ci(step-security): apply security best practices (#165)

Signed-off-by: StepSecurity Bot <[email protected]>

.github/dependabot.yml

@@ -16,4 +16,9 @@ updates:
     directory: /
     schedule:
       interval: daily
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: docker
+    directory: /integration-test
+    schedule:
+      interval: daily

.github/workflows/ci.yml

@@ -11,6 +11,11 @@ jobs:
     name: runner / formatting
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - name: Format
@@ -22,10 +27,15 @@ jobs:
     name: runner / golangci-lint
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
+        uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
         with:
           fail_on_error: true
           golangci_lint_flags: "--config=.github/.golangci.yml ./..."
@@ -34,8 +44,13 @@ jobs:
     name: runner / yamllint
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-      - uses: reviewdog/action-yamllint@v1
+      - uses: reviewdog/action-yamllint@8d79c3d034667db2792e328936811ed44953d691 # v1.14.0
         with:
           fail_on_error: true
           reporter: github-pr-review
@@ -45,21 +60,31 @@ jobs:
     name: runner / dotenv-linter
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-      - uses: dotenv-linter/action-dotenv-linter@v2
+      - uses: dotenv-linter/action-dotenv-linter@d92c8e455691d7a4d4e1d830081b0a39e4c34b88 # v2.21.0
         with:
           reporter: github-pr-review
 
   check-dependencies:
     name: runner / check-dependencies
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
       - name: WriteGoList
         run: go list -json -m all > go.list
       - name: Nancy
-        uses: sonatype-nexus-community/nancy-github-action@main
+        uses: sonatype-nexus-community/nancy-github-action@395e2fb168f674f96502e5652103d112899ea369 # main
         continue-on-error: true
       - name: "Dependency Review"
         uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
@@ -72,6 +97,11 @@ jobs:
         go-version: [1.21.x, 1.22.x]
         os: [windows-2019, windows-2022, ubuntu-22.04, ubuntu-20.04]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:

.github/workflows/release.yml

@@ -11,6 +11,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -26,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Check out Sample Web UI
-        uses: actions/checkout@master
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
         with:
           repository: open-amt-cloud-toolkit/sample-web-ui
           ref: enterprise #TODO: pull latest tagged version

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.16.3
+  hooks:
+  - id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.52.2
+  hooks:
+  - id: golangci-lint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.4.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace

Dockerfile

@@ -1,11 +1,11 @@
 # Step 1: Modules caching
-FROM golang:1.22-alpine3.19 as modules
+FROM golang:1.22-alpine3.19@sha256:f1fe698725f6ed14eb944dc587591f134632ed47fc0732ec27c7642adbe90618 as modules
 COPY go.mod go.sum /modules/
 WORKDIR /modules
 RUN go mod download
 
 # Step 2: Builder
-FROM golang:1.22-alpine3.19 as builder
+FROM golang:1.22-alpine3.19@sha256:f1fe698725f6ed14eb944dc587591f134632ed47fc0732ec27c7642adbe90618 as builder
 COPY --from=modules /go/pkg /go/pkg
 COPY . /app
 WORKDIR /app

integration-test/Dockerfile

@@ -1,11 +1,11 @@
 # Step 1: Modules caching
-FROM golang:1.22-alpine3.19 as modules
+FROM golang:1.22-alpine3.19@sha256:f1fe698725f6ed14eb944dc587591f134632ed47fc0732ec27c7642adbe90618 as modules
 COPY go.mod go.sum /modules/
 WORKDIR /modules
 RUN go mod download
 
 # Step 2: Tests
-FROM golang:1.22-alpine3.19
+FROM golang:1.22-alpine3.19@sha256:f1fe698725f6ed14eb944dc587591f134632ed47fc0732ec27c7642adbe90618
 COPY --from=modules /go/pkg /go/pkg
 COPY . /app
 WORKDIR /app