From 7b8294c98b735a9b80281b0508aba91bf439f989 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Thu, 12 Dec 2024 10:36:38 -0500
Subject: [PATCH] pin actions and reduce unnecessary perms & creds
Signed-off-by: Bob Callaway
---
 .github/workflows/aws_integration_test.yml | 12 +++++++-----
 .github/workflows/benchmark-go-main.yml | 14 ++++++++------
 .github/workflows/benchmark-go-pr.yml | 10 ++++++----
 .github/workflows/benchmark.yml | 4 ++++
 .github/workflows/codeql.yml | 5 ++---
 .github/workflows/generated_files.yml | 2 ++
 .github/workflows/go_test.yml | 6 ++++++
 .github/workflows/golangci-lint.yml | 2 ++
 .github/workflows/integration_test.yml | 4 ++++
 .github/workflows/scorecard.yml | 8 ++------
 .github/workflows/terragrunt_test.yml | 7 ++++---
 11 files changed, 47 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/aws_integration_test.yml b/.github/workflows/aws_integration_test.yml
index e8e5acb2..cdd1c02f 100644
--- a/.github/workflows/aws_integration_test.yml
+++ b/.github/workflows/aws_integration_test.yml
@@ -31,7 +31,7 @@ jobs:
 steps:
 ## Authenticate to AWS with the credentials stored in Github Secrets.
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
 # TODO(phboneff): use a better form of authentication
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -40,11 +40,13 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 ## Authenticate with ECR to push the conformance and hammer images.
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v2
+ uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 ## Build the conformance image and push it to ECR. This will be used
 ## later on by Terragrunt.
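Review bot: The pinned `configure-aws-credentials` step still authenticates with the long-lived `AWS_ACCESS_KEY_ID` secret, so the commit's stated goal of reducing credentials does not reach this workflow; the existing TODO is the right place to record what the replacement should be. Suggest making the comment concrete: `# TODO(phboneff): replace static keys with OIDC (role-to-assume + aws-region) and grant the job id-token: write`. Only the first `with:` inputs of the step are in the hunk; the rest of the step and the enclosing job's header are outside it.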
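Review bot: In the `@@ -40,11` hunk the `persist-credentials: false` addition is the only hardening applied to this job, which, as far as the hunk shows, declares no job-level `permissions:` even though the same commit moves benchmark-go-main, benchmark-go-pr and terragrunt_test to explicit job-level grants. If nothing outside the hunk sets permissions, the job runs with the repository's default `GITHUB_TOKEN` scope while checkout only needs read access; adding `permissions:` / `  contents: read` at the job level would make that explicit. The same observation applies to the checkout-only hunks in benchmark.yml, generated_files.yml, go_test.yml, golangci-lint.yml and integration_test.yml. The enclosing job starts before this hunk.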
@@ -76,7 +78,7 @@ jobs:
 ## This might happen if a previous integration test workflow has failed.
 - name: Terragrunt destroy pre conformance test
 id: terragrunt-destroy-pre
- uses: gruntwork-io/terragrunt-action@v2
+ uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
 with:
 tf_version: ${{ env.TF_VERSION }}
 tg_version: ${{ env.TG_VERSION }}
@@ -111,7 +113,7 @@ jobs:
 # consider keeping it around between tests / using Aurora Serveless
 - name: Terragrunt apply
 id: terragrunt-apply
- uses: gruntwork-io/terragrunt-action@v2
+ uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
 with:
 tf_version: ${{ env.TF_VERSION }}
 tg_version: ${{ env.TG_VERSION }}
@@ -146,7 +148,7 @@ jobs:
 - name: Terragrunt destroy post conformance test
 id: terragrunt-destroy-post
- uses: gruntwork-io/terragrunt-action@v2
+ uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2.1.4
 with:
 tf_version: ${{ env.TF_VERSION }}
 tg_version: ${{ env.TG_VERSION }}
diff --git a/.github/workflows/benchmark-go-main.yml b/.github/workflows/benchmark-go-main.yml
index 4e25465d..5cefab5b 100644
--- a/.github/workflows/benchmark-go-main.yml
+++ b/.github/workflows/benchmark-go-main.yml
@@ -5,19 +5,21 @@ on:
 branches:
 - main
-permissions:
- # deployments permission to deploy GitHub pages website
- deployments: write
- # contents permission to update benchmark contents in gh-pages branch
- contents: write
-
 jobs:
 benchmark:
 name: Performance regression check
 runs-on: ubuntu-latest
+ permissions:
+ # deployments permission to deploy GitHub pages website
+ deployments: write
+ # contents permission to update benchmark contents in gh-pages branch
+ contents: write
+
 steps:
 - name: Fetch Repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
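Review bot: In the benchmark-go-main.yml hunk, `persist-credentials: false` on the checkout means the later step that pushes results to the gh-pages branch can no longer rely on the token checkout used to store in the git config, so that step must be handed `GITHUB_TOKEN` explicitly through the publishing action's token input; that step is outside the hunk, so confirm it does. The move of `deployments: write` / `contents: write` to the `benchmark` job is the right scope reduction, and the carried-over comments explaining each grant should stay. The same check applies to the comment-posting step behind `pull-requests: write` in benchmark-go-pr.yml.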
diff --git a/.github/workflows/benchmark-go-pr.yml b/.github/workflows/benchmark-go-pr.yml
index e156e2d2..4baf454e 100644
--- a/.github/workflows/benchmark-go-pr.yml
+++ b/.github/workflows/benchmark-go-pr.yml
@@ -5,17 +5,19 @@ on:
 branches:
 - main
-permissions:
- # allow posting comments to pull request
- pull-requests: write
-
 jobs:
 benchmark:
 name: Performance regression check
 runs-on: ubuntu-latest
+ permissions:
+ # allow posting comments to pull request
+ pull-requests: write
+
 steps:
 - name: Fetch Repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index ac5aff20..c96f4971 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start Tessera
 run: docker compose -f ./cmd/conformance/mysql/docker/compose.yaml up --build --detach
 - name: Run benchmark
@@ -26,6 +28,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start Tessera
 run: docker compose -f ./cmd/conformance/posix/docker/compose.yaml up --build --detach
 - name: Run benchmark
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 594de57c..400744bd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,9 +19,6 @@ on:
 schedule:
 - cron: '15 10 * * 1'
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
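Review bot: Dropping the workflow-level `permissions: read-all` from codeql.yml leaves every job in that file on the repository's default `GITHUB_TOKEN` permissions unless the job declares its own block, and the `analyze` job's `permissions:` (if it has one) is outside this hunk. Confirm it exists and grants what CodeQL needs (`security-events: write` plus `contents: read`), or keep a workflow-level `permissions:` / `  contents: read` as the fallback so an undeclared job cannot silently inherit a wider default. The same removal in scorecard.yml and terragrunt_test.yml is covered by the job-level blocks those files keep or gain in this commit.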
@@ -59,6 +56,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/generated_files.yml b/.github/workflows/generated_files.yml
index 8bdb66aa..487e2138 100644
--- a/.github/workflows/generated_files.yml
+++ b/.github/workflows/generated_files.yml
@@ -18,6 +18,8 @@ jobs:
 steps:
 - name: Check out the repository to the runner
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Regenerate the log test data
 run: ./testdata/build_log.sh
 - name: Confirm there are no diffs
diff --git a/.github/workflows/go_test.yml b/.github/workflows/go_test.yml
index 3cd4a6e8..479a7cb8 100644
--- a/.github/workflows/go_test.yml
+++ b/.github/workflows/go_test.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Fetch repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
@@ -36,6 +38,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start MySQL
 run: |
 sudo /etc/init.d/mysql start
@@ -54,6 +58,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start MySQL
 run: |
 sudo /etc/init.d/mysql start
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index a825e77c..7f5bee42 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - name: Fetch repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Install Go
 uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.1.0
 with:
diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml
index 1152b228..eae7e8e3 100644
--- a/.github/workflows/integration_test.yml
+++ b/.github/workflows/integration_test.yml
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start Docker services (tessera-conformance-mysql-db and tessera-conformance-mysql)
 run: docker compose -f ./cmd/conformance/mysql/docker/compose.yaml up --build --detach
 - name: Run integration test
@@ -26,6 +28,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Start Docker services (tessera-conformance-posix)
 run: docker compose -f ./cmd/conformance/posix/docker/compose.yaml up --build --detach
 - name: Run integration test
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 588efe6a..cbdf698d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,9 +14,6 @@ on:
 push:
 branches: [ "main" ]
-# Declare default permissions as read only.
-permissions: read-all
-
 jobs:
 analysis:
 name: Scorecard analysis
@@ -26,9 +23,8 @@ jobs:
 security-events: write
 # Needed to publish results and get a badge (see publish_results below).
 id-token: write
- # Uncomment the permissions below if installing in a private repository.
- # contents: read
- # actions: read
+ # Needed to check out code
+ contents: read
 steps:
 - name: "Checkout code"
diff --git a/.github/workflows/terragrunt_test.yml b/.github/workflows/terragrunt_test.yml
index 0c4aed41..a231459e 100644
--- a/.github/workflows/terragrunt_test.yml
+++ b/.github/workflows/terragrunt_test.yml
@@ -2,9 +2,6 @@ name: 'Terragrunt format check'
 on:
 - pull_request
-# Declare default permissions as read only.
-permissions: read-all
-
 env:
 tf_version: '1.5.7'
 tg_version: '0.55.1'
@@ -12,9 +9,13 @@ env:
 jobs:
 checks:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: 'Checkout'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Check terragrunt HCL
 uses: gruntwork-io/terragrunt-action@cf355638dbd066b6a70eb01f31ad9293870a0e34 # v2