diff --git a/.github/workflows/add-to-task-list.yml b/.github/workflows/add-to-task-list.yml
index 1b3afc16b..9dcdc05e0 100644
--- a/.github/workflows/add-to-task-list.yml
+++ b/.github/workflows/add-to-task-list.yml
@@ -7,6 +7,7 @@ on:
   issues:
     types:
       - opened
+permissions: read-all
 jobs:
   add-to-task-list:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ff7de0e9b..b4bca3792 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -18,6 +18,10 @@ on:
   merge_group:
   schedule:
     - cron: '38 8 * * 4'
+permissions:
+  actions: read
+  contents: read
+  security-events: write
 jobs:
   analyze:
     name: Analyze
@@ -28,10 +32,6 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
index 0e8f977d0..71b0403c4 100644
--- a/.github/workflows/dependency_review.yml
+++ b/.github/workflows/dependency_review.yml
@@ -2,6 +2,7 @@ name: 'Dependency Review'
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/fail-notify.yml b/.github/workflows/fail-notify.yml
index 3cbbf45b4..8afa38a30 100644
--- a/.github/workflows/fail-notify.yml
+++ b/.github/workflows/fail-notify.yml
@@ -17,6 +17,7 @@ on:
       - update-gitleaks
     types:
       - completed
+permissions: read-all
 jobs:
   fail-notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/fix-fail-notify.yml b/.github/workflows/fix-fail-notify.yml
index cb37da49c..5afe7f235 100644
--- a/.github/workflows/fix-fail-notify.yml
+++ b/.github/workflows/fix-fail-notify.yml
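Review bot: `permissions: read-all` in the add-to-task-list hunk is both broader and possibly narrower than what the job needs: it grants read on every scope (packages, security-events, pull-requests, …), yet the workflow reacts to `issues: opened` and presumably writes the issue somewhere. If the steps, which are outside the hunk, add the issue to a project or comment on it with `GITHUB_TOKEN`, a read-only token will now fail with 403; if they use a PAT or app token, the default token needs nothing beyond `contents: read`. Either way I would replace `read-all` with the explicit scopes the steps actually use rather than a blanket grant.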
@@ -3,6 +3,7 @@ name: fix-fail-notify
 on:
   pull_request:
   merge_group:
+permissions: read-all
 jobs:
   fix-fail-notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/gcr-cleaner.yml b/.github/workflows/gcr-cleaner.yml
index 68ca8c7a6..ea42ca2aa 100644
--- a/.github/workflows/gcr-cleaner.yml
+++ b/.github/workflows/gcr-cleaner.yml
@@ -7,12 +7,12 @@ on:
 env:
   GCP_WORKLOAD_IDENTITY_PROVIDER: 'projects/765091727073/locations/global/workloadIdentityPools/hato-atama-workload-identity/providers/github'
   GCP_SERVICE_ACCOUNT: 'gcr-cleaner@hato-atama.iam.gserviceaccount.com'
+permissions:
+  id-token: write
+  contents: read
 jobs:
   gcr-cleaner:
     runs-on: 'ubuntu-latest'
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - uses: actions/checkout@v4.1.1
       - id: 'auth'
diff --git a/.github/workflows/github-actions-cache-cleaner.yml b/.github/workflows/github-actions-cache-cleaner.yml
index a28456f4a..6ca2b19e1 100644
--- a/.github/workflows/github-actions-cache-cleaner.yml
+++ b/.github/workflows/github-actions-cache-cleaner.yml
@@ -7,6 +7,7 @@ on:
   schedule:
     - cron: '0 21 * * *' # 06:00 JST
   workflow_dispatch:
+permissions: read-all
 jobs:
   github-actions-cache-cleaner:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/remove_app_engine_versions.yml b/.github/workflows/remove_app_engine_versions.yml
index b6c9f6b8f..bd934299c 100644
--- a/.github/workflows/remove_app_engine_versions.yml
+++ b/.github/workflows/remove_app_engine_versions.yml
@@ -4,12 +4,12 @@ on:
   pull_request:
     types:
       - closed
+permissions:
+  id-token: write
+  contents: read
 jobs:
   remove-app-engine-versions:
     runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
     if: github.repository == github.event.pull_request.head.repo.full_name && github.repository == 'dev-hato/hato-atama'
     steps:
       - uses: actions/checkout@v4.1.1
diff --git a/.github/workflows/resource-update.yml b/.github/workflows/resource-update.yml
index 9c6767082..baaf7c391 100644
--- a/.github/workflows/resource-update.yml
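Review bot: Hoisting `id-token: write` from the gcr-cleaner job to the workflow level widens the scope at which an OIDC token able to impersonate `gcr-cleaner@hato-atama.iam.gserviceaccount.com` can be minted: today the workflow has a single job, but any job added later (a notifier, a lint step) silently inherits that capability. Job-level `permissions` was the tighter placement for a privilege this sensitive; if the move is meant to satisfy a linter that wants a top-level block, set `permissions: contents: read` at the top and keep `id-token: write` on the `gcr-cleaner` job. The same consideration applies to the remove_app_engine_versions hunk below.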
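Review bot: `permissions: read-all` is likely insufficient for github-actions-cache-cleaner: deleting caches through the Actions REST API (`gh cache delete`, `DELETE /repos/{owner}/{repo}/actions/caches`) requires `actions: write`, which `read-all` does not grant, so a step that uses `GITHUB_TOKEN` for this will start failing with 403 on the next scheduled run. The steps are outside the hunk, so if the job authenticates with a PAT this is moot; otherwise replace the line with `permissions:` / `  actions: write` / `  contents: read`.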
+++ b/.github/workflows/resource-update.yml
@@ -2,11 +2,7 @@ name: resource-update
 on:
   workflow_dispatch:
-    inputs:
-      base-branch-name:
-        description: "base branch name"
-        required: false
-        default: "master"
+permissions: read-all
 jobs:
   update-frontend:
     runs-on: ubuntu-latest
@@ -31,7 +27,7 @@ jobs:
       - uses: dev-hato/actions-diff-pr-management@v1.1.9
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-frontend
+          branch-name-prefix: update-frontend
           pr-title-prefix: Update frontend
   update-test-e2e:
     runs-on: ubuntu-latest
@@ -56,7 +52,7 @@ jobs:
       - uses: dev-hato/actions-diff-pr-management@v1.1.9
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-test-e2e
+          branch-name-prefix: update-test-e2e
           pr-title-prefix: Update test/e2e
   update-go:
     runs-on: ubuntu-latest
@@ -83,5 +79,5 @@ jobs:
       - uses: dev-hato/actions-diff-pr-management@v1.1.9
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          branch-name-prefix: ${{ github.event.inputs.base-branch-name }}-update-go
+          branch-name-prefix: update-go
           pr-title-prefix: Update go
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 141b8cd37..37644cca1 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -5,6 +5,7 @@ on:
     branches: [master]
   merge_group:
   workflow_dispatch:
+permissions: read-all
 jobs:
   super-linter:
     runs-on: ubuntu-latest
diff --git a/elm/Dockerfile b/elm/Dockerfile
index 74cb7ea9a..83bdc532f 100644
--- a/elm/Dockerfile
+++ b/elm/Dockerfile
@@ -1,5 +1,6 @@
 # https://dev.to/csaltos/elm-for-linux-arm64-32bc
 # GitHub Actionsでビルドするとうまく行かないため、手元でビルドする前提
+#checkov:skip=CKV_DOCKER_2
 FROM debian:bullseye-slim
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
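Review bot: `permissions: read-all` at the top of resource-update conflicts with what the later hunks do: each job passes `github-token: ${{secrets.GITHUB_TOKEN}}` to `dev-hato/actions-diff-pr-management`, which pushes an `update-*` branch and opens a pull request, operations that need `contents: write` and `pull-requests: write`. With a read-only token those steps will fail with 403 unless the jobs carry their own `permissions` block somewhere outside the visible hunks. I would write `permissions:` / `  contents: write` / `  pull-requests: write` instead, preferably per job so only the PR-management steps receive write access.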
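Review bot: The new `#checkov:skip=CKV_DOCKER_2` suppresses the missing-HEALTHCHECK finding without recording why, so the next reader cannot tell a justified exception from a silenced warning. checkov accepts a reason after a second colon; given the comment above says the image is built locally rather than run as a service, something like `#checkov:skip=CKV_DOCKER_2:build-only image for compiling elm, never run as a long-lived container` would document the exception, assuming that is indeed the rationale.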
@@ -42,13 +43,18 @@ RUN apt-get update \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
-WORKDIR /
+RUN mkdir /app \
+  && useradd -m appuser \
+  && chown appuser:appuser /app
+
+WORKDIR /app
+USER appuser
 COPY frontend/elm.json ./
 RUN elm_version="$(yq -oy '."elm-version"' elm.json)" \
   && git clone -b "${elm_version}" https://github.com/elm/compiler.git
-WORKDIR /compiler
+WORKDIR /app/compiler
 RUN rm worker/elm.cabal \
   && cabal new-update \