ci: [StepSecurity] Apply security best practices (#870)

Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: Anish Ramasekar <[email protected]>
Azure · Apr 27, 2023 · 384ce52 · 384ce52
1 parent 7460246
commit 384ce52
Show file tree

Hide file tree

Showing 13 changed files with 336 additions and 24 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -34,3 +34,144 @@ updates:
         update-types:
         - "version-update:semver-major"
         - "version-update:semver-minor"
+
+
+  - package-ecosystem: docker
+    directory: /examples/azure-identity/dotnet
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: nuget
+    directory: /examples/azure-identity/dotnet
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/azure-identity/go
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: gomod
+    directory: /examples/azure-identity/go
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/azure-identity/java
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/azure-identity/node
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: npm
+    directory: /examples/azure-identity/node
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/azure-identity/python
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: pip
+    directory: /examples/azure-identity/python
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/msal-go
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: gomod
+    directory: /examples/msal-go
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/msal-java
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/msal-net/akvdotnet
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: nuget
+    directory: /examples/msal-net/akvdotnet
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/msal-node
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: npm
+    directory: /examples/msal-node
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: docker
+    directory: /examples/msal-python
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: pip
+    directory: /examples/msal-python
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: maven
+    directory: /examples/azure-identity/java
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
+
+  - package-ecosystem: maven
+    directory: /examples/msal-java
+    schedule:
+      interval: daily
+    commit-message:
+      prefix: "chore"
diff --git a/.github/workflows/azwi-build.yaml b/.github/workflows/azwi-build.yaml
@@ -12,6 +12,9 @@ on:
       - docs/**
       - README.md
 
+permissions:
+  contents: read
+
 jobs:
   azwi_build:
     strategy:
@@ -21,11 +24,16 @@ jobs:
         env: [ubuntu-20.04, macos-11]
     runs-on: ${{ matrix.env }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "1.20"
       - name: Build azwi

diff --git a/.github/workflows/azwi-e2e.yaml b/.github/workflows/azwi-e2e.yaml
@@ -26,11 +26,16 @@ jobs:
         env: [ubuntu-20.04]
     runs-on: ${{ matrix.env }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "1.20"
       - name: Azure CLI
@@ -51,7 +56,7 @@ jobs:
           make kind-create
       - name: Build azwi
         run: make bin/azwi
-      - uses: azure/[email protected]
+      - uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
         with:
           client-id: ${{ env.AZURE_CLIENT_ID }}
           tenant-id: ${{ env.AZURE_TENANT_ID }}
@@ -99,11 +104,16 @@ jobs:
         env: [ubuntu-20.04, macos-11]
     runs-on: ${{ matrix.env }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "1.20"
       - name: Build azwi

diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
@@ -15,12 +15,17 @@ jobs:
   deploy:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           submodules: true
           fetch-depth: 0
       - name: Publish Helm chart
-        uses: stefanprodan/[email protected]
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           charts_dir: charts

diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
@@ -13,8 +13,13 @@ jobs:
   codecov:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "^1.20"
       - name: Run tests

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -20,6 +20,11 @@ jobs:
       security-events: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 

diff --git a/.github/workflows/create-release-pull-request.yaml b/.github/workflows/create-release-pull-request.yaml
@@ -18,24 +18,29 @@ jobs:
   create-release-pull-request:
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
       - name: validate version
         run: |
           echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]+|-beta\.[0-9]+|-rc\.[0-9]+)?$'
           echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(main|release-[0-9]+\.[0-9]+)$'
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           submodules: true
           fetch-depth: 0
           ref: "${{ github.event.inputs.based_on_branch }}"
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "1.20"
       - run: make release-manifest
         env:
           NEW_VERSION: "${{ github.event.inputs.release_version }}"
       - run: make promote-staging-manifest
       - name: Create release pull request
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 # v5.0.0
         with:
           commit-message: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"
           title: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"

diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -15,11 +15,16 @@ jobs:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
         with:
           submodules: true
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: "1.20"
       - id: get-tag
@@ -29,7 +34,7 @@ jobs:
         run: |
           git tag ${{ steps.get-tag.outputs.tag }}
       - name: Goreleaser
-        uses: goreleaser/goreleaser-action@v4
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         with:
           version: latest
           args: release --rm-dist --timeout 150m --debug

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/markdown-link-check.yaml b/.github/workflows/markdown-link-check.yaml
@@ -17,8 +17,13 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+    - name: Harden Runner
+      uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+    - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
       with:
         # this will only show errors in the output
         use-quiet-mode: 'yes'