aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLibravatar StepSecurity Bot <bot@stepsecurity.io>2022-10-29 12:16:32 +0000
committerLibravatar Topi Miettinen <topimiettinen@users.noreply.github.com>2022-10-31 19:52:55 +0000
commitd8a5f385bf76ad21cb8942412a370bee3e7b8ce6 (patch)
tree5620403edad06be5167a8c01cb3db0af0823f621
parentbuild(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (diff)
downloadfirejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.gz
firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.zst
firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.zip
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
-rw-r--r--.github/workflows/build-extra.yml23
-rw-r--r--.github/workflows/build.yml8
-rw-r--r--.github/workflows/codeql-analysis.yml12
-rw-r--r--.github/workflows/profile-checks.yml8
4 files changed, 51 insertions, 0 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 8c318ded8..a319e1ac6 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -32,10 +32,18 @@ on:
32 - '.github/ISSUE_TEMPLATE/*' 32 - '.github/ISSUE_TEMPLATE/*'
33 - '.github/pull_request_template.md' 33 - '.github/pull_request_template.md'
34 34
35permissions: # added using https://github.com/step-security/secure-workflows
36 contents: read
37
35jobs: 38jobs:
36 build-clang: 39 build-clang:
37 runs-on: ubuntu-22.04 40 runs-on: ubuntu-22.04
38 steps: 41 steps:
42 - name: Harden Runner
43 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
44 with:
45 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
46
39 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 47 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
40 - name: install dependencies 48 - name: install dependencies
41 run: sudo apt-get install libapparmor-dev libselinux1-dev 49 run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -50,6 +58,11 @@ jobs:
50 scan-build: 58 scan-build:
51 runs-on: ubuntu-22.04 59 runs-on: ubuntu-22.04
52 steps: 60 steps:
61 - name: Harden Runner
62 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
63 with:
64 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
65
53 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 66 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
54 - name: install clang-tools-14 and dependencies 67 - name: install clang-tools-14 and dependencies
55 run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev 68 run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -60,6 +73,11 @@ jobs:
60 cppcheck: 73 cppcheck:
61 runs-on: ubuntu-22.04 74 runs-on: ubuntu-22.04
62 steps: 75 steps:
76 - name: Harden Runner
77 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
78 with:
79 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
80
63 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 81 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
64 - name: install cppcheck 82 - name: install cppcheck
65 run: sudo apt-get install cppcheck 83 run: sudo apt-get install cppcheck
@@ -70,6 +88,11 @@ jobs:
70 cppcheck_old: 88 cppcheck_old:
71 runs-on: ubuntu-20.04 89 runs-on: ubuntu-20.04
72 steps: 90 steps:
91 - name: Harden Runner
92 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
93 with:
94 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
95
73 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 96 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
74 - name: install cppcheck 97 - name: install cppcheck
75 run: sudo apt-get install cppcheck 98 run: sudo apt-get install cppcheck
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 74f4375c9..e383c9ef2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,10 +24,18 @@ on:
24 - RELNOTES 24 - RELNOTES
25 - SECURITY.md 25 - SECURITY.md
26 26
27permissions: # added using https://github.com/step-security/secure-workflows
28 contents: read
29
27jobs: 30jobs:
28 build_and_test: 31 build_and_test:
29 runs-on: ubuntu-22.04 32 runs-on: ubuntu-22.04
30 steps: 33 steps:
34 - name: Harden Runner
35 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
36 with:
37 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
38
31 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 39 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
32 - name: update package information 40 - name: update package information
33 run: sudo apt-get update 41 run: sudo apt-get update
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 908eb8dd2..8b84f4d16 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,8 +34,15 @@ on:
34 schedule: 34 schedule:
35 - cron: '0 7 * * 2' 35 - cron: '0 7 * * 2'
36 36
37permissions: # added using https://github.com/step-security/secure-workflows
38 contents: read
39
37jobs: 40jobs:
38 analyze: 41 analyze:
42 permissions:
43 actions: read # for github/codeql-action/init to get workflow details
44 contents: read # for actions/checkout to fetch code
45 security-events: write # for github/codeql-action/autobuild to send a status report
39 name: Analyze 46 name: Analyze
40 runs-on: ubuntu-latest 47 runs-on: ubuntu-latest
41 48
@@ -48,6 +55,11 @@ jobs:
48 # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed 55 # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
49 56
50 steps: 57 steps:
58 - name: Harden Runner
59 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
60 with:
61 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
62
51 - name: Checkout repository 63 - name: Checkout repository
52 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 64 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
53 65
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
index a530cdff5..f5de62412 100644
--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -16,10 +16,18 @@ on:
16 - 'src/firecfg/firecfg.config' 16 - 'src/firecfg/firecfg.config'
17 - 'contrib/sort.py' 17 - 'contrib/sort.py'
18 18
19permissions: # added using https://github.com/step-security/secure-workflows
20 contents: read
21
19jobs: 22jobs:
20 profile-checks: 23 profile-checks:
21 runs-on: ubuntu-latest 24 runs-on: ubuntu-latest
22 steps: 25 steps:
26 - name: Harden Runner
27 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
28 with:
29 egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
30
23 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 31 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
24 - name: sort.py 32 - name: sort.py
25 run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile 33 run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile