From 895361e21770dc27aa8bee1601e7349d66106156 Mon Sep 17 00:00:00 2001
From: David Herman
Date: Sun, 5 May 2024 23:02:59 -0700
Subject: [PATCH] harden the use of third-party GH actions by using explicit SHAs for any unverified providers

---
 .../data/templates/ci/github/build.yml.hbs | 12 +++----
 .../data/templates/ci/github/release.yml.hbs | 6 ++--
 .../data/templates/ci/github/setup.yml.hbs | 8 ++---
 .../data/templates/ci/github/test.yml.hbs | 2 +-
 pkgs/create-neon/data/versions.json | 33 +++++++++++++------
 5 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/pkgs/create-neon/data/templates/ci/github/build.yml.hbs b/pkgs/create-neon/data/templates/ci/github/build.yml.hbs
index 50916311b..b4f686a92 100644
--- a/pkgs/create-neon/data/templates/ci/github/build.yml.hbs
+++ b/pkgs/create-neon/data/templates/ci/github/build.yml.hbs
@@ -36,7 +36,7 @@ jobs:
 matrix: {{#$}} steps.matrix.outputs.result {{/$}}
 steps:
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 with:
 ref: {{#$}} inputs.ref {{/$}}
 - name: Setup Neon Environment
@@ -49,7 +49,7 @@ jobs:
 run: echo "json=$(npx neon show ci github | jq -rc)" | tee -a $GITHUB_OUTPUT
 - name: Compute Matrix
 id: matrix
- uses: actions/github-script@{{versions.actions.githubScript}}
+ uses: actions/github-script@{{versions.actions.verified.githubScript}}
 with:
 script: |
 const platforms = {{#$}} steps.matrixData.outputs.json {{/$}};
@@ -75,7 +75,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 with:
 ref: {{#$}} inputs.ref {{/$}}
 - name: Setup Neon Environment
@@ -105,7 +105,7 @@ jobs:
 echo filename=$(basename $(npm pack ./platforms/{{#$}} matrix.cfg.platform {{/$}} --silent --pack-destination=./dist --json | jq -r '.[0].filename')) | tee -a $GITHUB_OUTPUT
 - name: Release
 if: {{#$}} inputs.github-release {{/$}}
- uses: softprops/action-gh-release@{{versions.actions.ghRelease}}
+ uses: softprops/action-gh-release@{{versions.actions.unverified.ghRelease.sha}} # {{versions.actions.unverified.ghRelease.tag}}
 with:
 files: ./dist/{{#$}} steps.pack.outputs.filename {{/$}}
 tag_name: {{#$}} inputs.tag {{/$}}
@@ -116,7 +116,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 with:
 ref: {{#$}} inputs.ref {{/$}}
 - name: Setup Neon Environment
@@ -131,7 +131,7 @@ jobs:
 echo "filename=$(npm pack --silent --pack-destination=./dist)" | tee -a $GITHUB_OUTPUT
 - name: Release
 if: {{#$}} inputs.github-release {{/$}}
- uses: softprops/action-gh-release@{{versions.actions.ghRelease}}
+ uses: softprops/action-gh-release@{{versions.actions.unverified.ghRelease.sha}} # {{versions.actions.unverified.ghRelease.tag}}
 with:
 files: ./dist/{{#$}} steps.pack.outputs.filename {{/$}}
 tag_name: {{#$}} inputs.tag {{/$}}
diff --git a/pkgs/create-neon/data/templates/ci/github/release.yml.hbs b/pkgs/create-neon/data/templates/ci/github/release.yml.hbs
index 603cc60ab..6d6c7c32f 100644
--- a/pkgs/create-neon/data/templates/ci/github/release.yml.hbs
+++ b/pkgs/create-neon/data/templates/ci/github/release.yml.hbs
@@ -74,7 +74,7 @@ jobs:
 fi
 echo publish=true | tee -a $GITHUB_OUTPUT
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 - name: Setup Neon Environment
 uses: ./.github/actions/setup
 with:
@@ -112,7 +112,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 with:
 ref: {{#$}} needs.setup.outputs.ref {{/$}}
 - name: Setup Neon Environment
@@ -120,7 +120,7 @@ jobs:
 with:
 use-rust: false
 - name: Fetch
- uses: robinraju/release-downloader@{{versions.actions.releaseDownloader}}
+ uses: robinraju/release-downloader@{{versions.actions.unverified.releaseDownloader.sha}} # {{versions.actions.unverified.releaseDownloader.tag}}
 with:
 tag: {{#$}} needs.setup.outputs.tag {{/$}}
 fileName: "*.tgz"
diff --git a/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs b/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs
index 3f8ccced0..b03f6dcff 100644
--- a/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs
+++ b/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs
@@ -31,13 +31,13 @@ runs:
 using: "composite"
 steps:
 - name: Set Environment Variables
- uses: falti/dotenv-action@{{versions.actions.dotenv}}
+ uses: falti/dotenv-action@{{versions.actions.unverified.dotenv.sha}} # {{versions.actions.unverified.dotenv.tag}}
 with:
 path: ./.github/.env
 export-variables: true
 keys-case: bypass
 - name: Install Node
- uses: actions/setup-node@{{versions.actions.setupNode}}
+ uses: actions/setup-node@{{versions.actions.verified.setupNode}}
 with:
 node-version: {{#$}} env.NODE_VERSION {{/$}}
 registry-url: {{#$}} env.NPM_REGISTRY {{/$}}
@@ -53,14 +53,14 @@ runs:
 working-directory: {{#$}} inputs.workspace {{/$}}
 - name: Install Rust
 if: {{#$}} inputs['use-rust'] == 'true' {{/$}}
- uses: actions-rs/toolchain@{{versions.actions.setupRust}}
+ uses: actions-rs/toolchain@{{versions.actions.verified.setupRust}}
 with:
 toolchain: {{#$}} env.RUST_VERSION {{/$}}
 target: {{#$}} steps.target.outputs.target {{/$}}
 override: true
 - name: Install cross-rs
 if: {{#$}} inputs['use-cross'] == 'true' {{/$}}
- uses: baptiste0928/cargo-install@{{versions.actions.cargoInstall}}
+ uses: baptiste0928/cargo-install@{{versions.actions.verified.cargoInstall}}
 with:
 crate: cross
 - name: Node Version
diff --git a/pkgs/create-neon/data/templates/ci/github/test.yml.hbs b/pkgs/create-neon/data/templates/ci/github/test.yml.hbs
index 8abb7043b..ff2d76695 100644
--- a/pkgs/create-neon/data/templates/ci/github/test.yml.hbs
+++ b/pkgs/create-neon/data/templates/ci/github/test.yml.hbs
@@ -54,7 +54,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@{{versions.actions.checkout}}
+ uses: actions/checkout@{{versions.actions.verified.checkout}}
 - name: Setup Neon Environment
 id: neon
 uses: ./.github/actions/setup
diff --git a/pkgs/create-neon/data/versions.json b/pkgs/create-neon/data/versions.json
index 222aa3d4a..1d3b37a1b 100644
--- a/pkgs/create-neon/data/versions.json
+++ b/pkgs/create-neon/data/versions.json
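Review bot: `actions-rs/toolchain` and `baptiste0928/cargo-install` stay in the `verified` group and so are still resolved through the moving tags `v1` and `v2`, even though neither lives in the GitHub-owned `actions/` org; a publisher (or anyone who obtains their credentials) can re-point such a tag, which is exactly the risk this commit closes for the `unverified` group. If "verified" here means the Marketplace verified-creator badge, that attests to who the publisher is, not to the immutability of their tags, so I would move these two to the `tag`/`sha` form used by the other third-party steps, e.g. `uses: actions-rs/toolchain@{{versions.actions.unverified.setupRust.sha}} # {{versions.actions.unverified.setupRust.tag}}`. As far as I know the actions-rs org has been unmaintained for some time, which makes a commit pin the safer choice there regardless of classification. The `runs.steps` sequence continues past this hunk on both sides.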
@@ -11,15 +11,28 @@
 },
 "node": "20",
 "actions": {
- "checkout": "v3",
- "githubScript": "v7",
- "setupNode": "v3",
- "setupRust": "v1",
- "cargoInstall": "v2",
- "neonBuild": "v0.9",
- "neonPublish": "v0.4.1",
- "dotenv": "v1",
- "ghRelease": "v1",
- "releaseDownloader": "v1.7"
+ "verified": {
+ "checkout": "v3",
+ "githubScript": "v7",
+ "setupNode": "v3",
+ "setupRust": "v1",
+ "cargoInstall": "v2",
+ "neonBuild": "v0.9",
+ "neonPublish": "v0.4.1"
+ },
+ "unverified": {
+ "dotenv": {
+ "tag": "v1.1.2",
+ "sha": "d1cd55661714e830a6e26f608f81d36e23424fed"
+ },
+ "ghRelease": {
+ "tag": "v2.0.4",
+ "sha": "9d7c94cfd0a1f3ed45544c887983e9fa900f0564"
+ },
+ "releaseDownloader": {
+ "tag": "v1.10",
+ "sha": "c39a3b234af58f0cf85888573d361fb6fa281534"
+ }
+ }
 }
 }
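Review bot: The `tag` and `sha` fields of each `unverified` entry are two unrelated strings, and the templates render their `# …tag` comment from `tag` alone, so bumping one field without the other leaves a generated workflow pinned to a commit that no longer matches the version it advertises next to it. JSON cannot carry a comment recording where each SHA was taken from, so I would add a small check in this package (a test or a CI step) that resolves each `tag` to its commit and fails when it differs from `sha`, and state in the package docs that the two fields must always be updated together. It is also not visible from this file what `verified` means (GitHub-owned publisher, Marketplace badge, or something else); a one-line definition in the docs would help whoever adds the next action decide which group it belongs in.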