[StepSecurity] Apply security best practices #627

Merged
11 changes: 11 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,11 @@
version: 2
updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily

- package-ecosystem: docker
directory: /
schedule:
interval: daily
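Review bot: The `github-actions` entry will rewrite the `# v3.6.0`-style trailing comments that the workflow hunks in this PR add next to each SHA pin, so those comments should be treated as Dependabot-maintained rather than hand-edited; a comment here such as `# Dependabot bumps SHA-pinned actions and their trailing version comment together` would make that explicit. A `daily` interval for both ecosystems opens a PR per upstream release; `weekly` is also a supported value if review bandwidth is a concern. The `docker` entry at `directory: /` presumes a Dockerfile at the repository root, which this diff does not show — confirm one exists, otherwise the entry is a no-op.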
10 changes: 9 additions & 1 deletion .github/workflows/ci-clang-scan.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-clang-scan
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: Configure CMake
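Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections and blocks nothing, so the step adds visibility but no enforcement until it is switched to `egress-policy: block` with an `allowed-endpoints:` list derived from the audit output. The same step is added in ci-cmake-options, ci-cov-linux-report, ci-cov-linux, ci-cov-python, ci-cov-windows-report, ci-cov-windows, ci-cpack (both jobs), ci-cppcheck, ci-gcc10, ci-gcc48, ci-gcc5 and ci-gcc7. All of these jobs run on self-hosted labels (`runs-on: ci-clang-scan` here, `ci-kw-windows` in the two Windows workflows); harden-runner is documented for GitHub-hosted Ubuntu runners and ARC-based self-hosted runners, so on these runners — and on Windows in particular — the step may no-op or fail, which a run log should confirm before the audit data is relied on. The workflow-level `permissions: contents: read` is the right baseline; the `build` job continues past the hunk.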
10 changes: 9 additions & 1 deletion .github/workflows/ci-cmake-options.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-gcc10
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive

12 changes: 10 additions & 2 deletions .github/workflows/ci-cov-linux-report.yml
Expand Up @@ -2,14 +2,22 @@ name: coverity-linux-and-python-report

on: [workflow_dispatch, workflow_call]

permissions:
contents: read

jobs:
build:

runs-on: ci-kw-linux
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive

Expand All @@ -29,7 +37,7 @@ jobs:
ci-cov-linux-report.sh PCM.linux.and.python

- name: upload-artifact
uses: actions/[email protected]
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with:
name: coverity-linux-and-python-report-${{ github.sha }}
path: "*-Report.pdf"
10 changes: 9 additions & 1 deletion .github/workflows/ci-cov-linux.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-kw-linux
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: coverity-linux
10 changes: 9 additions & 1 deletion .github/workflows/ci-cov-python.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-kw-linux
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: coverity-python
14 changes: 11 additions & 3 deletions .github/workflows/ci-cov-windows-report.yml
Expand Up @@ -2,19 +2,27 @@ name: coverity-windows

on: [workflow_dispatch, workflow_call]

permissions:
contents: read

jobs:
build:

runs-on: ci-kw-windows
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive

- name: Add MSBuild to PATH
uses: microsoft/[email protected]
uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3

- name: coverity-windows
run: |
Expand All @@ -40,7 +48,7 @@ jobs:
c:\pcm\ci-cov-windows-report.ps1 PCM.windows-all

- name: upload-artifact
uses: actions/[email protected]
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with:
name: coverity-windows-all-report-${{ github.sha }}
path: "*-Report.pdf"
12 changes: 10 additions & 2 deletions .github/workflows/ci-cov-windows.yml
Expand Up @@ -6,19 +6,27 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-kw-windows
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive

- name: Add MSBuild to PATH
uses: microsoft/[email protected]
uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3

- name: coverity-windows
run: |
17 changes: 15 additions & 2 deletions .github/workflows/ci-cpack.yml
Expand Up @@ -6,13 +6,21 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
job-build1:
runs-on: ci-gcc9
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: Configure CMake
Expand All @@ -35,7 +43,12 @@ jobs:
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: Configure CMake
10 changes: 9 additions & 1 deletion .github/workflows/ci-cppcheck.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-cppcheck
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: cppcheck_script
10 changes: 9 additions & 1 deletion .github/workflows/ci-gcc10.yml
Expand Up @@ -6,14 +6,22 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-gcc10
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
submodules: recursive
- name: Configure CMake
12 changes: 10 additions & 2 deletions .github/workflows/ci-gcc48.yml
Expand Up @@ -6,16 +6,24 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-gcc48
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: install simdjson
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: simdjson/simdjson
path: src/simdjson
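Review bot: The second checkout at `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` pins the action but not what it fetches — `repository: simdjson/simdjson` is cloned with no `ref:` visible in the hunk, so the build consumes whatever the upstream default branch holds at run time. If a `ref:` is set further down (the step continues past the hunk), it should name a tag or commit SHA rather than a branch; otherwise add one, e.g. `ref: <pinned-simdjson-tag-or-sha>`. The same pattern appears in ci-gcc5 and ci-gcc7.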
14 changes: 11 additions & 3 deletions .github/workflows/ci-gcc5.yml
Expand Up @@ -6,16 +6,24 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-gcc5
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: install simdjson
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: simdjson/simdjson
path: src/simdjson
Expand All @@ -35,7 +43,7 @@ jobs:
cd ${{ github.workspace }}/build
make install -j$(nproc)
- name: upload-artifact
uses: actions/[email protected]
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with:
name: PCMforLinuxGCC5
path: build/bin/*
12 changes: 10 additions & 2 deletions .github/workflows/ci-gcc7.yml
Expand Up @@ -6,16 +6,24 @@ on:
pull_request:
branches: [ '**' ]

permissions:
contents: read

jobs:
build:

runs-on: ci-gcc7
if: ${{ github.repository != 'intel/pcm' }}

steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: install simdjson
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
repository: simdjson/simdjson
path: src/simdjson