Skip to content

Commit

Permalink
[StepSecurity] ci: Harden GitHub Actions (#145)
Browse files Browse the repository at this point in the history 
Signed-off-by: StepSecurity Bot <[email protected]>
  • Loading branch information
@step-security-bot
step-security-bot authored Dec 4, 2024
1 parent f3ef6d1 commit 4aa736b
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 26 deletions.
11 changes: 7 additions & 4 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ on:
schedule:
- cron: '21 6 * * 3'

permissions:
contents: read

jobs:
analyze:
name: Analyze (${{ matrix.language }})
Expand Down Expand Up @@ -61,11 +64,11 @@ jobs:
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
Expand All @@ -90,7 +93,7 @@ jobs:
# We currently (as of December 4th, 2024) need to build manually, because the Ubunutu images
# don't have .NET 9 installed on them.
name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand All @@ -106,6 +109,6 @@ jobs:
run: dotnet test OwaspHeaders.Core.sln --verbosity minimal

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
with:
category: "/language:${{matrix.language}}"
28 changes: 17 additions & 11 deletions .github/workflows/dotnet.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ on:
- 'example/**'
- '.github/workflows/**'

permissions:
contents: read

jobs:

check-code-formatting:
Expand All @@ -18,12 +21,12 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1

- name: Setup .NET
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand All @@ -41,12 +44,12 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand All @@ -59,35 +62,38 @@ jobs:
test:
# This job is adapted from https://josh-ops.com/posts/github-code-coverage/
# It adds a code coverage report to all PR builds
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: write # for marocchino/sticky-pull-request-comment to create or update PR comment
needs: [build]
runs-on: ubuntu-latest
name: Run all tests and generate PR-level code coverage report

steps:

- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

- name: Run all tests
run: dotnet test OwaspHeaders.Core.sln --verbosity minimal --collect:"XPlat Code Coverage" --logger trx --results-directory coverage

- name: Code Coverage Summary Report
uses: irongut/[email protected]
uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0
with:
filename: 'coverage/*/coverage.cobertura.xml'
badge: true
format: 'markdown'
output: 'both'

- name: Add Coverage PR Comment
uses: marocchino/[email protected]
uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2.9.0
if: github.event_name == 'pull_request'
with:
recreate: true
Expand All @@ -103,19 +109,19 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

- name: Build NuGet Package
run: dotnet pack src/OwaspHeaders.Core.csproj --configuration Release

- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: ${{ success() }}
with:
name: OwaspHeaders.Core
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/pages.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,25 +36,25 @@ jobs:
working-directory: docs
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
with:
ruby-version: '3.3' # Not needed with a .ruby-version file
bundler-cache: true # runs 'bundle install' and caches installed gems automatically
cache-version: 0 # Increment this number if you need to re-download cached gems
working-directory: '${{ github.workspace }}/docs' # the directory containing the docs files to render
- name: Setup Pages
id: pages
uses: actions/configure-pages@v5
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
- name: Build with Jekyll
# Outputs to the './_site' directory by default
run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
env:
JEKYLL_ENV: production
- name: Upload artifact
# Automatically uploads an artifact from the './_site' directory by default
uses: actions/upload-pages-artifact@v3
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: "docs/_site/"

Expand All @@ -68,4 +68,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
15 changes: 9 additions & 6 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ on:
- '.github/workflows/**'
- 'README-NuGet.md'

permissions:
contents: read

jobs:

build:
Expand All @@ -20,12 +23,12 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand All @@ -42,12 +45,12 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand All @@ -62,12 +65,12 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Setup .NET SDK
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
with:
dotnet-version: '9.0.x'

Expand Down

0 comments on commit 4aa736b

Please sign in to comment.