diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml deleted file mode 100644 index de72ea3ffa..0000000000 --- a/.github/workflows/actions.yml +++ /dev/null @@ -1,57 +0,0 @@ -name: Lint GitHub Actions - -on: - push: - paths: - - '.github/workflows/*.ya?ml' - branches: - - main - pull_request: - paths: - - '.github/workflows/*.ya?ml' - -concurrency: - group: "actionlint-${{ github.ref }}" - cancel-in-progress: ${{ github.event_name == 'pull_request' }} - -permissions: {} - -jobs: - lint: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: - persist-credentials: false - - - name: lint wit zizmor - run: | - pipx install zizmor - zizmor --gh-token ${{ secrets.GITHUB_TOKEN }} --format sarif . > results.sarif || true - - - name: Upload SARIF file - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: results.sarif - path: results.sarif - - upload: - needs: lint - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Download SARIF file - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 - with: - name: results.sarif - path: results.sarif - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 - with: - sarif_file: results.sarif - category: actions-zizmor diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 730dcd9519..96a4cc76a5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -18,8 +18,7 @@ jobs: name: Analyze (${{ matrix.language }}) runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: - # required for all workflows - security-events: write + security-events: write # required for CodeQL to upload security scan results strategy: fail-fast: false 
@@ -39,12 +38,12 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 + uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: languages: ${{ matrix.language }} build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5 + uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index ef37b06a07..472c2cc184 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -13,10 +13,11 @@ permissions: {} jobs: dependency-review: + name: Dependency vulnerability scan runs-on: ubuntu-latest permissions: - contents: read - pull-requests: write + contents: read # for actions/checkout + pull-requests: write # for actions/dependency-review-action to comment on PRs steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml index fb8934e762..24960bfb14 100644 --- a/.github/workflows/lambda.yml +++ b/.github/workflows/lambda.yml @@ -13,12 +13,10 @@ permissions: jobs: build: + name: Build and test lambda functions runs-on: ubuntu-latest - strategy: - matrix: - node: [22] container: - image: node:${{ matrix.node }} + image: node:22@sha256:2bb201f33898d2c0ce638505b426f4dd038cc00e5b2b4cbba17b069f0fff1496 defaults: run: working-directory: ./lambdas diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 8db7b13774..299683581b 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml 
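Review bot: Dropping `strategy.matrix.node` in lambda.yml's `build` job leaves any later `${{ matrix.node }}` reference (a cache key, a step name, a setup-node input) expanding to an empty string, and the rest of that job is outside the hunk, so it is worth grepping the file before merging. The digest pin `node:22@sha256:…` is an improvement, but unlike every hash-pinned action in this commit it carries no comment recording which release the digest resolves to, which makes future bumps hard to review; I would write `image: node:22@sha256:2bb201f33898d2c0ce638505b426f4dd038cc00e5b2b4cbba17b069f0fff1496 # <resolved node:22.x.y tag>` with the real tag filled in.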
@@ -7,7 +7,8 @@ on: push: branches: [ "main" ] -permissions: read-all +permissions: + contents: read # for actions/checkout and repository analysis jobs: analysis: @@ -15,8 +16,8 @@ jobs: runs-on: ubuntu-latest if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' permissions: - security-events: write - id-token: write + security-events: write # for github/codeql-action/upload-sarif to upload security scan results + id-token: write # for ossf/scorecard-action to generate attestations steps: - name: Harden the runner (Audit all outbound calls) @@ -48,6 +49,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 + uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3 with: sarif_file: results.sarif diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5026752c6a..c0a45dc836 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,10 +14,10 @@ jobs: name: Release runs-on: ubuntu-latest permissions: - contents: write - actions: write - id-token: write - attestations: write + contents: write # for release-please-action to create releases and update changelogs + actions: write # for release-please-action to trigger other workflows + id-token: write # for actions/attest-build-provenance to generate attestations + attestations: write # for actions/attest-build-provenance to write attestations steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 
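Review bot: The third hunk of ossf-scorecard.yml moves `upload-sarif` to `dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3`, which is older than the `3599b3baa…` (v3.29.5) it replaces and differs from the `64d10c1313…` (v3.30.6) that the same commit adopts for codeql-action in codeql.yml, so the repository ends up with a downgrade and two distinct codeql-action pins. Unless there is a reason to stay on 3.28.3, I would use `uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6` so the SARIF uploader matches the analyzer. Separately, in the second hunk the comment on `id-token: write` says "to generate attestations"; as far as I know scorecard-action uses that scope for OIDC when publishing results to the scorecard API, so `id-token: write # for ossf/scorecard-action to authenticate when publishing results` would describe it more accurately — please confirm against the scorecard step, which is outside the hunk.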
@@ -27,6 +27,7 @@ jobs: - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: 22 + package-manager-cache: false - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false @@ -63,14 +64,16 @@ jobs: VERSION: ${{ github.event.inputs.version }} TAG_NAME: ${{ steps.release.outputs.tag_name }} ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }} + REPOSITORY: ${{ github.repository }} run: | version="${VERSION}" tag_name="${TAG_NAME}" attestation_url="${ATTESTATION_URL}" + repository="${REPOSITORY}" gh release view $version --json body -q '.body' > new-release-notes.md echo "## Attestation" >> new-release-notes.md echo "Attestation url: $attestation_url" >> new-release-notes.md - echo "Verify the artifacts by running \`gh attestation verify --repo ${{ github.repository }}\`" >> new-release-notes.md + echo "Verify the artifacts by running \`gh attestation verify --repo ${repository}\`" >> new-release-notes.md gh release edit $tag_name -F new-release-notes.md -t $tag_name - name: Upload release assets if: ${{ steps.release.outputs.releases_created == 'true' }} diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml index 9d80fb92d6..148a41f72f 100644 --- a/.github/workflows/semantic-check.yml +++ b/.github/workflows/semantic-check.yml @@ -6,8 +6,8 @@ on: - edited - synchronize permissions: - contents: read - pull-requests: read + contents: read # for actions/checkout + pull-requests: read # for amannn/action-semantic-pull-request to check PR details jobs: main: name: Semantic Commit Message Check diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 3b04100446..1c5ee2bb57 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
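Review bot: In the second hunk of release.yml, `gh release view $version …` and `gh release edit $tag_name -F new-release-notes.md -t $tag_name` still expand the shell variables unquoted, while `VERSION` comes from a `workflow_dispatch` input. Passing the values through `env` instead of `${{ }}` expansion (as this hunk does for `REPOSITORY`) already removes the script-injection path, but an empty or space-containing input silently changes the argument list instead of failing, so I would quote them: `gh release view "$version" --json body -q '.body' > new-release-notes.md` and `gh release edit "$tag_name" -F new-release-notes.md -t "$tag_name"`. The step's `env:` block and the rest of the job begin outside the hunk.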
@@ -3,12 +3,14 @@ on: schedule: - cron: "30 1 * * *" workflow_dispatch: -permissions: - issues: write - pull-requests: write +permissions: {} jobs: stale: + name: Mark stale issues and PRs runs-on: ubuntu-latest + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 76885568d4..3cfa242c06 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -16,7 +16,7 @@ jobs: name: Verify module strategy: matrix: - terraform: [1.5.6, "latest"] + terraform: ["1.5.6", "latest"] runs-on: ubuntu-latest container: image: hashicorp/terraform:${{ matrix.terraform }} @@ -74,7 +74,7 @@ jobs: strategy: fail-fast: false matrix: - terraform: [1.5.6, "latest"] + terraform: ["1.5.6", "latest"] module: [ "ami-housekeeper", @@ -132,16 +132,18 @@ jobs: - if: contains(matrix.terraform, '1.3.') name: Run TFLint working-directory: ${{ github.workspace }} + env: + MODULE_NAME: ${{ matrix.module }} run: | - tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} - tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }} + tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "modules/${MODULE_NAME}" + tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "modules/${MODULE_NAME}" verify_examples: name: Verify examples strategy: fail-fast: false matrix: - terraform: [1.5.6, "latest"] + terraform: ["1.5.6", "latest"] example: [ "default", 
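Review bot: In terraform.yml's third hunk the TFLint step is guarded by `- if: contains(matrix.terraform, '1.3.')`, yet the matrix for what appears to be the same job (the `-74` hunk with the `module:` list; the job header itself is outside the hunk) is now `["1.5.6", "latest"]`, so that condition is never true and the newly hardened `MODULE_NAME` invocation never runs. If the intent is to lint modules on the pinned version, as the examples job does, the guard should read `- if: contains(matrix.terraform, '1.5.')`. Routing `matrix.module` and `matrix.example` through `env` is the right fix for the template expansion inside `run:`; for consistency with the newly quoted `--chdir "modules/${MODULE_NAME}"` I would also quote the config paths, e.g. `-c "${GITHUB_WORKSPACE}/.tflint.hcl"`, in both this hunk and the examples hunk that follows.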
@@ -195,6 +197,8 @@ jobs: - if: contains(matrix.terraform, '1.5.') name: Run TFLint working-directory: ${{ github.workspace }} + env: + EXAMPLE_NAME: ${{ matrix.example }} run: | - tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }} - tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }} + tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "examples/${EXAMPLE_NAME}" + tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "examples/${EXAMPLE_NAME}" diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 712cac9000..47ddec0c47 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -14,8 +14,8 @@ jobs: name: Auto update terraform docs runs-on: ubuntu-latest permissions: - contents: write - pull-requests: write + contents: write # for terraform-docs/gh-actions to commit documentation updates + pull-requests: write # for peter-evans/create-pull-request to create PRs with doc updates steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 @@ -61,10 +61,11 @@ jobs: delete-branch: true deploy-pages: + name: Deploy documentation to GitHub Pages needs: [docs] runs-on: ubuntu-latest permissions: - contents: write + contents: write # for actions/checkout and mkdocs gh-deploy to push to gh-pages branch steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 @@ -72,6 +73,8 @@ jobs: egress-policy: audit - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Configure Git Credentials run: | git config user.name github-actions[bot] 
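Review bot: The third hunk of update-docs.yml sets `persist-credentials: false` on the `deploy-pages` checkout, but the `.github/zizmor.yml` change in this same commit deletes an `artipacked` ignore whose comment read "update docs requires token to be persisted", and the next visible step only configures `user.name`/`user.email`; how the subsequent gh-pages push authenticates is outside the hunk. If that push currently relies on the token persisted by checkout, this change will make it fail at deploy time, so please confirm the push step supplies its own `GITHUB_TOKEN`-based credential (for example through the step's `env`) rather than the checkout's. I would also record the decision next to the new line, e.g. `persist-credentials: false # push step authenticates with its own token`, so the earlier "requires token to be persisted" note is not silently contradicted.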
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000000..3c4c572cb0
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ paths:
+ - '.github/workflows/*.ya?ml'
+ branches:
+ - main
+ pull_request:
+ paths:
+ - '.github/workflows/*.ya?ml'
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ actions: read # to read actions in status in the repo
+ security-events: write # to create security alerts
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+ with:
+ persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index bbad753d6f..cd892a2bbe 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,9 +1,14 @@
 rules:
- artipacked:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: hash-pin
+ unpinned-images:
 ignore:
- # update docs requires token to be persisted
- - update-docs.yml:61:9
+ # ignore, since CI is checking latest
+ - terraform.yml:22
+ - terraform.yml:96
+ - terraform.yml:161
 dangerous-triggers:
 ignore:
- # semantic check with only a read only token
- - semantic-check.yml:2:1
+ - semantic-check.yml:2
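Review bot: The `paths:` filters in the new zizmor.yml only match `.github/workflows/*.ya?ml`, so a change to the scanner's own configuration at `.github/zizmor.yml` (edited in this very commit: new `unpinned-uses` policies and new ignores) does not re-run the audit, and a loosened policy or a stale ignore would land unchecked until the next workflow edit. Add `- '.github/zizmor.yml'` under both `paths:` lists (push and pull_request). As a point of style, `contents: read` is the one permission in this commit without the `# for …` rationale that every other workflow now carries; `contents: read # for actions/checkout` keeps the convention.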
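Review bot: The `unpinned-uses` policy in `.github/zizmor.yml` names only `actions/*: hash-pin`, while every third-party action touched by this commit (github/codeql-action, step-security/harden-runner, zizmorcore/zizmor-action, actions/setup-node) is already hash-pinned, so the lint enforces less than the repository practises and leaves other owners to the tool's default policy; adding a catch-all entry `"*": hash-pin` beneath `actions/*: hash-pin` would make the check match what the workflows do. The `unpinned-images` ignores are keyed by line number (`terraform.yml:22`, `:96`, `:161`), which drift whenever lines are inserted above them — this same commit shifts terraform.yml by two lines from the `@@ -132,16 +132,18 @@` hunk onward (`@@ -195,6 +197,8 @@`), so `96` and `161` should be verified against the post-commit file, and a comment such as `# line numbers refer to the container image: lines; re-check after editing terraform.yml` would help the next editor.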