diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c5522973..e7b394d2 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,3 +17,13 @@ updates:
 schedule:
 # Check for updates to GitHub Actions every weekday
 interval: "weekly"
+
+ - package-ecosystem: bundler
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/MetricsActions.yml b/.github/workflows/MetricsActions.yml
index ffacc747..44afc078 100644
--- a/.github/workflows/MetricsActions.yml
+++ b/.github/workflows/MetricsActions.yml
@@ -6,6 +6,9 @@ on:
 # Lines below let you run workflow manually and on each commit
 workflow_dispatch:
 push: {branches: ["main", "_staging", "master"]}
+permissions:
+ contents: read
+
 jobs:
 github-metrics:
 runs-on: ubuntu-latest
@@ -14,7 +17,12 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: lowlighter/metrics@latest
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: lowlighter/metrics@65836723097537a54cd8eb90f61839426b4266b6 # latest
 with:
 token: ${{ secrets.METRICS_TOKEN }}
 output: RalphHightowerMetrics.svg
diff --git a/.github/workflows/NewYearUpdateCopyright.yml b/.github/workflows/NewYearUpdateCopyright.yml
index e414230d..a40d800f 100644
--- a/.github/workflows/NewYearUpdateCopyright.yml
+++ b/.github/workflows/NewYearUpdateCopyright.yml
@@ -12,6 +12,11 @@ jobs:
 permissions:
 issues: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Happy New Year!
 run: |
 new_issue_url=$(gh issue create \
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index b68ea219..24ce0803 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
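Review bot: The two new Dependabot entries write `interval: daily` unquoted while the existing GitHub Actions entry two lines above writes `interval: "weekly"`; pick one quoting style for the file, e.g. `interval: "daily"`. The new entries also carry no comment, unlike the existing one, so a one-line note such as `# Check for gem and npm updates every day` above each would keep the file's documentation consistent. The `updates:` sequence starts before this hunk.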
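Review bot: The trailing comment on the lowlighter/metrics pin reads `# latest`, which names a moving tag rather than the release that commit `65836723…` corresponds to, so neither a reader nor a tool that updates SHA pins by their version comment can tell which version is pinned or whether it is stale. Replace it with the release tag that SHA resolves to, e.g. `uses: lowlighter/metrics@65836723097537a54cd8eb90f61839426b4266b6 # <release tag>`, matching the `# v2.11.0` style on the harden-runner line just above. Note that the job-level `permissions: contents: write` shown as context overrides the workflow-level `contents: read` added in the previous hunk, so that addition does not narrow this job.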
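Review bot: The harden-runner step added to NewYearUpdateCopyright.yml uses the mutable tag `@v2`, whereas every other workflow in this commit pins the same action to `4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`; a tag can be moved to different code, which undoes the pinning discipline the rest of the change introduces. Change it to `uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`. The `Happy New Year!` step's `run:` block continues past the end of the hunk.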
@@ -19,10 +19,15 @@ jobs:
 env:
 JEKYLL_VERSION: ${{ matrix.jekyll }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Repository
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set Up Ruby 3.3.6
- uses: ruby/setup-ruby@v1.226.0
+ uses: ruby/setup-ruby@922ebc4c5262cd14e07bb0e1db020984b6c064fe # v1.226.0
 with:
 ruby-version: 3.3.6
 bundler-cache: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4275912c..196686e0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,12 +40,17 @@ jobs:
 # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/autobuild@v3.28.11
+ uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
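Review bot: In codeql.yml the step named `Initialize CodeQL` calls `github/codeql-action/autobuild` and passes it `languages: ${{ matrix.language }}`, but `languages` is an input of the `init` action, and without an `init` step the later `Autobuild` and `Perform CodeQL Analysis` steps have no CodeQL database to work on; this is pre-existing on the old side and the re-pin preserves it. Unless the workflow is known to run green as-is, change the line to `uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11`, the same commit the other codeql-action references in this change use. The step's `with:` block continues past the end of the hunk.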
@@ -55,7 +60,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3.28.11
+ uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -68,6 +73,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3.28.11
+ uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 287f5838..e4727a72 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,7 +16,12 @@ jobs:
 dependency-review:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: 'Checkout Repository'
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@v4.5.0
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
index 9136513c..e620489c 100644
--- a/.github/workflows/jekyll.yml
+++ b/.github/workflows/jekyll.yml
@@ -31,17 +31,22 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Ruby
- uses: ruby/setup-ruby@v1.226.0
+ uses: ruby/setup-ruby@922ebc4c5262cd14e07bb0e1db020984b6c064fe # v1.226.0
 with:
 ruby-version: '3.3.6' # Not needed with a .ruby-version file
 bundler-cache: true # runs 'bundle install' and caches installed gems automatically
 cache-version: 1 # Increment this number if you need to re-download cached gems
 - name: Setup Pages
 id: pages
- uses: actions/configure-pages@v5.0.0
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 - name: Build with Jekyll
 # Outputs to the './_site' directory by default
 run: bundle exec jekyll build --trace --incremental --baseurl "${{ steps.pages.outputs.base_path }}"
@@ -51,7 +56,7 @@ jobs:
 LOG_LEVEL: debug
 - name: Upload artifact
 # Automatically uploads an artifact from the './_site' directory by default
- uses: actions/upload-pages-artifact@v3.0.1
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 # Deployment job
 deploy:
@@ -61,6 +66,11 @@ jobs:
 runs-on: ubuntu-latest
 needs: build
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4.0.5
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/permission_advisor.yml b/.github/workflows/permission_advisor.yml
index 79ee96a2..94319471 100644
--- a/.github/workflows/permission_advisor.yml
+++ b/.github/workflows/permission_advisor.yml
@@ -21,7 +21,12 @@ jobs:
 advisor:
 runs-on: ubuntu-latest
 steps:
- - uses: GitHubSecurityLab/actions-permissions/advisor@v1.0.2-beta5
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: GitHubSecurityLab/actions-permissions/advisor@babd69bc8d78e6cdece903dfdcfb72d4e1a4f00d # v1.0.2-beta5
 with:
 name: ${{ inputs.name }}
 count: ${{ inputs.count }}
diff --git a/.github/workflows/readme-checker.yml b/.github/workflows/readme-checker.yml
index 91883877..6e27108c 100644
--- a/.github/workflows/readme-checker.yml
+++ b/.github/workflows/readme-checker.yml
@@ -8,10 +8,15 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Checking markdown
- uses: DavidAnson/markdownlint-cli2-action@v19.1.0
+ uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265 # v19.1.0
 with:
 globs: |
 *.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d41d7f4..3ac02451 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,8 +18,13 @@ jobs:
 name: release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4.2.2
- - uses: actions/setup-node@v4.3.0
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
 with:
 cache: npm
 node-version: lts/*
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 204e51af..86b5b415 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -14,23 +14,28 @@ jobs:
 security-events: write
 id-token: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Checkout code
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
 - name: Run analysis
- uses: ossf/scorecard-action@v2.4.1
+ uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
 with:
 results_file: results.sarif
 results_format: sarif
 publish_results: true
 - name: Upload artifact
- uses: actions/upload-artifact@v4.6.1
+ uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
 with:
 name: SARIF file
 path: results.sarif
 retention-days: 5
 - name: Upload to code-scanning
- uses: github/codeql-action/upload-sarif@v3.28.11
+ uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 with:
 sarif_file: results.sarif
\ No newline at end of file
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
index ed6d75c7..e128ef02 100644
--- a/.github/workflows/semantic-release.yml
+++ b/.github/workflows/semantic-release.yml
@@ -40,8 +40,13 @@ jobs:
 main:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: semantic release
- uses: amannn/action-semantic-pull-request@v5.5.3
+ uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
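Review bot: In semantic-release.yml the step name `semantic release` labels `amannn/action-semantic-pull-request`, which checks pull-request titles against a conventional-commit format rather than performing a semantic-release publish, so a reader scanning the job log or the file name will expect a release step that does not exist here. Renaming it, e.g. `- name: Validate PR title`, would make the log output and the file self-describing. The step's `with:` block continues past the end of the hunk.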
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 570dced1..5a8e5f74 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -38,11 +38,11 @@ jobs:
 with:
 egress-policy: audit
- - uses: actions/checkout@v4.2.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: git config --global user.name github-actions
 - run: git config --global user.email github-actions@github.com
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4.3.0
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: npm
@@ -56,12 +56,17 @@ jobs:
 timeout-minutes: 5
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: Test
- - uses: actions/checkout@v4.2.2
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - run: git config --global user.name github-actions
 - run: git config --global user.email github-actions@github.com
 - name: Use Node.js from .nvmrc
- uses: actions/setup-node@v4.3.0
+ uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
 with:
 node-version-file: .nvmrc
 cache: npm
@@ -78,6 +83,11 @@ jobs:
 - test_matrix
 if: ${{ !cancelled() }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: All matrix versions passed
 if: ${{ !(contains(needs.*.result, 'failure')) }}
 run: exit 0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..a678a4a3
--- /dev/null
+++ b/.pre-commit-config.yaml
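Review bot: In the second test.yml hunk the context line `- name: Test` directly above the re-pinned checkout is a step item with neither `uses` nor `run`, so GitHub's workflow validator will most likely reject the job, since a step must define one of the two; this is pre-existing and the re-pin leaves it in place. Either drop that line or fold it into the checkout step as one list item, `- name: Test` followed by `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The first hunk in the same file shows the identical checkout sequence without the stray name, which suggests it is a leftover. The job's definition starts before the hunk.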
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: RuboCop
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
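Review bot: The three `rev:` values in the new .pre-commit-config.yaml are tags (`v8.16.3`, `3.0.0`, `v4.4.0`), whereas the rest of this commit pins every GitHub Action to a full commit SHA; pre-commit accepts a full SHA in `rev:` too, so `rev: <commit sha>  # v8.16.3` with the tag kept as a comment would give the hook repos the same immutability. Also verify the hook id `RuboCop` against the upstream repo's `.pre-commit-hooks.yaml`: pre-commit matches ids exactly, and as far as I recall the jumanjihouse ids are lower-case (`rubocop`), in which case `pre-commit run` would stop with an unknown-hook error. The `repos:` list is written flush-left while the nested `hooks:` lists are indented; pick one sequence style for the file.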