From c52d94a5e12e8cbdb85f00af04ff100fcc4c9cca Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 13:14:26 -0500 Subject: [PATCH 1/6] harden workflows to prevent leaking of credentials, add ACTIONS_VERSION_UPDATER_TOKEN with restricted permissions --- .../workflows/actions-versions-updater.yml | 17 +++- .github/workflows/add-to-project.yml | 3 + .github/workflows/bump-version.yml | 7 ++ .github/workflows/cache-cleaner.yml | 8 ++ .github/workflows/codeql-analysis.yml | 9 ++ .github/workflows/first_pull_request.yml | 5 + .github/workflows/publish-mastodon.yml | 92 ++++++++++--------- .github/workflows/publish-pypi.yml | 7 ++ .github/workflows/tag-testpypi.yml | 7 ++ .github/workflows/testdata_version.yml | 3 + .github/workflows/upstream.yml | 4 + 11 files changed, 115 insertions(+), 47 deletions(-) diff --git a/.github/workflows/actions-versions-updater.yml b/.github/workflows/actions-versions-updater.yml index 45a2a02ae..14a9894e4 100644 --- a/.github/workflows/actions-versions-updater.yml +++ b/.github/workflows/actions-versions-updater.yml 
@@ -6,20 +6,31 @@ on: - cron: '0 0 1 * *' workflow_dispatch: +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4.1.1 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@v4.1.1 with: - token: ${{ secrets.BUMPVERSION_TOKEN }} + token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }} persist-credentials: true + - name: Run GitHub Actions Version Updater uses: saadmk11/github-actions-version-updater@v0.8.1 with: - token: ${{ secrets.BUMPVERSION_TOKEN }} + token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }} committer_email: 'bumpversion[bot]@ouranos.ca' committer_username: 'update-github-actions[bot]' pull_request_title: '[bot] Update GitHub Action Versions' pull_request_team_reviewers: "xclim-core" + update_version_with: "release-commit-sha" diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 91add188d..9f5483b8e 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -5,6 +5,9 @@ on: types: - opened +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: add-to-project: name: Add Issue to xclim Project diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 17659bb83..dc9505d46 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml 
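Review bot: The PAT from `secrets.ACTIONS_VERSION_UPDATER_TOKEN` is still written into the checkout's git config by `persist-credentials: true`, so it stays readable by every later step, including the third-party updater action that already receives the same token through `with: token`. If the updater pushes with the token it is handed rather than through the persisted git credentials, `persist-credentials: false` would close that exposure; worth confirming against the action's documentation before flipping it. Note also that the new top-level `permissions: contents: read` only scopes `GITHUB_TOKEN`; the PAT's reach is fixed where the token was created, so a comment such as `# PAT scope: <scopes granted to ACTIONS_VERSION_UPDATER_TOKEN>` next to the secret name would record the intended restriction. The `egress-policy: audit` used here and in every other harden-runner step in this series only records outbound connections; once the audit data shows the expected hosts, `egress-policy: block` with an `allowed-endpoints:` list is what actually contains a compromised step.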
@@ -23,11 +23,18 @@ on: - tox.ini - xclim/__init__.py +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: bump_patch_version: name: Bumpversion Patch runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 with: persist-credentials: false diff --git a/.github/workflows/cache-cleaner.yml b/.github/workflows/cache-cleaner.yml index 027241a9f..f141b39a4 100644 --- a/.github/workflows/cache-cleaner.yml +++ b/.github/workflows/cache-cleaner.yml @@ -5,10 +5,18 @@ on: types: - closed +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: cleanup: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@v4.1.1 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index d82707b86..3207e86a4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,6 +19,11 @@ on: schedule: - cron: '30 23 * * 5' +permissions: + actions: read + contents: read + security-events: write + jobs: analyze: name: Analyze @@ -33,6 +38,10 @@ jobs: language: - 'python' steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - name: Checkout repository uses: actions/checkout@v4.1.1 # Initializes the CodeQL tools for scanning. diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml index 76d8084b9..2fb5e70b2 100644 --- a/.github/workflows/first_pull_request.yml +++ b/.github/workflows/first_pull_request.yml 
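Review bot: The new top-level `permissions: contents: read` in cache-cleaner.yml leaves `actions` at none, and deleting caches through the GitHub API or `gh cache delete` with `GITHUB_TOKEN` needs `actions: write`; the cleanup step itself is outside this hunk, so this is worth checking in the first run's log. If that step does use `GITHUB_TOKEN`, declare the write scope on the job rather than the workflow, i.e. under `cleanup:` add `permissions:` / `actions: write` / `contents: read`, so every other job keeps a read-only token. The same check applies to bump-version.yml in the hunk above, where the steps following the checkout presumably need a token with push rights.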
@@ -10,6 +10,11 @@ jobs: name: Welcome runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - uses: actions/github-script@v7.0.1 with: script: | diff --git a/.github/workflows/publish-mastodon.yml b/.github/workflows/publish-mastodon.yml index 197389016..f5f839da6 100644 --- a/.github/workflows/publish-mastodon.yml +++ b/.github/workflows/publish-mastodon.yml 
@@ -20,57 +20,61 @@ jobs: runs-on: ubuntu-latest environment: production steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - - name: Checkout - uses: actions/checkout@v4.1.1 + - name: Checkout + uses: actions/checkout@v4.1.1 - - name: Current Version - if: ${{ !github.event.inputs.version-tag }} - run: | - CURRENT_VERSION="$(grep -E '__version__' xclim/__init__.py | cut -d ' ' -f3)" - echo "version=v${CURRENT_VERSION}" >> $GITHUB_ENV - - name: Set Version from Input - if: ${{ github.event.inputs.version-tag }} - run: | - echo "version=${{ github.event.inputs.version-tag }}" >> $GITHUB_ENV + - name: Current Version + if: ${{ !github.event.inputs.version-tag }} + run: | + CURRENT_VERSION="$(grep -E '__version__' xclim/__init__.py | cut -d ' ' -f3)" + echo "version=v${CURRENT_VERSION}" >> $GITHUB_ENV + - name: Set Version from Input + if: ${{ github.event.inputs.version-tag }} + run: | + echo "version=${{ github.event.inputs.version-tag }}" >> $GITHUB_ENV - - name: Get Release Description - if: ${{ !endsWith(env.current_version, '-dev') }} - id: get_release_description - run: | - # Fetch the release information using the GitHub API - RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ - "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.version }}") + - name: Get Release Description + if: ${{ !endsWith(env.current_version, '-dev') }} + id: get_release_description + run: | + # Fetch the release information using the GitHub API + RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.version }}") - # Extract the release description from the response - RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body) + # Extract the release description from the response + RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body) - 
# Remove Markdown links and the space preceding them - CLEANED_DESCRIPTION=$(echo "$RELEASE_DESCRIPTION" | sed -E 's/\ \(\[[^]]+\]\([^)]+\)\)//g') + # Remove Markdown links and the space preceding them + CLEANED_DESCRIPTION=$(echo "$RELEASE_DESCRIPTION" | sed -E 's/\ \(\[[^]]+\]\([^)]+\)\)//g') - # Extract the first line of the release description - CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1) + # Extract the first line of the release description + CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1) - echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV + echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV - - name: Prepare Message - id: render_template - uses: chuhlomin/render-template@v1.8 - with: - template: .github/publish-mastodon.template.md - vars: | - version: ${{ env.version }} + - name: Prepare Message + id: render_template + uses: chuhlomin/render-template@v1.8 + with: + template: .github/publish-mastodon.template.md + vars: | + version: ${{ env.version }} - - name: Message Preview - run: | - echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}" + - name: Message Preview + run: | + echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}" - - name: Send toot to Mastodon - if: ${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }} - uses: cbrgm/mastodon-github-action@v1.0.3 - with: - message: "${{ steps.render_template.outputs.result }}${{ env.contributors }}" - visibility: "public" - env: - MASTODON_URL: ${{ secrets.MASTODON_URL }} - MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }} + - name: Send toot to Mastodon + if: ${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }} + uses: cbrgm/mastodon-github-action@v1.0.3 + with: + message: "${{ steps.render_template.outputs.result }}${{ env.contributors }}" + visibility: "public" + env: + MASTODON_URL: ${{ secrets.MASTODON_URL }} + MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }} 
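Review bot: The `if:` on the `Send toot to Mastodon` step, `${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }}`, contains two separate expression blocks, so the value is evaluated as a string (`false || false`, which is non-empty and therefore truthy) rather than as a boolean, and a dry run still posts; a single expression, `if: ${{ github.event.inputs.dry-run != 'true' || github.event_name == 'release' }}`, restores the guard. The `Get Release Description` condition reads `env.current_version`, but the two preceding steps only ever set `version`, so the `-dev` check never fires either; it should read `if: ${{ !endsWith(env.version, '-dev') }}`. The `Message Preview` step interpolates the rendered template and the first line of the release body straight into a `run:` script; passing both through `env:` and echoing `"$MESSAGE"` keeps release-note content from being parsed as shell. These lines are only re-indented by this commit, but they are the code on the new side.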
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 4805e6567..3a80f473b 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -5,6 +5,9 @@ on: types: - published +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build-n-publish-pypi: name: Build and publish Python 🐍 distributions 📦 to PyPI @@ -14,6 +17,10 @@ jobs: id-token: write runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Set up Python3 uses: actions/setup-python@v4.7.1 diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml index d88c2fbe6..fbe586e4c 100644 --- a/.github/workflows/tag-testpypi.yml +++ b/.github/workflows/tag-testpypi.yml @@ -5,6 +5,9 @@ on: tags: - 'v*' +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build-n-publish-testpypi: name: Build and publish Python 🐍 distributions 📦 to TestPyPI @@ -14,6 +17,10 @@ jobs: id-token: write runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Set up Python3 uses: actions/setup-python@v4.7.1 diff --git a/.github/workflows/testdata_version.yml b/.github/workflows/testdata_version.yml index e5785105c..37f4a8495 100644 --- a/.github/workflows/testdata_version.yml +++ b/.github/workflows/testdata_version.yml @@ -9,6 +9,9 @@ on: paths: - .github/workflows/main.yml +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: use-latest-tag: name: Check Latest xclim-testdata Tag diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index 881d8c7c1..99dfd5f64 100644 
--- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml @@ -33,6 +33,10 @@ jobs: run: shell: bash -l {0} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 with: fetch-depth: 0 # Fetch all history for all branches and tags. From 6e545d11dba4ac5a856472d8dbd0f8f5c75c8196 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 13:19:46 -0500 Subject: [PATCH 2/6] permissions correction --- .github/workflows/codeql-analysis.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3207e86a4..e26f7942e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,10 +19,8 @@ on: schedule: - cron: '30 23 * * 5' -permissions: +permissions: # added using https://github.com/step-security/secure-repo actions: read - contents: read - security-events: write jobs: analyze: From 271fc708e66b874496051bad9acbb912a3003891 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 13:24:27 -0500 Subject: [PATCH 3/6] add-upstream permissions --- .github/workflows/upstream.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml index 99dfd5f64..3ddaeaca6 100644 --- a/.github/workflows/upstream.yml +++ b/.github/workflows/upstream.yml 
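Review bot: This correction drops `contents: read` and `security-events: write` from the top-level `permissions:` of codeql-analysis.yml, leaving only `actions: read`; the CodeQL `analyze` step uploads SARIF results, and that upload is rejected without `security-events: write` on the token, so the scheduled scan will fail unless the `analyze` job (outside this hunk) declares its own `permissions:` block. The two removed lines, `contents: read` and `security-events: write`, should come back, preferably on the `analyze` job rather than at workflow level so the write scope stays as narrow as possible. The first commit in this series already had the complete trio at workflow level.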
@@ -16,10 +16,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: upstream-dev: name: test-upstream-dev (Python${{ matrix.python-version }}) runs-on: ubuntu-latest + permissions: + contents: read + issues: write if: | (github.event_name == 'schedule') || (github.event_name == 'workflow_dispatch') || From ef68b7ce111758151152ecdf1efdedc9bbefc5de Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 13:38:23 -0500 Subject: [PATCH 4/6] add permissions and hardening for main.yml --- .github/workflows/main.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1532c39d4..bb9719474 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -26,6 +26,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} +permissions: + contents: read + pull-requests: read + jobs: lint: name: Black (Python${{ matrix.python-version }}) @@ -39,6 +43,10 @@ jobs: python-version: - "3.8" steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Set up Python${{ matrix.python-version }} uses: actions/setup-python@v4.7.1 @@ -65,6 +73,10 @@ jobs: - tox-env: "py39" # "py39-coverage" python-version: "3.9" steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Set up Python${{ matrix.python-version }} uses: actions/setup-python@v4.7.1 
@@ -109,6 +121,10 @@ jobs: python-version: "3.11" markers: -m 'not slow and not requires_internet' steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Install Eigen3 if: contains(matrix.tox-env, 'sbck') @@ -148,6 +164,10 @@ jobs: run: shell: bash -l {0} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - uses: actions/checkout@v4.1.1 - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }} uses: mamba-org/setup-micromamba@v1.6.0 @@ -202,6 +222,10 @@ jobs: runs-on: ubuntu-latest container: python:3-slim steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit - name: Coveralls Finished run: | python -m pip install --upgrade coveralls From dd93f12a59a2986ac54b069269b04c74df176c29 Mon Sep 17 00:00:00 2001 From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 13:44:14 -0500 Subject: [PATCH 5/6] give write permission to latest-tag --- .github/workflows/testdata_version.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/testdata_version.yml b/.github/workflows/testdata_version.yml index 37f4a8495..325833d74 100644 --- a/.github/workflows/testdata_version.yml +++ b/.github/workflows/testdata_version.yml @@ -16,6 +16,9 @@ jobs: use-latest-tag: name: Check Latest xclim-testdata Tag runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - uses: actions/checkout@v4.1.1 - name: Find xclim-testdata Tag and CI Testing Branch From 2657d0cd2feb60afeb809326d8c88d19bd172d33 Mon Sep 17 00:00:00 2001 
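Review bot: The Harden Runner step added to the coveralls job at `@@ -202,6 +222,10 @@` runs inside `container: python:3-slim`; harden-runner installs its monitoring agent on the runner host, and from inside a job container it is unlikely to have the access it needs, so the step is presumably either a no-op or a failure there — check that job's log on the first run. If it cannot operate in the container, drop the step from that job only and leave a comment such as `# harden-runner omitted: job runs in a container` so the gap is deliberate rather than an oversight; the other four harden-runner steps in main.yml run on plain `ubuntu-latest` and are fine.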
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com> Date: Mon, 8 Jan 2024 14:06:38 -0500 Subject: [PATCH 6/6] update CHANGES.rst --- CHANGES.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGES.rst b/CHANGES.rst index 6452c8b76..49974f805 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -28,6 +28,7 @@ Internal changes ^^^^^^^^^^^^^^^^ * The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`) * The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`). +* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`). v0.47.0 (2023-12-01) --------------------