OSSF Best Practices (#226)

* update action

* udpate pre-commit

* add venv to gitignore

* return action

* update based on public

* keep internal functionality

* remove dependency review

* add dep review for public

* update on-push

* verify scorecard

* lint actions

* update cron

* test non-standard cron

* revert

Author: Tyler Titsworth

.github/action.yml

@@ -69,7 +69,7 @@ runs:
         REGISTRY=${{ inputs.registry }} \
         REPO=${{ inputs.repo }} \
         COMPOSE_PROJECT_NAME=${{ env.random-number }} \
-        ${{ inputs.env_overrides }} docker compose -p ${{ env.random-number }} images --format json | jq '.[] | "\(.Repository):\(.Tag)"' >> $GITHUB_STEP_SUMMARY
+        ${{ inputs.env_overrides }} docker compose -p ${{ env.random-number }} images --format json | jq --arg registry "${{ secrets.registry }}" '.[] | select(.Repository | contains($registry)) | "\(.Repository):\(.Tag)"' | jq -s '.' >> $GITHUB_STEP_SUMMARY
       working-directory: ${{ inputs.group_dir }}
     - name: Un-Tag Containers
       if: ${{ always() }}

.github/dependabot.yml

@@ -19,11 +19,15 @@
 
 version: 2
 updates:
-  - package-ecosystem: "pip" # See documentation for possible values
-    directory: "test-runner/" # Location of package manifests
+  - package-ecosystem: pip
+    directory: /test-runner
     schedule:
-      interval: "weekly"
-  - package-ecosystem: "github-actions" # See documentation for possible values
-    directory: ".github/workflows" # Location of package manifests
+      interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: weekly
+  - package-ecosystem: pip
+    directory: /pytorch/serving
+    schedule:
+      interval: weekly

.github/workflows/bandit.yaml

@@ -57,6 +57,9 @@ jobs:
       matrix: ${{ steps.matrix.outputs.matrix }}
     runs-on: [ k8-runners ]
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Set Matrix
         id: matrix
@@ -83,11 +86,14 @@ jobs:
       matrix: ${{ fromJson(needs.setup-build-matrix.outputs.matrix) }}
       fail-fast: false
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
         if: ${{ !inputs.no-build }}
       - uses: docker/login-action@v3
         with:
-          registry: ${{ vars.REGISTRY }}
+          registry: ${{ secrets.REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
         if: ${{ !inputs.no-build }}
@@ -99,15 +105,18 @@ jobs:
         with:
           group_dir: ${{ inputs.group_dir }}
           env_overrides: ${{ inputs.env_overrides }}
-          registry: ${{ vars.REGISTRY }}
-          repo: ${{ vars.REPO }}
+          registry: ${{ secrets.REGISTRY }}
+          repo: ${{ secrets.REPO }}
           no-push: false
   setup-test:
     needs: [ build-containers ]
     runs-on: [ k8-runners ]
     outputs:
       recipes: ${{ steps.recipes.outputs.RECIPES }}
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Get Recipes
         id: recipes
@@ -122,18 +131,21 @@ jobs:
         experimental: [true]
       fail-fast: false
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - uses: docker/login-action@v3
         with:
-          registry: ${{ vars.REGISTRY }}
+          registry: ${{ secrets.REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
       - name: Test Container Group
         uses: ./test-runner
         with:
-          mlops_repo: ${{ vars.MLOPS_REPO }}
+          mlops_repo: ${{ secrets.MLOPS_REPO }}
           mlops_ref: ${{ github.ref }}
           recipe_dir: ${{ inputs.group_dir }}
-          registry: ${{ vars.REGISTRY }}
+          registry: ${{ secrets.REGISTRY }}
           test_dir: ${{ matrix.recipe }}
           token: ${{ github.token }}

.github/workflows/container-pipeline-tester.yaml

@@ -0,0 +1,40 @@
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4

.github/workflows/dependency-review.yaml

@@ -27,13 +27,11 @@ concurrency:
 jobs:
   build:
     name: Lint
-    runs-on: [k8-runners]
-    permissions:
-      contents: read
-      packages: read
-      # To report GitHub Actions status checks
-      statuses: write
+    runs-on: k8-runners # ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checkout code
         uses: actions/checkout@v4
         with:

.github/workflows/lint.yaml

@@ -31,6 +31,9 @@ jobs:
       runner_label: ${{ steps.comment-inputs.outputs.runner_label }}
       no-build: ${{ steps.comment-inputs.outputs.no-build || false }}
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Get Inputs
         id: comment-inputs
@@ -89,6 +92,9 @@ jobs:
       pull-requests: write
     runs-on: [ k8-runners ]
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Unlock
         if: ${{ needs.check-review.result != 'skipped' }}
         uses: actions/github-script@v7

.github/workflows/ossf.yaml

@@ -0,0 +1,57 @@
+# Copyright (c) 2024 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '0 6 * * 0'
+  push:
+    branches: [ "main" ]
+  workflow_dispatch:
+permissions: read-all
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: ossf/scorecard-action@v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.ACTION_TOKEN }}
+          publish_results: true
+      - uses: actions/upload-artifact@v3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - uses: github/codeql-action/upload-sarif@v3.24.10
+        with:
+          sarif_file: results.sarif

.github/workflows/review-trigger.yml

@@ -15,23 +15,28 @@
 ---
 name: Test Runner Unit Tests
 on:
-  pull_request:
+  push: null
 permissions: read-all
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
   unit-test:
-    runs-on: [ test-runner ]
+    runs-on: [ k8-runners ]
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - uses: docker/login-action@v3
         with:
-          registry: ${{ vars.REGISTRY }}
+          registry: ${{ secrets.REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
       - name: Install requirements
         run: |
+          sudo apt-get update -y
+          sudo apt-get install python3.8-venv -y
           python -m venv venv
           source venv/bin/activate
           venv/bin/python -m pip install pytest hypothesis
@@ -41,4 +46,4 @@ jobs:
         run: venv/bin/python -m pytest tests/utest.py -W ignore::UserWarning
         working-directory: ${{ github.workspace }}/test-runner
         env:
-          REGISTRY: ${{ vars.REGISTRY }}
+          REGISTRY: ${{ secrets.REGISTRY }}