Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Runner Labels and GHA Hardening #419

Merged
merged 1 commit into from
Sep 26, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions .github/workflows/apptainer-ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,14 @@ permissions: read-all

jobs:
group-diff:
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
outputs:
groups: ${{ steps.group-list.outputs.FOLDERS }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
Expand Down Expand Up @@ -59,7 +63,7 @@ jobs:
DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)')
echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT

setup-build:
build:
needs: [group-diff]
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
if: needs.group-diff.outputs.groups != '[""]'
Expand All @@ -69,6 +73,10 @@ jobs:
experimental: [true]
fail-fast: false
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: eWaterCycle/setup-apptainer@4bb22c52d4f63406c49e94c804632975787312b3 # v2.0.0
with:
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/container-ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ jobs:
setup-build:
outputs:
matrix: ${{ steps.build-matrix.outputs.matrix }}
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:
setup-scan:
needs: [build-containers]
if: ${{ github.event_name == 'pull_request' }}
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.scan-matrix.outputs.matrix }}
steps:
Expand Down Expand Up @@ -165,7 +165,7 @@ jobs:
####################################################################################################
setup-test:
needs: [build-containers]
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.test-matrix.outputs.matrix }}
steps:
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependency-review.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.securityscorecards.dev:443
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dockerhub-description.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ on:
permissions: read-all
jobs:
setup-matrix:
runs-on: intel-ubuntu-latest
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/docs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,18 @@ jobs:
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
permissions:
contents: read
id-token: write
# id-token: write
pages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
with:
Expand Down
12 changes: 5 additions & 7 deletions .github/workflows/integration-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,16 @@ concurrency:
cancel-in-progress: true
jobs:
group-diff:
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
outputs:
groups: ${{ steps.group-list.outputs.FOLDERS }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
Expand Down Expand Up @@ -114,13 +116,9 @@ jobs:
recreate: true
status-check:
needs: [group-diff, pipeline-ci, merge-logs]
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
runs-on: ubuntu-latest
if: always()
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- run: exit 1
if: >-
${{
Expand Down
8 changes: 5 additions & 3 deletions .github/workflows/lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,15 @@ jobs:
runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
permissions:
contents: read
actions: read
statuses: write
# statuses: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
Expand Down
17 changes: 16 additions & 1 deletion .github/workflows/scorecard.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,22 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
auth.docker.io:443
fulcio.sigstore.dev:443
github.com:443
index.docker.io:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false
Expand Down
4 changes: 0 additions & 4 deletions .github/workflows/security-report.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,6 @@ jobs:
report:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
with:
sarifReportDir: ${{ github.workspace }}
Expand Down
9 changes: 8 additions & 1 deletion .github/workflows/test-runner-ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
coveralls.io:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443
- uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
with:
parallel-finished: true
Expand Down
6 changes: 4 additions & 2 deletions .github/workflows/weekly-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,16 @@ on:
permissions: read-all
jobs:
get-groups:
runs-on: intel-ubuntu-latest
runs-on: ubuntu-latest
outputs:
groups: ${{ steps.group-list.outputs.FOLDERS }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Output Group Directories
id: group-list
Expand Down
Loading