Fix

dev-hato · Feb 4, 2024 · ad994b9 · ad994b9
1 parent 8dd1817
commit ad994b9
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 20 deletions.
diff --git a/.github/workflows/add-to-task-list.yml b/.github/workflows/add-to-task-list.yml
@@ -7,6 +7,7 @@ on:
   issues:
     types:
       - opened
+permissions: read-all
 jobs:
   add-to-task-list:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,10 @@ on:
   merge_group:
   schedule:
     - cron: '38 8 * * 4'
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 jobs:
   analyze:
     name: Analyze
@@ -28,10 +32,6 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
@@ -2,6 +2,7 @@ name: 'Dependency Review'
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/fail-notify.yml b/.github/workflows/fail-notify.yml
@@ -17,6 +17,7 @@ on:
       - update-gitleaks
     types:
       - completed
+permissions: read-all
 jobs:
   fail-notify:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/fix-fail-notify.yml b/.github/workflows/fix-fail-notify.yml
@@ -3,6 +3,7 @@ name: fix-fail-notify
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   fix-fail-notify:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/gcr-cleaner.yml b/.github/workflows/gcr-cleaner.yml
@@ -7,12 +7,12 @@ on:
 env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: 'projects/765091727073/locations/global/workloadIdentityPools/hato-atama-workload-identity/providers/github'
   GCP_SERVICE_ACCOUNT: '[email protected]'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   gcr-cleaner:
     runs-on: 'ubuntu-latest'
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - uses: actions/[email protected]
       - id: 'auth'

diff --git a/.github/workflows/github-actions-cache-cleaner.yml b/.github/workflows/github-actions-cache-cleaner.yml
@@ -7,6 +7,7 @@ on:
   schedule:
     - cron: '0 21 * * *' # 06:00 JST
   workflow_dispatch:
+permissions: read-all
 jobs:
   github-actions-cache-cleaner:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/remove_app_engine_versions.yml b/.github/workflows/remove_app_engine_versions.yml
@@ -4,12 +4,12 @@ on:
   pull_request:
     types:
       - closed
+permissions:
+  id-token: write
+  contents: read
 jobs:
   remove-app-engine-versions:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
     if: github.repository == github.event.pull_request.head.repo.full_name && github.repository == 'dev-hato/hato-atama'
     steps:
       - uses: actions/[email protected]

diff --git a/.github/workflows/resource-update.yml b/.github/workflows/resource-update.yml
@@ -2,11 +2,7 @@
 name: resource-update
 on:
   workflow_dispatch:
-    inputs:
-      base-branch-name:
-        description: "base branch name"
-        required: false
-        default: "master"
+permissions: read-all
 jobs:
   update-frontend:
     runs-on: ubuntu-latest
@@ -31,7 +27,7 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-frontend
+          branch-name-prefix: update-frontend
           pr-title-prefix: Update frontend
   update-test-e2e:
     runs-on: ubuntu-latest
@@ -56,7 +52,7 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-test-e2e
+          branch-name-prefix: update-test-e2e
           pr-title-prefix: Update test/e2e
   update-go:
     runs-on: ubuntu-latest
@@ -83,5 +79,5 @@ jobs:
       - uses: dev-hato/[email protected]
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-go
+          branch-name-prefix: update-go
           pr-title-prefix: Update go
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -5,6 +5,7 @@ on:
     branches: [master]
   merge_group:
   workflow_dispatch:
+permissions: read-all
 jobs:
   super-linter:
     runs-on: ubuntu-latest

diff --git a/elm/Dockerfile b/elm/Dockerfile
@@ -1,5 +1,6 @@
 # https://dev.to/csaltos/elm-for-linux-arm64-32bc
 # GitHub Actionsでビルドするとうまく行かないため、手元でビルドする前提
+#checkov:skip=CKV_DOCKER_2
 FROM debian:bullseye-slim
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
@@ -42,13 +43,18 @@ RUN apt-get update \
        && apt-get clean \
        && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /
+RUN mkdir /app  \
+    && useradd -m appuser \
+    && chown appuser:appuser /app
+
+WORKDIR /app
+USER appuser
 
 COPY frontend/elm.json ./
 RUN elm_version="$(yq -oy '."elm-version"' elm.json)" \
     && git clone -b "${elm_version}" https://github.com/elm/compiler.git
 
-WORKDIR /compiler
+WORKDIR /app/compiler
 
 RUN rm worker/elm.cabal \
     && cabal new-update \
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,7 @@ on: @@
       issues:
         types:
           - opened
+    permissions: read-all
     jobs:
       add-to-task-list:
         runs-on: ubuntu-latest
@@ Expand Down @@