diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index dcb79b06..867c18db 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,6 +3,8 @@ version: 2
 updates:
 - package-ecosystem: github-actions
+ cooldown:
+ default-days: 7
 directory: /
 schedule:
 interval: weekly
@@ -14,16 +16,22 @@ updates:
 commit-message:
 prefix: "ci(deps)"
 - package-ecosystem: docker
+ cooldown:
+ default-days: 7
 directories:
 - .devcontainer/cpp
 - .devcontainer/rust
 schedule:
 interval: weekly
 - package-ecosystem: devcontainers
+ cooldown:
+ default-days: 7
 directory: /
 schedule:
 interval: weekly
 - package-ecosystem: npm
+ cooldown:
+ default-days: 7
 directory: /
 schedule:
 interval: weekly
@@ -35,6 +43,8 @@ updates:
 commit-message:
 prefix: "test(deps)"
 - package-ecosystem: pip
+ cooldown:
+ default-days: 7
 directory: .devcontainer
 schedule:
 interval: weekly
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index c22d3fb2..52f0425d 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
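Review bot: The new `cooldown: default-days: 7` block is repeated verbatim under all five ecosystems across the three hunks of this file without a comment saying what the delay protects against, so a maintainer who later wants faster updates has nothing telling them why it was introduced. Consider annotating the first occurrence, e.g. `# cooldown: wait 7 days after a release before proposing it, so versions that are withdrawn or flagged shortly after publication are not adopted immediately`. It is also worth confirming against the Dependabot documentation that the cooldown does not delay security updates for these ecosystems; if it does, a shorter delay or an exclusion for advisories may be preferable.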
@@ -25,13 +25,12 @@ jobs:
 TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
 TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 permissions:
- actions: read
- attestations: write
- checks: write
- contents: write
- id-token: write
- packages: write
- pull-requests: write
+ actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ attestations: write # is needed by actions/attest-build-provenance to push attestations
+ contents: write # is needed by anchore/sbom-action for artifact uploads
+ id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+ packages: write # is needed to push image manifest when using GitHub Container Registry
+ pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
 with:
 devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
 dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
@@ -46,14 +45,14 @@ jobs:
 uses: ./.github/workflows/wc-dependency-review.yml
 permissions:
 contents: read
- pull-requests: write
+ pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 publish-test-results:
 name: ๐Ÿ“Š Publish Test Results
 runs-on: ubuntu-latest
 permissions:
- checks: write
- pull-requests: write
+ checks: write # is needed by EnricoMi/publish-unit-test-result-action to add a check run with test results
+ pull-requests: write # is needed by EnricoMi/publish-unit-test-result-action to annotate PRs
 needs: build-push-test
 if: ${{ !cancelled() }}
 steps:
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
index 81ecbe23..859b3255 100644
--- a/.github/workflows/image-cleanup.yml
+++ b/.github/workflows/image-cleanup.yml
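Review bot: The justification added on the `contents: write` line, `# is needed by anchore/sbom-action for artifact uploads`, does not describe what that scope is for: uploading workflow artifacts needs no `contents` permission, whereas attaching SBOMs to release assets or submitting a dependency snapshot does, and the comment this commit removes in wc-build-push.yml attributed the scope to dependency submission. As written, a reviewer cannot tell whether write access to repository contents is still required on the CI (non-release) path at all. Suggest naming the concrete operation after confirming which one applies, e.g. `contents: write # is needed by anchore/sbom-action to submit the dependency snapshot and attach SBOMs to release assets`. The same comment is repeated in the release-build.yml, wc-build-push-test.yml and wc-build-push.yml hunks.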
@@ -13,9 +13,7 @@ jobs:
 name: ๐Ÿงน Clean Images
 runs-on: ubuntu-latest
 permissions:
- # dataaxiom/ghcr-cleanup-action needs packages write permission
- # to delete untagged and orphaned images
- packages: write
+ packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml
index dbebf1c6..132fa01c 100644
--- a/.github/workflows/issue-cleanup.yml
+++ b/.github/workflows/issue-cleanup.yml
@@ -12,8 +12,8 @@ jobs:
 name: โ™ป๏ธ Close Stale Issues & PRs
 runs-on: ubuntu-latest
 permissions:
- issues: write
- pull-requests: write
+ issues: write # is needed by actions/stale to close/comment on issues
+ pull-requests: write # is needed by actions/stale to close/comment on PRs
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml
index c4b73cde..5d680d83 100644
--- a/.github/workflows/issue-creation-tool-versions.yml
+++ b/.github/workflows/issue-creation-tool-versions.yml
@@ -13,7 +13,7 @@ jobs:
 name: Create tool version evaluation issue
 runs-on: ubuntu-latest
 permissions:
- issues: write
+ issues: write # is needed by gh cli to create/close/pin/unpin issues
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
index 042fcc63..021f948d 100644
--- a/.github/workflows/linting-formatting.yml
+++ b/.github/workflows/linting-formatting.yml
@@ -14,8 +14,7 @@ concurrency:
 group: ${{ github.ref }}-${{ github.workflow }}
 cancel-in-progress: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 linter:
@@ -23,9 +22,9 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- actions: read
- pull-requests: write
- security-events: write
+ actions: read # is needed by zizmorcore/zizmor-action
+ pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments
+ security-events: write # is needed by oxsecurity/megalinter for uploading sarif files
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
@@ -55,6 +54,6 @@ jobs:
 name: Linter Report
 path: |
 megalinter-reports
- - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.19.0
+ - uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1.24.0
 with:
 tool_name: MegaLinter
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 1971367a..4a0e276b 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -9,15 +9,16 @@ on:
 push:
 branches: [main]
-permissions: read-all
+permissions: {}
 jobs:
 ossf-scorecard:
 name: ๐Ÿ›ก๏ธ OpenSSF Scorecard
 runs-on: ubuntu-latest
 permissions:
- security-events: write
- id-token: write
+ contents: read
+ security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
+ id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml
index 21a24e54..f3b3e03f 100644
--- a/.github/workflows/pr-conventional-title.yml
+++ b/.github/workflows/pr-conventional-title.yml
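Review bot: In the reviewdog/action-suggester step the version annotation changes from `# v1.19.0` to `# v1.24.0` while the pinned commit `aa38384ceb608d00f84b4690cacc83a5aba307ff` is left unchanged, so the comment and the pin now disagree unless the upstream tag was moved onto the same commit. Dependabot and pin-checking tools read that trailing comment to decide which version is in use, so a wrong annotation hides an out-of-date action behind a current-looking label. Either bump the SHA to the commit actually tagged v1.24.0 or keep `# v1.19.0` until the pin itself is updated.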
@@ -15,7 +15,7 @@ jobs: name: โœ… Validate PR Title runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: @@ -44,9 +44,8 @@ jobs: :warning: Details ${{ steps.pr-title.outputs.error_message }} - - - if: steps.pr-title.outputs.error_message == null - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 + - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 + if: steps.pr-title.outputs.error_message == null with: header: pr-title-lint-error delete: true diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml index 822618b1..8651ae0f 100644 --- a/.github/workflows/pr-image-cleanup.yml +++ b/.github/workflows/pr-image-cleanup.yml @@ -12,7 +12,7 @@ jobs: name: ๐Ÿ—‘๏ธ Delete PR Images runs-on: ubuntu-latest permissions: - packages: write + packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: @@ -26,8 +26,7 @@ jobs: name: ๐Ÿงน Cleanup Cache runs-on: ubuntu-latest permissions: - # actions: write permission is required to delete the cache - actions: write + actions: write # is needed to delete workflow run caches steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml index 966b17fc..4842d66c 100644 --- a/.github/workflows/pr-report.yml +++ b/.github/workflows/pr-report.yml 
@@ -12,10 +12,10 @@ jobs:
 name: ๐Ÿ“Š Add PR Report
 permissions:
 contents: read
- checks: read
- pull-requests: write
- repository-projects: read
- actions: read
+ checks: read # is needed by philips-software/pull-request-report-action to fetch check run information
+ pull-requests: write # is needed by philips-software/pull-request-report-action to post the report as a comment on the PR
+ repository-projects: read # is needed by philips-software/pull-request-report-action to fetch project information
+ actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information
 runs-on: ubuntu-latest
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 5183c269..4614d0c3 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -27,13 +27,12 @@ jobs:
 TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
 TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
 permissions:
- actions: read
- attestations: write
- checks: write
- contents: write
- id-token: write
- packages: write
- pull-requests: write
+ actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ attestations: write # is needed by actions/attest-build-provenance to push attestations
+ contents: write # is needed by anchore/sbom-action for artifact uploads
+ id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+ packages: write # is needed to push image manifest when using GitHub Container Registry
+ pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
 with:
 devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
 dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
@@ -45,10 +44,9 @@ jobs:
 name: ๐Ÿ“ Apply Release Template
 runs-on: ubuntu-latest
 permissions:
- # `contents: write` is needed to modify a release.
 # Please note that this is an overly broad scope, but GitHub does not
 # currently provide a more fine-grained permission for release modification.
- contents: write
+ contents: write # is needed to modify a release
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
@@ -75,10 +73,9 @@ jobs:
 flavor: [cpp, rust]
 runs-on: ubuntu-latest
 permissions:
- # `contents: write` is needed to modify a release.
 # Please note that this is an overly broad scope, but GitHub does not
 # currently provide a more fine-grained permission for release modification.
- contents: write
+ contents: write # is needed to modify a release
 needs: [build-push-test, apply-release-notes-template]
 env:
 CONTAINER_FLAVOR: ${{ matrix.flavor }}
@@ -129,10 +126,9 @@ jobs:
 name: ๐Ÿ“„ Upload Documents
 runs-on: ubuntu-latest
 permissions:
- # `contents: write` is needed to modify a release.
 # Please note that this is an overly broad scope, but GitHub does not
 # currently provide a more fine-grained permission for release modification.
- contents: write
+ contents: write # is needed to modify a release
 needs: [generate-documents]
 steps:
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 72479c32..a487d4e0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -9,13 +9,14 @@ on:
 concurrency:
 group: ${{ github.ref }}-${{ github.workflow }}
-permissions:
- contents: read
+permissions: {}
 jobs:
 create-release:
 name: ๐Ÿš€ Create Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
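Review bot: With the leading comment line removed, the two retained lines `# Please note that this is an overly broad scope, but GitHub does not` / `# currently provide a more fine-grained permission for release modification.` now open the block with a "this" that has no antecedent until the reader reaches `contents: write` below them. Naming the scope in the first retained line keeps the warning self-contained, e.g. `# Please note that \`contents: write\` below is an overly broad scope, but GitHub does not`. The same edit applies to the following two hunks in this file, which make the identical change.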
diff --git a/.github/workflows/release-published.yml b/.github/workflows/release-published.yml index 541cfc8d..c277859e 100644 --- a/.github/workflows/release-published.yml +++ b/.github/workflows/release-published.yml @@ -12,7 +12,7 @@ jobs: name: Comment on released PRs runs-on: ubuntu-latest permissions: - pull-requests: write + pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs steps: - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: diff --git a/.github/workflows/social-interaction.yml b/.github/workflows/social-interaction.yml deleted file mode 100644 index 992de656..00000000 --- a/.github/workflows/social-interaction.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -name: Social Interaction - -on: - issues: - types: [opened] - pull_request: - types: [opened] - -permissions: {} - -jobs: - greeting: - name: ๐Ÿ‘‹ First Interaction Greeting - runs-on: ubuntu-latest - permissions: - issues: write - pull-requests: write - if: github.actor != 'dependabot[bot]' - steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 - with: - disable-sudo-and-containers: true - allowed-endpoints: > - api.github.com:443 - - uses: actions/first-interaction@1c4688942c71f71d4f5502a26ea67c331730fa4d # v3.1.0 - continue-on-error: true - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: "Thank you for adding your first issue. We will be looking into it as soon as possible." - pr-message: "Thanks for your first PR. We really appreciate it!" diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 75b36424..e257028a 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml 
@@ -19,8 +19,8 @@ jobs:
 # set-up correctly.
 container: ghcr.io/philips-software/amp-devcontainer-${{ matrix.flavor }}:edge
 permissions:
- contents: write
- pull-requests: write
+ contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
+ pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
@@ -53,8 +53,8 @@ jobs:
 flavor: ["cpp", "rust"]
 file: ["devcontainer-metadata.json", "devcontainer.json"]
 permissions:
- contents: write
- pull-requests: write
+ contents: write # is needed by peter-evans/create-pull-request to create branches and push commits
+ pull-requests: write # is needed by peter-evans/create-pull-request to create a PR
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 1a33ebf2..c20020ff 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -16,7 +16,7 @@ jobs:
 matrix:
 flavor: ["cpp", "rust"]
 permissions:
- security-events: write
+ security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
index 045f45eb..9eb68acd 100644
--- a/.github/workflows/wc-acceptance-test.yml
+++ b/.github/workflows/wc-acceptance-test.yml
@@ -48,19 +48,22 @@ jobs: run: | set -Eeuo pipefail - if [[ "${{ github.event_name }}" == "pull_request" ]]; then - gh secret set -a codespaces IMAGE_VERSION --body "pr-${{ github.event.pull_request.number }}" - elif [[ "${{ github.event_name }}" == "push" && "${{ startsWith(github.ref, 'refs/tags/') }}" == "true" ]]; then + if [[ "${EVENT_NAME}" == "pull_request" ]]; then + gh secret set -a codespaces IMAGE_VERSION --body "pr-${PR_NUMBER}" + elif [[ "${EVENT_NAME}" == "push" && "${REF_STARTS_WITH_TAG}" == "true" ]]; then gh secret set -a codespaces IMAGE_VERSION --body "${GITHUB_REF#refs/tags/}" else gh secret set -a codespaces IMAGE_VERSION --body "edge" fi - echo CODESPACE_NAME="$(gh codespace create -R "${{ github.repository }}" -b "$HEAD_REF" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" + echo CODESPACE_NAME="$(gh codespace create -R "${GITHUB_REPOSITORY}" -b "${HEAD_REF}" -m basicLinux32gb --devcontainer-path "${DEVCONTAINER_FILE}" --idle-timeout 10m --retention-period 1h)" >> "$GITHUB_ENV" env: + REF_STARTS_WITH_TAG: ${{ startsWith(github.ref, 'refs/tags/') }} DEVCONTAINER_FILE: ${{ inputs.devcontainer-file }} + EVENT_NAME: ${{ github.event_name }} GH_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} HEAD_REF: ${{ github.head_ref }} + PR_NUMBER: ${{ github.event.pull_request.number }} - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: 24.8.0 diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml index df501abd..d85953b2 100644 --- a/.github/workflows/wc-build-push-test.yml +++ b/.github/workflows/wc-build-push-test.yml 
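Review bot: The new `env:` entry `REF_STARTS_WITH_TAG: ${{ startsWith(github.ref, 'refs/tags/') }}` is inserted first, while the rest of the block is kept alphabetical (`DEVCONTAINER_FILE`, `EVENT_NAME`, `GH_TOKEN`, `HEAD_REF`, `PR_NUMBER`); placing it after `PR_NUMBER` keeps the list sorted like the other additions in this hunk. Routing the `${{ }}` values through `env:` rather than interpolating them into the script is the right shape, and the remaining `${GITHUB_REF#refs/tags/}` and `$GITHUB_ENV` references are runner-provided variables, so no expression is left expanding inside the shell. The step that owns this `run:` block starts above the hunk.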
@@ -91,12 +91,12 @@ jobs:
 name: ๐Ÿ› ๏ธ
 uses: ./.github/workflows/wc-build-push.yml
 permissions:
- actions: read
- attestations: write
- contents: write
- id-token: write
- packages: write
- pull-requests: write
+ actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ attestations: write # is needed by actions/attest-build-provenance to push attestations
+ contents: write # is needed by anchore/sbom-action for artifact uploads
+ id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+ packages: write # is needed to push image manifest when using GitHub Container Registry
+ pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
 secrets:
 DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
 DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
index 31171bce..7e49ae23 100644
--- a/.github/workflows/wc-build-push.yml
+++ b/.github/workflows/wc-build-push.yml
@@ -65,7 +65,7 @@ jobs:
 needs: sanitize-image-name
 permissions:
 contents: read
- packages: write
+ packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
@@ -142,14 +142,12 @@ jobs:
 - build-push
 - sanitize-image-name
 permissions:
- actions: read
- attestations: write
- # dependency-submission needs contents write permission.
- contents: write
- # attest-build-provenance needs id-token write permission.
- id-token: write
- packages: write
- pull-requests: write
+ actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
+ attestations: write # is needed by actions/attest-build-provenance to push attestations
+ contents: write # is needed by anchore/sbom-action for artifact uploads
+ id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
+ packages: write # is needed to push image manifest when using GitHub Container Registry
+ pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
 outputs:
 digest: ${{ steps.inspect-manifest.outputs.digest }}
 steps:
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
index b3c49c2a..03bc2d3c 100644
--- a/.github/workflows/wc-dependency-review.yml
+++ b/.github/workflows/wc-dependency-review.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ${{ fromJson(inputs.runner-labels) }}
 permissions:
 contents: read
- pull-requests: write
+ pull-requests: write # is needed by actions/dependency-review-action to write PR summaries
 steps:
 - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with: