From 74357a4acf88baf0ea7f6cced757ec2e93ff9617 Mon Sep 17 00:00:00 2001
From: carlewis
Date: Tue, 18 Jun 2024 15:30:13 +0100
Subject: [PATCH] Implement OpenSSF Scorecard suggestions (#83)

* [CP-Sec] Set permissions to the workflows tokens
* [CP-Sec] Workflow actions version pinning
---
 .github/workflows/codeql.yml | 8 +++++---
 .github/workflows/labeler.yml | 4 +++-
 .github/workflows/new-issues-to-triage-projects.yml | 9 ++++++---
 .github/workflows/scorecard.yml | 4 ++--
 .github/workflows/stale.yml | 6 ++++--
 5 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 03381af7ab..1340f776c2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,8 @@ on:
   schedule:
     - cron: '23 5 * * 5'
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze (${{ matrix.language }})
@@ -32,11 +34,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -80,6 +82,6 @@ jobs:
         cmake --build .
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 23956a02fb..ce6346a590 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
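Review bot: The new workflow-level `permissions: {}` in the first hunk strips every scope from GITHUB_TOKEN for all jobs, so the `analyze` job must declare its own `permissions:` block with `security-events: write`, `actions: read` and `contents: read` (plus `packages: read` if CodeQL packs are fetched) or the init/analyze steps will fail to upload SARIF; that job-level block would sit between the first and second hunks, outside what is shown, so please confirm it exists rather than assume the template default. The SHA pins in the second and third hunks are the right shape — keep the trailing `# vX.Y.Z` comments, since Dependabot/Renovate rely on them to propose bumps. While here, the checkout step still persists the token into `.git/config` for the later `cmake --build .` step; unless a build step needs it (e.g. private submodules), add `with:` / `persist-credentials: false` as scorecard.yml in this same patch already does.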
@@ -2,10 +2,12 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions: {}
+
 jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@main
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/new-issues-to-triage-projects.yml b/.github/workflows/new-issues-to-triage-projects.yml
index a963cb2f89..ad3f32989b 100644
--- a/.github/workflows/new-issues-to-triage-projects.yml
+++ b/.github/workflows/new-issues-to-triage-projects.yml
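Review bot: With `permissions: {}` now at the workflow level and no job-level `permissions:` on `triage` (the whole job is visible in this hunk), the GITHUB_TOKEN handed to the action as `repo-token` has no scopes at all, so actions/labeler will get a 403 the first time it tries to apply a label. Add to the `triage` job: `permissions:` / `contents: read` / `pull-requests: write` — `contents: read` lets the action fetch `.github/labeler.yml` from the default branch, `pull-requests: write` lets it label. Because this runs on `pull_request_target`, keep the job to exactly those two scopes and do not introduce a checkout of the PR head. Pinning `@main` to v5.0.0 is the right fix, but if `.github/labeler.yml` was written against the pre-v5 `any`/`all` schema it must be migrated to the `changed-files` form or the action will reject its config.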
@@ -7,27 +7,30 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+  issues: read
+
 jobs:
   assign_one_project:
     runs-on: ubuntu-latest
     name: Assign to New Issues to Triage Project
     steps:
     - name: Process bug issues
-      uses: docker://takanabe/github-actions-automate-projects:v0.0.1
+      uses: takanabe/github-actions-automate-projects@5d004c140c65fa8b4ef3b18a38219ce680bce816 # v2.0.0
       if: contains(github.event.issue.labels.*.name, 'bug') && contains(github.event.issue.labels.*.name, '? - Needs Triage')
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GITHUB_PROJECT_URL: https://github.com/NVIDIA/cutlass
         GITHUB_PROJECT_COLUMN_NAME: 'Needs prioritizing'
     - name: Process feature issues
-      uses: docker://takanabe/github-actions-automate-projects:v0.0.1
+      uses: takanabe/github-actions-automate-projects@5d004c140c65fa8b4ef3b18a38219ce680bce816 # v2.0.0
       if: contains(github.event.issue.labels.*.name, 'feature request') && contains(github.event.issue.labels.*.name, '? - Needs Triage')
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GITHUB_PROJECT_URL: https://github.com/NVIDIA/cutlass
         GITHUB_PROJECT_COLUMN_NAME: 'Needs prioritizing'
     - name: Process other issues
-      uses: docker://takanabe/github-actions-automate-projects:v0.0.1
+      uses: takanabe/github-actions-automate-projects@5d004c140c65fa8b4ef3b18a38219ce680bce816 # v2.0.0
       if: contains(github.event.issue.labels.*.name, '? - Needs Triage') && (!contains(github.event.issue.labels.*.name, 'bug') && !contains(github.event.issue.labels.*.name, 'feature request'))
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index e742840395..661a3e71d9 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
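Review bot: `issues: read` is too narrow for what this job does: every step passes GITHUB_TOKEN to an action whose inputs (`GITHUB_PROJECT_URL`, `GITHUB_PROJECT_COLUMN_NAME`) exist to create a card in a project column, which is a write against the classic Projects API and needs `repository-projects: write` in addition to reading the issue, so with the new block as written each step will fail with 403. Change the added lines to `permissions:` / `issues: read` / `repository-projects: write`; if the board is actually a Projects v2 board, GITHUB_TOKEN cannot write to it at all and an App or PAT token has to be supplied instead. The move from the `docker://…:v0.0.1` image to the `@v2.0.0` action crosses two major versions while the step inputs are untouched, so confirm that v2 still reads `GITHUB_PROJECT_URL`/`GITHUB_PROJECT_COLUMN_NAME` from the environment rather than from `with:`. Pre-existing but worth checking while here: `GITHUB_PROJECT_URL` points at the repository root rather than a project URL.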
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
@@ -48,6 +48,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8b65da69aa..bb68777c2c 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,12 +4,14 @@ on:
   schedule:
     - cron: "0 * * * *"
 
+permissions: {}
+
 jobs:
   mark-inactive-30d:
     runs-on: ubuntu-latest
     steps:
     - name: Mark 30 day inactive issues and pull requests
-      uses: actions/stale@v3
+      uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: >
@@ -35,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Mark 90 day inactive issues and pull requests
-      uses: actions/stale@v3
+      uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: >
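Review bot: In stale.yml the workflow-level `permissions: {}` leaves `mark-inactive-30d` (and the 90-day job in the second stale hunk) with a token that can do nothing, and neither job declares its own `permissions:` between the job name and `steps:`; actions/stale needs `issues: write` and `pull-requests: write` to label, comment and close, so both jobs will now fail with 403 unless a job-level block appears after the `with:` list, outside the hunk. Add to each job: `permissions:` / `issues: write` / `pull-requests: write`. The jump from `@v3` to v9.0.0 spans several major releases that may have renamed or re-defaulted inputs, and each job's `with:` block is cut off at the hunk's end, so check every key there against the v9 README before merging. The two scorecard hunks are straightforward SHA bumps and need nothing.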