pin actions and reduce unnecessary perms & creds

Signed-off-by: Bob Callaway <[email protected]>
transparency-dev · Dec 12, 2024 · 7b8294c · 7b8294c
1 parent 6faae37
commit 7b8294c
Show file tree

Hide file tree

Showing 11 changed files with 47 additions and 27 deletions.
diff --git a/.github/workflows/aws_integration_test.yml b/.github/workflows/aws_integration_test.yml
@@ -31,7 +31,7 @@ jobs:
     steps:
       ## Authenticate to AWS with the credentials stored in Github Secrets.
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           # TODO(phboneff): use a better form of authentication
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -40,11 +40,13 @@ jobs:
 
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       ## Authenticate with ECR to push the conformance and hammer images.
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 
       ## Build the conformance image and push it to ECR. This will be used
       ## later on by Terragrunt.
@@ -76,7 +78,7 @@ jobs:
       ## This might happen if a previous integration test workflow has failed.
       - name: Terragrunt destroy pre conformance test
         id: terragrunt-destroy-pre
-        uses: gruntwork-io/terragrunt-action@v2
+        uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
         with:
           tf_version: ${{ env.TF_VERSION }}
           tg_version: ${{ env.TG_VERSION }}
@@ -111,7 +113,7 @@ jobs:
       #  consider keeping it around between tests / using Aurora Serveless
       - name: Terragrunt apply
         id: terragrunt-apply
-        uses: gruntwork-io/terragrunt-action@v2
+        uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
         with:
           tf_version: ${{ env.TF_VERSION }}
           tg_version: ${{ env.TG_VERSION }}
@@ -146,7 +148,7 @@ jobs:
 
       - name: Terragrunt destroy post conformance test
         id: terragrunt-destroy-post
-        uses: gruntwork-io/terragrunt-action@v2
+        uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
         with:
           tf_version: ${{ env.TF_VERSION }}
           tg_version: ${{ env.TG_VERSION }}

diff --git a/.github/workflows/benchmark-go-main.yml b/.github/workflows/benchmark-go-main.yml
@@ -5,19 +5,21 @@ on:
     branches:
       - main
 
-permissions:
-  # deployments permission to deploy GitHub pages website
-  deployments: write
-  # contents permission to update benchmark contents in gh-pages branch
-  contents: write
-
 jobs:
   benchmark:
     name: Performance regression check
     runs-on: ubuntu-latest
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
+
     steps:
       - name: Fetch Repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0

diff --git a/.github/workflows/benchmark-go-pr.yml b/.github/workflows/benchmark-go-pr.yml
@@ -5,17 +5,19 @@ on:
     branches:
       - main
 
-permissions:
-  # allow posting comments to pull request
-  pull-requests: write
-
 jobs:
   benchmark:
     name: Performance regression check
     runs-on: ubuntu-latest
+    permissions:
+      # allow posting comments to pull request
+      pull-requests: write
+
     steps:
       - name: Fetch Repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -12,6 +12,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start Tessera
         run: docker compose -f ./cmd/conformance/mysql/docker/compose.yaml up --build --detach
       - name: Run benchmark
@@ -26,6 +28,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start Tessera
         run: docker compose -f ./cmd/conformance/posix/docker/compose.yaml up --build --detach
       - name: Run benchmark

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -19,9 +19,6 @@ on:
   schedule:
     - cron: '15 10 * * 1'
 
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -59,6 +56,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

diff --git a/.github/workflows/generated_files.yml b/.github/workflows/generated_files.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Check out the repository to the runner
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Regenerate the log test data
         run: ./testdata/build_log.sh
       - name: Confirm there are no diffs

diff --git a/.github/workflows/go_test.yml b/.github/workflows/go_test.yml
@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Fetch repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
@@ -36,6 +38,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start MySQL
         run: |
           sudo /etc/init.d/mysql start
@@ -54,6 +58,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start MySQL
         run: |
           sudo /etc/init.d/mysql start

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Fetch repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install Go
         uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
         with:

diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
@@ -12,6 +12,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start Docker services (tessera-conformance-mysql-db and tessera-conformance-mysql)
         run: docker compose -f ./cmd/conformance/mysql/docker/compose.yaml up --build --detach
       - name: Run integration test 
@@ -26,6 +28,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Start Docker services (tessera-conformance-posix)
         run: docker compose -f ./cmd/conformance/posix/docker/compose.yaml up --build --detach
       - name: Run integration test 

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -14,9 +14,6 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis
@@ -26,9 +23,8 @@ jobs:
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
+      # Needed to check out code
+      contents: read
 
     steps:
       - name: "Checkout code"

diff --git a/.github/workflows/terragrunt_test.yml b/.github/workflows/terragrunt_test.yml
@@ -2,19 +2,20 @@ name: 'Terragrunt format check'
 on:
   - pull_request
 
-# Declare default permissions as read only.
-permissions: read-all
-
 env:
   tf_version: '1.5.7'
   tg_version: '0.55.1'
 
 jobs:
   checks:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: 'Checkout'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Check terragrunt HCL
         uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2