
Commit a52f78b

committed
chore: apply security best practices for CI (caddyserver#7066)
* chore: apply security best practices for CI Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * remove redundant codeql job Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * run scorecard flow on PRs Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> --------- Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
1 parent 6dc1e84 commit a52f78b


8 files changed

+117
-26
lines changed


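--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,8 @@ updates:
 directory: "/"
 schedule:
 interval: "monthly"
+
+- package-ecosystem: gomod
+directory: /
+schedule:
+interval: weekly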
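Review bot: The new gomod entry quotes neither `directory: /` nor `interval: weekly`, while the existing github-actions entry directly above it writes `directory: "/"` and `interval: "monthly"`; both parse to the same strings, but the file now mixes two quoting styles within one list. Suggest `directory: "/"` and `interval: "weekly"` to match. Note also that Dependabot covers Actions and Go modules only, so the revs in the new .pre-commit-config.yaml will not be updated by this configuration.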

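--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,9 @@ env:
 # https://github.com/actions/setup-go/issues/491
 GOTOOLCHAIN: local
 
+permissions:
+contents: read
+
 jobs:
 test:
 strategy:
@@ -60,11 +63,16 @@ jobs:
 pull-requests: read
 actions: write # to allow uploading artifacts and cache
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ matrix.GO_SEMVER }}
 check-latest: true
@@ -111,7 +119,7 @@ jobs:
 ./caddy stop
 
 - name: Publish Build Artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: caddy_${{ runner.os }}_go${{ matrix.go }}_${{ steps.vars.outputs.short_sha }}
 path: ${{ matrix.CADDY_BIN_PATH }}
@@ -152,8 +160,14 @@ jobs:
 if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
 continue-on-error: true # August 2020: s390x VM is down due to weather and power issues
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+allowed-endpoints: ci-s390x.caddyserver.com:22
+
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Run Tests
 run: |
 set +e
@@ -205,23 +219,28 @@ jobs:
 pull-requests: read
 if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]'
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-- uses: goreleaser/goreleaser-action@v6
+- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
 with:
 version: latest
 args: check
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: "~1.24"
 check-latest: true
 - name: Install xcaddy
 run: |
 go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
 xcaddy version
-- uses: goreleaser/goreleaser-action@v6
+- uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
 with:
 version: latest
 args: build --single-target --snapshot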
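Review bot: In the s390x job hunk, `allowed-endpoints: ci-s390x.caddyserver.com:22` is combined with `egress-policy: audit`, but harden-runner only enforces the allow-list under `egress-policy: block`; as written the entry documents intent without restricting anything, and switching that job to block would also require listing the GitHub and Go module proxy endpoints the checkout and test steps use. The same audit-only posture is introduced in cross-build.yml, lint.yml, release.yml, release_published.yml and scorecard.yml, so this commit adds visibility but no egress enforcement — worth a one-line comment such as `# audit only: logs outbound calls, blocks nothing; allowed-endpoints takes effect only with egress-policy: block` so a later reader does not assume otherwise. Separately, while the action refs are now SHA-pinned, `version: latest` on both goreleaser steps and `xcaddy@latest` in the install step still resolve to whatever is newest at run time; those predate this commit but sit in the same hunk and are the remaining floating inputs in these jobs.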

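--- a/.github/workflows/cross-build.yml
+++ b/.github/workflows/cross-build.yml
@@ -14,6 +14,9 @@ env:
 # https://github.com/actions/setup-go/issues/491
 GOTOOLCHAIN: local
 
+permissions:
+contents: read
+
 jobs:
 build:
 strategy:
@@ -45,11 +48,16 @@ jobs:
 pull-requests: read
 continue-on-error: true
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ matrix.GO_SEMVER }}
 check-latest: true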

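--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -44,14 +44,19 @@ jobs:
 runs-on: ${{ matrix.OS_LABEL }}
 
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-go@v5
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: '~1.24'
 check-latest: true
 
 - name: golangci-lint
-uses: golangci/golangci-lint-action@v8
+uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
 with:
 version: latest
 
@@ -67,8 +72,13 @@ jobs:
 pull-requests: read
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: govulncheck
-uses: golang/govulncheck-action@v1
+uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
 with:
 go-version-input: '~1.24.1'
 check-latest: true
@@ -79,10 +89,15 @@ jobs:
 contents: read
 pull-requests: write
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: 'Checkout Repository'
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: 'Dependency Review'
-uses: actions/dependency-review-action@v4
+uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
 with:
 comment-summary-in-pr: on-failure
 # https://github.com/actions/dependency-review-action/issues/430#issuecomment-1468975566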
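Review bot: In the first hunk the golangci-lint-action ref is pinned to a SHA, but the linter binary it downloads is still selected by `version: latest` two lines below, so the tool that actually runs on every push keeps floating and a lint failure (or a missed one) can appear without any change to this repository. Pin it to a release, e.g. `version: "<pinned golangci-lint release>"`, and let Dependabot-style bumps move it deliberately. A smaller style point in the same hunk: the lint job's checkout and setup-go steps are the only ones in these workflows without a `name:`, whereas every other job uses `- name: Checkout code` / `- name: Install Go`; naming them keeps the job logs consistent across files.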

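--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,9 @@ env:
 # https://github.com/actions/setup-go/issues/491
 GOTOOLCHAIN: local
 
+permissions:
+contents: read
+
 jobs:
 release:
 name: Release
@@ -35,19 +38,24 @@ jobs:
 contents: write
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 with:
 go-version: ${{ matrix.GO_SEMVER }}
 check-latest: true
 
 # Force fetch upstream tags -- because 65 minutes
-# tl;dr: actions/checkout@v4 runs this line:
+# tl;dr: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 runs this line:
 # git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
 # which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
 # git fetch --prune --unshallow
@@ -101,11 +109,11 @@ jobs:
 git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
 
 - name: Install Cosign
-uses: sigstore/cosign-installer@main
+uses: sigstore/cosign-installer@e9a05e6d32d7ed22b5656cd874ef31af58d05bfa # main
 - name: Cosign version
 run: cosign version
 - name: Install Syft
-uses: anchore/sbom-action/download-syft@main
+uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9 # main
 - name: Syft version
 run: syft version
 - name: Install xcaddy
@@ -114,7 +122,7 @@ jobs:
 xcaddy version
 # GoReleaser will take care of publishing those artifacts into the release
 - name: Run GoReleaser
-uses: goreleaser/goreleaser-action@v6
+uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
 with:
 version: latest
 args: release --clean --timeout 60m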
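Review bot: In the cosign/syft hunk, `sigstore/cosign-installer@… # main` and `anchore/sbom-action/download-syft@… # main` pin to whatever commit happened to be at the tip of the default branch rather than to a tagged release, so the trailing comment names no version, the SHA cannot be matched against release notes, and automated bumps will only ever move it to a newer untagged tip; since this is the job that signs release artifacts and builds the SBOM, pin both to a release-tag SHA with a `# vX.Y.Z` comment instead. In the tags hunk, the blanket replace also rewrote a prose comment into `# tl;dr: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 runs this line:`, which now contains a nested `#` and reads as an artifact; `# tl;dr: actions/checkout (v4.2.2) runs this line:` keeps the explanation readable without a SHA that will go stale on the next bump.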

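--- a/.github/workflows/release_published.yml
+++ b/.github/workflows/release_published.yml
@@ -5,6 +5,9 @@ on:
 release:
 types: [published]
 
+permissions:
+contents: read
+
 jobs:
 release:
 name: Release Published
@@ -20,16 +23,21 @@ jobs:
 steps:
 
 # See https://github.com/peter-evans/repository-dispatch
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: Trigger event on caddyserver/dist
-uses: peter-evans/repository-dispatch@v3
+uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
 with:
 token: ${{ secrets.REPO_DISPATCH_TOKEN }}
 repository: caddyserver/dist
 event-type: release-tagged
 client-payload: '{"tag": "${{ github.event.release.tag_name }}"}'
 
 - name: Trigger event on caddyserver/caddy-docker
-uses: peter-evans/repository-dispatch@v3
+uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
 with:
 token: ${{ secrets.REPO_DISPATCH_TOKEN }}
 repository: caddyserver/caddy-docker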
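Review bot: In the steps hunk the harden-runner step was inserted directly under `# See https://github.com/peter-evans/repository-dispatch`, so that comment now documents the wrong step: it explains the two `repository-dispatch` steps that follow, not the runner hardening. Move the comment down so it sits immediately above `- name: Trigger event on caddyserver/dist` (or drop the blank line and place the new step above the comment). Since this job forwards `secrets.REPO_DISPATCH_TOKEN` to two downstream repositories, it would also help to note in a comment that `egress-policy: audit` records outbound calls but does not constrain them.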

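--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -12,7 +12,10 @@ on:
 schedule:
 - cron: '20 2 * * 5'
 push:
-branches: [ "master" ]
+branches: [ "master", "2.*" ]
+pull_request:
+branches: [ "master", "2.*" ]
+
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -33,6 +36,11 @@ jobs:
 # actions: read
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+with:
+egress-policy: audit
+
 - name: "Checkout code"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -73,6 +81,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
 with:
 sarif_file: results.sarif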
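Review bot: The new `pull_request:` trigger in the first hunk runs this workflow on pull requests, but for PRs from forks the token is read-only and write scopes are not granted, so the `github/codeql-action/upload-sarif` step in the last hunk (which needs `security-events: write`) is likely to fail on those runs; the job's permissions block is outside the hunk, so this is inferred from the `# actions: read` fragment and the upload step rather than seen directly. If the intent is only to lint the workflow on PRs, guard the upload with `if: github.event_name != 'pull_request'` or accept the failure explicitly with a comment. The trailing `+` blank line after the new `branches:` entry also leaves two consecutive blank lines before `# Declare default permissions as read only.`.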

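--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,20 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+rev: v8.16.3
+hooks:
+- id: gitleaks
+- repo: https://github.com/golangci/golangci-lint
+rev: v1.52.2
+hooks:
+- id: golangci-lint-config-verify
+- id: golangci-lint
+- id: golangci-lint-fmt
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+rev: 3.0.0
+hooks:
+- id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.4.0
+hooks:
+- id: end-of-file-fixer
+- id: trailing-whitespace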
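Review bot: The golangci-lint repo is pinned at `rev: v1.52.2` while the hook ids `golangci-lint-config-verify` and `golangci-lint-fmt` correspond, as far as I know, to commands added in later releases (`fmt` being a v2 command), so pre-commit may fail to resolve those hooks at that rev; verify with `pre-commit run --all-files` before relying on it. The rev is also on a different major line from the golangci-lint-action v8.0.0 pinned in lint.yml, so local and CI lint results can disagree even when both succeed — pinning both to the same golangci-lint release avoids that. Since dependabot.yml does not cover pre-commit, a short comment such as `# keep revs current with: pre-commit autoupdate` would tell contributors how these pins are meant to be maintained.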
