Workflow Hardening - Step 2 #1578

Merged
merged 17 commits into from
Jan 10, 2024
Conversation

Zeitsperre
Collaborator

@Zeitsperre Zeitsperre commented Jan 8, 2024

Pull Request Checklist:

  • This PR addresses an already opened issue (for bug fixes / features)
  • Tests for the changes have been added (for bug fixes / features)
    • (If applicable) Documentation has been added / updated (for bug fixes / features)
  • CHANGES.rst has been updated (with summary of main changes)
    • Link to issue (:issue:number) and pull request (:pull:number) has been added

What kind of change does this PR introduce?

  • This updates audited workflows to restrict the URLs that they can pull from
  • gitleaks has been added as a pre-commit hook (prevents accidental committing of secrets)
  • Some permissions adjustments have been made

Does this PR introduce a breaking change?

No.

Other information:

https://github.com/gitleaks/gitleaks
https://securityscorecards.dev/viewer/?uri=github.com%2FOuranosinc%2Fxclim
https://github.com/step-security/harden-runner
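A sketch of the three hardening pieces the description lists, added here as an illustration and not taken from the xclim repository: a harden-runner step with an egress allow-list, a read-only top-level permissions block, and a gitleaks pre-commit hook. The workflow name, the endpoint list and the `vX.Y.Z` revision are assumptions.

```yaml
# .github/workflows/hardened-ci.yml  (hypothetical workflow name)
name: hardened-ci
on: [pull_request]

# Least privilege: the default GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Runs first so that the outbound traffic of every later step is policed.
      # Pin to a full commit SHA in a real workflow; "v2" is used here for readability.
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block          # deny outbound traffic not listed below
          allowed-endpoints: >          # assumed allow-list for a Python project
            api.github.com:443
            github.com:443
            files.pythonhosted.org:443
            pypi.org:443
      - uses: actions/checkout@v4
      - run: pip install . && pytest

---
# .pre-commit-config.yaml: gitleaks scans staged changes for secrets before each commit.
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z   # placeholder: pin to a released gitleaks tag
    hooks:
      - id: gitleaks
```

With `egress-policy: audit` instead of `block`, the step only reports outbound connections, which is the usual way to derive an allow-list before enforcing it.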

@Zeitsperre Zeitsperre added the standards / conventions Suggestions on ways forward label Jan 8, 2024
@Zeitsperre Zeitsperre requested a review from a team January 8, 2024 20:55
@Zeitsperre Zeitsperre self-assigned this Jan 8, 2024
@github-actions github-actions bot added the CI Automation and Contiunous Integration label Jan 8, 2024

github-actions bot commented Jan 8, 2024

Note
It appears that this Pull Request modifies the main.yml workflow.

On inspection, the XCLIM_TESTDATA_BRANCH environment variable is set to the most recent tag (v2023.12.14).

No further action is required.

Collaborator

@aulemahal aulemahal left a comment

Looks good for what I know

@github-actions github-actions bot added the approved Approved for additional tests label Jan 10, 2024
@Zeitsperre Zeitsperre merged commit fc178bc into master Jan 10, 2024
16 of 17 checks passed
@Zeitsperre Zeitsperre deleted the hardening-v2 branch January 10, 2024 20:59