From 8558977c10b12f67b5a78417cf86caec0500a50c Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 3 Jan 2024 11:52:49 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 11 ++++++++ .github/workflows/ci-clang-scan.yml | 10 ++++++- .github/workflows/ci-cmake-options.yml | 10 ++++++- .github/workflows/ci-cov-linux-report.yml | 12 ++++++-- .github/workflows/ci-cov-linux.yml | 10 ++++++- .github/workflows/ci-cov-python.yml | 10 ++++++- .github/workflows/ci-cov-windows-report.yml | 14 ++++++++-- .github/workflows/ci-cov-windows.yml | 12 ++++++-- .github/workflows/ci-cpack.yml | 17 +++++++++-- .github/workflows/ci-cppcheck.yml | 10 ++++++- .github/workflows/ci-gcc10.yml | 10 ++++++- .github/workflows/ci-gcc48.yml | 12 ++++++-- .github/workflows/ci-gcc5.yml | 14 ++++++++-- .github/workflows/ci-gcc7.yml | 12 ++++++-- .github/workflows/ci-gcc9.yml | 10 ++++++- .github/workflows/ci-test.yml | 28 ++++++++++++------- .github/workflows/ci-windows-ip.yml | 8 ++++++ .github/workflows/ci-windows.yml | 14 ++++++++-- .github/workflows/clang_scan.yml | 10 ++++++- .github/workflows/cppcheck.yml | 10 ++++++- .github/workflows/docker.yml | 19 ++++++++----- .github/workflows/freebsd_build.yml | 9 ++++-- .github/workflows/freebsd_scan_build.yml | 9 ++++-- .github/workflows/linux_make.yml | 31 ++++++++++++++++++--- .github/workflows/macos-scan-build.yml | 10 ++++++- .github/workflows/macosx_build.yml | 10 ++++++- .github/workflows/scorecard.yml | 5 ++++ .github/workflows/stats-cron-job.yml | 8 ++++++ Dockerfile | 4 +-- 29 files changed, 292 insertions(+), 57 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..365eeece --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: docker + directory: / + schedule: + interval: daily diff --git a/.github/workflows/ci-clang-scan.yml b/.github/workflows/ci-clang-scan.yml index ef4ef9fe..f0308fda 100644 --- a/.github/workflows/ci-clang-scan.yml +++ b/.github/workflows/ci-clang-scan.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake diff --git a/.github/workflows/ci-cmake-options.yml b/.github/workflows/ci-cmake-options.yml index 5bcaae70..26967ec5 100644 --- a/.github/workflows/ci-cmake-options.yml +++ b/.github/workflows/ci-cmake-options.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive diff --git a/.github/workflows/ci-cov-linux-report.yml b/.github/workflows/ci-cov-linux-report.yml index c71dd9d7..99d221de 100644 --- a/.github/workflows/ci-cov-linux-report.yml +++ b/.github/workflows/ci-cov-linux-report.yml @@ -2,6 +2,9 @@ name: coverity-linux-and-python-report on: [workflow_dispatch, workflow_call] +permissions: + contents: read + jobs: build: 
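Review bot: The new Dependabot config covers only `github-actions` and `docker`, while several workflows in this same patch check the repository out with `submodules: recursive`, so submodule pins will never get update PRs; if that is wanted, add a third entry, `- package-ecosystem: gitsubmodule` / `  directory: /` with the same `schedule:` block. Daily cadence on both ecosystems means a PR for every SHA or digest bump; `interval: weekly` is the usual compromise unless the project wants that volume. The hunk ends the new file.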
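Review bot: `egress-policy: audit` only records the runner's outbound connections and blocks nothing, so the Harden Runner step as added is telemetry rather than hardening; the intended follow-up is to run in audit mode for a few builds and then switch to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit report, which is what actually stops exfiltration from a compromised build step. The identical step and policy are added to every workflow in this patch, so this note applies to all of them. As far as I recall, harden-runner at this version lists GitHub-hosted Ubuntu runners as its supported target; several jobs here run on self-hosted labels (e.g. `runs-on: ci-gcc9` in ci-cpack.yml), Windows and macOS, so verify on the action's compatibility table that the step does more than print a warning there before counting it as coverage.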
@@ -9,7 +12,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive @@ -29,7 +37,7 @@ jobs: ci-cov-linux-report.sh PCM.linux.and.python - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: coverity-linux-and-python-report-${{ github.sha }} path: "*-Report.pdf" \ No newline at end of file diff --git a/.github/workflows/ci-cov-linux.yml b/.github/workflows/ci-cov-linux.yml index 0313fd02..c8c5c271 100644 --- a/.github/workflows/ci-cov-linux.yml +++ b/.github/workflows/ci-cov-linux.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: coverity-linux diff --git a/.github/workflows/ci-cov-python.yml b/.github/workflows/ci-cov-python.yml index ccf50d27..e2e3d16a 100644 --- a/.github/workflows/ci-cov-python.yml +++ b/.github/workflows/ci-cov-python.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: 
@@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: coverity-python diff --git a/.github/workflows/ci-cov-windows-report.yml b/.github/workflows/ci-cov-windows-report.yml index 0911964c..183b5084 100644 --- a/.github/workflows/ci-cov-windows-report.yml +++ b/.github/workflows/ci-cov-windows-report.yml @@ -2,6 +2,9 @@ name: coverity-windows on: [workflow_dispatch, workflow_call] +permissions: + contents: read + jobs: build: @@ -9,12 +12,17 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1.1.3 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3 - name: coverity-windows run: | @@ -40,7 +48,7 @@ jobs: c:\pcm\ci-cov-windows-report.ps1 PCM.windows-all - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: coverity-windows-all-report-${{ github.sha }} path: "*-Report.pdf" diff --git a/.github/workflows/ci-cov-windows.yml b/.github/workflows/ci-cov-windows.yml index 9ac66fce..288cbf9f 100644 --- a/.github/workflows/ci-cov-windows.yml +++ b/.github/workflows/ci-cov-windows.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: 
@@ -13,12 +16,17 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1.1.3 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3 - name: coverity-windows run: | diff --git a/.github/workflows/ci-cpack.yml b/.github/workflows/ci-cpack.yml index c73d066b..6cad4653 100644 --- a/.github/workflows/ci-cpack.yml +++ b/.github/workflows/ci-cpack.yml @@ -6,13 +6,21 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: job-build1: runs-on: ci-gcc9 if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake @@ -35,7 +43,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake diff --git a/.github/workflows/ci-cppcheck.yml b/.github/workflows/ci-cppcheck.yml index ee4f62f8..f5176a64 100644 --- a/.github/workflows/ci-cppcheck.yml +++ b/.github/workflows/ci-cppcheck.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: 
@@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: cppcheck_script diff --git a/.github/workflows/ci-gcc10.yml b/.github/workflows/ci-gcc10.yml index 4ac9ebfc..2ca13276 100644 --- a/.github/workflows/ci-gcc10.yml +++ b/.github/workflows/ci-gcc10.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake diff --git a/.github/workflows/ci-gcc48.yml b/.github/workflows/ci-gcc48.yml index 5e32e997..8f117fff 100644 --- a/.github/workflows/ci-gcc48.yml +++ b/.github/workflows/ci-gcc48.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,9 +16,14 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: install simdjson - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: simdjson/simdjson path: src/simdjson diff --git a/.github/workflows/ci-gcc5.yml b/.github/workflows/ci-gcc5.yml index dab43d0e..b9682c44 100644 --- a/.github/workflows/ci-gcc5.yml 
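Review bot: The `install simdjson` checkout still fetches `simdjson/simdjson` with no `ref:`, so the job builds whatever the default branch of a third-party repository points at on the day it runs; pinning the action's SHA while leaving the fetched source unpinned leaves the larger supply-chain gap open. Add `ref: <release-tag-or-commit>` under the existing `repository:` / `path:` keys, and pin it the same way in ci-gcc5.yml and ci-gcc7.yml, which carry the identical step. Since Dependabot's `github-actions` ecosystem does not track `ref:` values, note the chosen pin in a comment so it gets bumped deliberately.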
+++ b/.github/workflows/ci-gcc5.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,9 +16,14 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: install simdjson - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: simdjson/simdjson path: src/simdjson @@ -35,7 +43,7 @@ jobs: cd ${{ github.workspace }}/build make install -j$(nproc) - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: PCMforLinuxGCC5 path: build/bin/* diff --git a/.github/workflows/ci-gcc7.yml b/.github/workflows/ci-gcc7.yml index 1af1b7a3..b58b097a 100644 --- a/.github/workflows/ci-gcc7.yml +++ b/.github/workflows/ci-gcc7.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,9 +16,14 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: install simdjson - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: simdjson/simdjson path: src/simdjson diff --git a/.github/workflows/ci-gcc9.yml b/.github/workflows/ci-gcc9.yml index caa3ee90..4ca0fc41 100644 --- a/.github/workflows/ci-gcc9.yml +++ b/.github/workflows/ci-gcc9.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: 
@@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index 0f1aeb38..bc0fe729 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ '**' ] +permissions: + contents: read + jobs: build: @@ -13,7 +16,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake 
@@ -32,55 +40,55 @@ jobs: sh ${{ github.workspace }}/tests/test.sh 2>&1 | tee test-log.txt - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-${{ github.sha }} path: test-log.txt - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-tr-wo_ext-${{ github.sha }} path: build/bin/raw_tr_wo_ext.csv - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-tr-wi_ext-${{ github.sha }} path: build/bin/raw_tr_wi_ext.csv - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: pcm-csv-${{ github.sha }} path: build/bin/pcm.csv - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: pcm-memory-csv-${{ github.sha }} path: build/bin/pcm-memory.csv - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-tr-wi_ext-single_header-${{ github.sha }} path: build/bin/raw_tr_wi_ext_single_header.csv - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-edp-${{ github.sha }} path: build/bin/raw_edp.txt - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-json-${{ github.sha }} path: build/bin/raw_json.json - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: 
actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: test-log-raw-edp-offlined-cores-${{ github.sha }} path: build/bin/raw_edp_offlined_cores.txt diff --git a/.github/workflows/ci-windows-ip.yml b/.github/workflows/ci-windows-ip.yml index a6ebc703..5a68ae23 100644 --- a/.github/workflows/ci-windows-ip.yml +++ b/.github/workflows/ci-windows-ip.yml @@ -2,6 +2,9 @@ name: windows-ip on: [workflow_dispatch, workflow_call] +permissions: + contents: read + jobs: build: @@ -10,6 +13,11 @@ jobs: steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: windows-ip run: | ipconfig diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml index 88c6efcd..093d1df9 100644 --- a/.github/workflows/ci-windows.yml +++ b/.github/workflows/ci-windows.yml @@ -9,6 +9,9 @@ on: env: BUILD_TYPE: Release +permissions: + contents: read + jobs: build: @@ -16,7 +19,12 @@ jobs: if: ${{ github.repository != 'intel/pcm' }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Configure CMake @@ -27,13 +35,13 @@ jobs: run: | cmake --build ${{github.workspace}}\build --config ${{env.BUILD_TYPE}} --parallel - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1.1.3 + uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3 - name: Build MSR driver run: | chdir ${{github.workspace}}\src\WinMSRDriver msbuild MSR.vcxproj /p:Configuration=Release,Platform=x64 /t:Clean,Build /m - name: upload-artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: PCMforWindows path: build/bin/**/* 
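Review bot: The Harden Runner step in ci-windows-ip.yml precedes a Windows-only `ipconfig` step, and as far as I know harden-runner's support at this version is limited to GitHub-hosted Ubuntu runners, so on this runner the step likely emits a warning and does nothing; verify against the action's compatibility table and drop the step if so, rather than leaving a no-op that reads as coverage. The same caveat applies to the macOS (`macos-12`) jobs and the other Windows jobs in this patch. The `runs-on` for this job is outside the hunk.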
diff --git a/.github/workflows/clang_scan.yml b/.github/workflows/clang_scan.yml index 86e9eeaa..e836b9f1 100644 --- a/.github/workflows/clang_scan.yml +++ b/.github/workflows/clang_scan.yml @@ -14,6 +14,9 @@ on: workflow_dispatch: # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: @@ -24,7 +27,12 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index 0949461e..1476c0a6 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -14,6 +14,9 @@ on: workflow_dispatch: # A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + jobs: # This workflow contains a single job called "build" build: @@ -23,7 +26,12 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f8788ea3..59c0b51f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -9,25 +9,30 @@ jobs: build: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Get current time - uses: 1466587594/get-current-time@v2 + uses: 1466587594/get-current-time@5979d2f4455ed5df566aa6df67cedd77d17afaa9 # v2.1.1 id: current-time with: format: YYYY-MM-DD--HH - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # v1.7.0 - name: Cache Docker layers - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -35,7 +40,7 @@ jobs: ${{ runner.os }}-buildx- - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -48,7 +53,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v2 + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0 with: platforms: linux/amd64 push: true diff --git a/.github/workflows/freebsd_build.yml b/.github/workflows/freebsd_build.yml index 10e9d2fb..ddcb3210 100644 --- a/.github/workflows/freebsd_build.yml +++ b/.github/workflows/freebsd_build.yml 
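Review bot: docker.yml is the one workflow in this patch that gets no top-level `permissions:` block, presumably because the GHCR login with `secrets.GITHUB_TOKEN` and `push: true` need more than `contents: read`; left implicit, the job inherits the repository default, which may still be the permissive legacy token. Declare what it actually needs, `permissions:` / `  contents: read` / `  packages: write`, so the least-privilege goal of the patch holds here too. The `actions/cache` pin carries only `# v2` as its version comment, unlike every other pin which records the exact release; record the exact tag the SHA resolves to so reviewers and Dependabot can match it, and note that the actions/cache v2 line is a Node 12 action that GitHub has deprecated, so a bump to a current major is due. The top of the `build` job and the workflow's triggers are outside the hunk.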
@@ -12,12 +12,17 @@ jobs: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: build in FreeBSD VM id: build - uses: cross-platform-actions/action@v0.21.0 + uses: cross-platform-actions/action@0e13474a2ba7ba382e217ad80230150266611323 # v0.21.0 with: memory: 2048 shell: sh diff --git a/.github/workflows/freebsd_scan_build.yml b/.github/workflows/freebsd_scan_build.yml index adcd731b..1a7dec8d 100644 --- a/.github/workflows/freebsd_scan_build.yml +++ b/.github/workflows/freebsd_scan_build.yml @@ -12,12 +12,17 @@ jobs: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: clang scan build in FreeBSD VM id: clang-scan-build - uses: cross-platform-actions/action@v0.21.0 + uses: cross-platform-actions/action@0e13474a2ba7ba382e217ad80230150266611323 # v0.21.0 with: memory: 2048 shell: sh diff --git a/.github/workflows/linux_make.yml b/.github/workflows/linux_make.yml index a515b9f0..d5d6f543 100644 --- a/.github/workflows/linux_make.yml +++ b/.github/workflows/linux_make.yml @@ -6,11 +6,19 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: build: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: cmake run: | rm -rf ${{ github.workspace }}/build 
@@ -22,7 +30,12 @@ jobs: build-systemd-unit: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: cmake run: | rm -rf ${{ github.workspace }}/build @@ -35,7 +48,12 @@ jobs: runs-on: ubuntu-20.04 container: ubuntu:22.04 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: install dependencies run: | apt update @@ -51,7 +69,12 @@ jobs: build-source-simdjson: runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: cmake diff --git a/.github/workflows/macos-scan-build.yml b/.github/workflows/macos-scan-build.yml index ac2d1ad5..d3c2c0a3 100644 --- a/.github/workflows/macos-scan-build.yml +++ b/.github/workflows/macos-scan-build.yml @@ -6,13 +6,21 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: build: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: cmake diff --git a/.github/workflows/macosx_build.yml b/.github/workflows/macosx_build.yml index 112d78e4..836e235e 100644 --- a/.github/workflows/macosx_build.yml +++ b/.github/workflows/macosx_build.yml 
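Review bot: The job that runs with `container: ubuntu:22.04` gets a Harden Runner step that executes inside that container, where it cannot observe or filter the runner VM's network; as far as I can tell harden-runner does not support container jobs, so this step is likely inert here and should be verified against the docs or removed from this job only. The container image is also referenced by a mutable tag, while this same patch digest-pins the Fedora base in the Dockerfile; for consistency pin it too, `container: ubuntu:22.04@sha256:<digest>`, and note that Dependabot's `docker` ecosystem does not bump workflow `container:` images, so this pin has to be maintained by hand. The job's name line is outside the hunk.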
@@ -6,13 +6,21 @@ on: pull_request: branches: [ master ] +permissions: + contents: read + jobs: build: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: submodules: recursive - name: cmake diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index b5e741fa..3b409721 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -32,6 +32,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.github/workflows/stats-cron-job.yml b/.github/workflows/stats-cron-job.yml index 52ebd053..99b06fda 100644 --- a/.github/workflows/stats-cron-job.yml +++ b/.github/workflows/stats-cron-job.yml @@ -4,10 +4,18 @@ on: schedule: - cron: '30 23 * * 2' +permissions: + contents: read + jobs: stats: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: stats run: | curl https://hetthbszh0.execute-api.us-east-2.amazonaws.com/default/pcm-clones diff --git a/Dockerfile b/Dockerfile index 25c7b38c..23768517 100644 --- a/Dockerfile +++ b/Dockerfile 
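Review bot: scorecard.yml keeps `actions/checkout` at the v3.1.0 SHA (`93ea575…`) while every other workflow in this patch moves to the v3.6.0 SHA (`f43a0e5…`); since the file is already being touched, bump it to `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` so there is a single checkout version to track. The job's `permissions:` block is above the hunk (only a commented `# actions: read` is visible), so I cannot confirm from here that it is scoped as tightly as the other workflows now are.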
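Review bot: The `stats` job's only visible network activity is a single `curl` to `hetthbszh0.execute-api.us-east-2.amazonaws.com`, which makes it the obvious place to use the blocking policy rather than audit: change the new step to `egress-policy: block` / `allowed-endpoints: >` / `  hetthbszh0.execute-api.us-east-2.amazonaws.com:443`, and a scheduled job with no checkout is the least risky place to prove the block mode out before rolling it to the build workflows. The `curl` itself runs with no `--fail`, so an HTTP error from the endpoint does not fail the job; that predates the patch. The rest of the `run:` block, if any, is outside the hunk.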
@@ -1,10 +1,10 @@ -FROM fedora:37 as builder +FROM fedora:37@sha256:de153a3928b8901ad05d8d3314a1f7680570979bd2c04c4562b817daa8358a33 as builder RUN dnf -y install gcc-c++ git findutils make cmake COPY . /tmp/pcm RUN cd /tmp/pcm && mkdir build && cd build && cmake .. && make -FROM fedora:37 +FROM fedora:37@sha256:de153a3928b8901ad05d8d3314a1f7680570979bd2c04c4562b817daa8358a33 COPY --from=builder /tmp/pcm/build/bin/* /usr/local/bin/ ENV PCM_NO_PERF=1
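Review bot: Pinning both `FROM fedora:37` lines by digest freezes the base image, which is right for reproducibility, but the `fedora:37` tag is now decorative and, as far as I recall, Fedora 37 reached end of life in late 2023, so no digest bump from the new Dependabot `docker` entry will ever bring security fixes; confirm the EOL date and move to a supported release (`fedora:<current>@sha256:…`) before relying on digest updates. The two stages should keep sharing one digest as they do now, so the builder and runtime layers stay identical. The runtime stage still runs as root with no `USER`; that predates this patch and is plausibly intentional given the tool's hardware-access needs, so I would leave it.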