
Commit b760f94

NAID-3331: NHS best practices for GitHub Actions (#338)
* Restrict permissions per job to ensure that only the least required permissions are granted in `build` workflow. * Use SHAs for GitHub Actions `actions` instead of versions to ensure we have control over exactly which version is being used in `build` workflow. * Change permissions for `Create Build ID Comment` to only allow `write` on pull requests.
1 parent 91850a2 commit b760f94


1 file changed

+30
-21
lines changed


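--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,4 +1,3 @@
-
 name: 111 Adaptor Build Workflow
 on:
 pull_request:
@@ -13,12 +12,14 @@ jobs:
 checkstyle:
 name: Checkstyle
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Java 21 LTS
-uses: actions/setup-java@v4
+uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 #4.7.1
 with:
 java-version: 21
 distribution: 'temurin'
@@ -35,7 +36,7 @@ jobs:
 cp -r ./service/build/reports ./artifacts
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: always()
 with:
 name: 'Checkstyle Reports'
@@ -48,12 +49,14 @@ jobs:
 spotbugs:
 name: Spotbugs
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Java 21 LTS
-uses: actions/setup-java@v4
+uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 #4.7.1
 with:
 java-version: 21
 distribution: 'temurin'
@@ -70,7 +73,7 @@ jobs:
 cp -r ./service/build/reports ./artifacts
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: always()
 with:
 name: 'Spotbugs Reports'
@@ -84,13 +87,15 @@ jobs:
 name: Unit Tests
 runs-on: ubuntu-latest
 needs: [ checkstyle, spotbugs ]
+permissions:
+contents: read
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Setup Java 21 LTS
-uses: actions/setup-java@v4
+uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 #4.7.1
 with:
 java-version: 21
 distribution: 'temurin'
@@ -106,7 +111,7 @@ jobs:
 cp -r ./service/build/reports ./artifacts
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: always()
 with:
 name: 'Unit Test Reports'
@@ -120,12 +125,14 @@ jobs:
 name: Integration Tests
 runs-on: ubuntu-latest
 needs: [ checkstyle, spotbugs ]
+permissions:
+contents: read
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Setup Java 21 LTS
-uses: actions/setup-java@v4
+uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 #4.7.1
 with:
 java-version: 21
 distribution: 'temurin'
@@ -160,7 +167,7 @@ jobs:
 cp -r ./scripts/logs ./artifacts
 
 - name: Upload Artifacts
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 if: always()
 with:
 name: 'Integration Test Reports & Docker Logs'
@@ -182,11 +189,13 @@ jobs:
 name: Generate Build ID
 runs-on: ubuntu-latest
 needs: [unit-tests, integration-tests]
+permissions:
+contents: read
 outputs:
 build-id: ${{ steps.generate.outputs.buildId }}
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - id: generate
 working-directory: ./scripts
@@ -223,10 +232,10 @@ jobs:
 if: github.actor != 'dependabot[bot]'
 steps:
 - name: Checkout Repository
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_TO_ASSUME }}
 role-session-name: 111_github_action_build_workflow
@@ -261,16 +270,16 @@ jobs:
 name: "Create Build ID Comment"
 needs: [generate-build-id]
 continue-on-error: true
-permissions: write-all
+permissions:
+pull-requests: write
 runs-on: [ ubuntu-latest ]
 steps:
 - name: Check out code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Comment PR
-uses: thollander/actions-comment-pull-request@v3
+uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
 with:
 message: |
 Images built and published to ECR using a Build Id of ${{ needs.generate-build-id.outputs.build-id }}
 comment-tag: images-built
-mode: upsert
-
+mode: upsert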
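Review bot: In the last hunk the `Create Build ID Comment` job now declares only `pull-requests: write`, which sets every unlisted scope, including `contents`, to `none`, yet the job still runs the `Check out code` step with `actions/checkout`; that clone will not be able to authenticate against a private repository, and the job's `continue-on-error: true` will hide the failure rather than surface it. Either add `contents: read` under the new `permissions:` block or remove the checkout step, since posting the comment does not appear to use the working tree. Separately, the version comments on the SHA pins are written three different ways across the hunks (`# v4.2.2`, `#4.7.1`, `#v4.6.2`); pin-update tooling generally keys on the `# vX.Y.Z` form, so `# v4.7.1` and `# v4.6.2` would keep the pins maintainable. The job in the `@@ -223,10 +232,10 @@` hunk assumes an AWS role via `aws-actions/configure-aws-credentials`, but its `permissions` block lies outside the hunk, so it cannot be confirmed here that it was narrowed to `id-token: write` plus `contents: read` like the other jobs.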
