Harden Workflow Security

.github/workflows/actions-versions-updater.yml

@@ -6,20 +6,31 @@ on:
     - cron:  '0 0 1 * *'
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/[email protected]
         with:
-          token: ${{ secrets.BUMPVERSION_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           persist-credentials: true
+
       - name: Run GitHub Actions Version Updater
         uses: saadmk11/[email protected]
         with:
-          token: ${{ secrets.BUMPVERSION_TOKEN }}
+          token: ${{ secrets.ACTIONS_VERSION_UPDATER_TOKEN }}
           committer_email: 'bumpversion[bot]@ouranos.ca'
           committer_username: 'update-github-actions[bot]'
           pull_request_title: '[bot] Update GitHub Action Versions'
           pull_request_team_reviewers: "xclim-core"
+          update_version_with: "release-commit-sha"

.github/workflows/add-to-project.yml

@@ -5,6 +5,9 @@ on:
     types:
       - opened
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   add-to-project:
     name: Add Issue to xclim Project

.github/workflows/bump-version.yml

@@ -23,11 +23,18 @@ on:
       - tox.ini
       - xclim/__init__.py
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   bump_patch_version:
     name: Bumpversion Patch
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
         with:
           persist-credentials: false

.github/workflows/cache-cleaner.yml

@@ -5,10 +5,18 @@ on:
     types:
       - closed
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/[email protected]
 

.github/workflows/codeql-analysis.yml

@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '30 23 * * 5'
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  actions: read
+
 jobs:
   analyze:
     name: Analyze
@@ -33,6 +36,10 @@ jobs:
         language:
           - 'python'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/[email protected]
       # Initializes the CodeQL tools for scanning.

.github/workflows/first_pull_request.yml

@@ -10,6 +10,11 @@ jobs:
     name: Welcome
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - uses: actions/[email protected]
         with:
           script: |

.github/workflows/main.yml

@@ -26,6 +26,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   lint:
     name: Black (Python${{ matrix.python-version }})
@@ -39,6 +43,10 @@ jobs:
         python-version:
           - "3.8"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/[email protected]
@@ -65,6 +73,10 @@ jobs:
           - tox-env: "py39"  # "py39-coverage"
             python-version: "3.9"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/[email protected]
@@ -109,6 +121,10 @@ jobs:
             python-version: "3.11"
             markers: -m 'not slow and not requires_internet'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Install Eigen3
         if: contains(matrix.tox-env, 'sbck')
@@ -148,6 +164,10 @@ jobs:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
         uses: mamba-org/[email protected]
@@ -202,6 +222,10 @@ jobs:
     runs-on: ubuntu-latest
     container: python:3-slim
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - name: Coveralls Finished
         run: |
           python -m pip install --upgrade coveralls

.github/workflows/publish-mastodon.yml

@@ -20,57 +20,61 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
 
-    - name: Checkout
-      uses: actions/[email protected]
+      - name: Checkout
+        uses: actions/[email protected]
 
-    - name: Current Version
-      if: ${{ !github.event.inputs.version-tag }}
-      run: |
-        CURRENT_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
-        echo "version=v${CURRENT_VERSION}" >> $GITHUB_ENV
-    - name: Set Version from Input
-      if: ${{ github.event.inputs.version-tag }}
-      run: |
-        echo "version=${{ github.event.inputs.version-tag }}" >> $GITHUB_ENV
+      - name: Current Version
+        if: ${{ !github.event.inputs.version-tag }}
+        run: |
+          CURRENT_VERSION="$(grep -E '__version__'  xclim/__init__.py | cut -d ' ' -f3)"
+          echo "version=v${CURRENT_VERSION}" >> $GITHUB_ENV
+      - name: Set Version from Input
+        if: ${{ github.event.inputs.version-tag }}
+        run: |
+          echo "version=${{ github.event.inputs.version-tag }}" >> $GITHUB_ENV
 
-    - name: Get Release Description
-      if: ${{ !endsWith(env.current_version, '-dev') }}
-      id: get_release_description
-      run: |
-        # Fetch the release information using the GitHub API
-        RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-          "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.version }}")
+      - name: Get Release Description
+        if: ${{ !endsWith(env.current_version, '-dev') }}
+        id: get_release_description
+        run: |
+          # Fetch the release information using the GitHub API
+          RELEASE_INFO=$(curl -sH "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ env.version }}")
 
-        # Extract the release description from the response
-        RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body)
+          # Extract the release description from the response
+          RELEASE_DESCRIPTION=$(echo "$RELEASE_INFO" | jq -r .body)
 
-        # Remove Markdown links and the space preceding them
-        CLEANED_DESCRIPTION=$(echo "$RELEASE_DESCRIPTION" | sed -E 's/\ \(\[[^]]+\]\([^)]+\)\)//g')
+          # Remove Markdown links and the space preceding them
+          CLEANED_DESCRIPTION=$(echo "$RELEASE_DESCRIPTION" | sed -E 's/\ \(\[[^]]+\]\([^)]+\)\)//g')
 
-        # Extract the first line of the release description
-        CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1)
+          # Extract the first line of the release description
+          CONTRIBUTORS=$(echo "$CLEANED_DESCRIPTION" | head -n 1)
 
-        echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV
+          echo "contributors=${CONTRIBUTORS}" >> $GITHUB_ENV
 
-    - name: Prepare Message
-      id: render_template
-      uses: chuhlomin/[email protected]
-      with:
-        template: .github/publish-mastodon.template.md
-        vars: |
-          version: ${{ env.version }}
+      - name: Prepare Message
+        id: render_template
+        uses: chuhlomin/[email protected]
+        with:
+          template: .github/publish-mastodon.template.md
+          vars: |
+            version: ${{ env.version }}
 
-    - name: Message Preview
-      run: |
-        echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
+      - name: Message Preview
+        run: |
+          echo "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
 
-    - name: Send toot to Mastodon
-      if: ${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }}
-      uses: cbrgm/[email protected]
-      with:
-        message: "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
-        visibility: "public"
-      env:
-        MASTODON_URL: ${{ secrets.MASTODON_URL }}
-        MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
+      - name: Send toot to Mastodon
+        if: ${{ github.event.inputs.dry-run != 'true' }} || ${{ github.event_name == 'release' }}
+        uses: cbrgm/[email protected]
+        with:
+          message: "${{ steps.render_template.outputs.result }}${{ env.contributors }}"
+          visibility: "public"
+        env:
+          MASTODON_URL: ${{ secrets.MASTODON_URL }}
+          MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}

.github/workflows/publish-pypi.yml

@@ -5,6 +5,9 @@ on:
     types:
       - published
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-n-publish-pypi:
     name: Build and publish Python 🐍 distributions 📦 to PyPI
@@ -14,6 +17,10 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python3
         uses: actions/[email protected]

.github/workflows/tag-testpypi.yml

@@ -5,6 +5,9 @@ on:
     tags:
       - 'v*'
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   build-n-publish-testpypi:
     name: Build and publish Python 🐍 distributions 📦 to TestPyPI
@@ -14,6 +17,10 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
       - name: Set up Python3
         uses: actions/[email protected]

.github/workflows/testdata_version.yml

@@ -9,10 +9,16 @@ on:
     paths:
       - .github/workflows/main.yml
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   use-latest-tag:
     name: Check Latest xclim-testdata Tag
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/[email protected]
       - name: Find xclim-testdata Tag and CI Testing Branch

.github/workflows/upstream.yml

@@ -16,10 +16,16 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
   upstream-dev:
     name: test-upstream-dev (Python${{ matrix.python-version }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     if: |
       (github.event_name == 'schedule') ||
       (github.event_name == 'workflow_dispatch') ||
@@ -33,6 +39,10 @@ jobs:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
       - uses: actions/[email protected]
         with:
           fetch-depth: 0 # Fetch all history for all branches and tags.

CHANGES.rst

@@ -28,6 +28,7 @@ Internal changes
 ^^^^^^^^^^^^^^^^
 * The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`)
 * The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`).
+* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`).
 
 v0.47.0 (2023-12-01)
 --------------------