8.11
         with:
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true