Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/build-extra.yml | 23 | ||||
-rw-r--r-- | .github/workflows/build.yml | 8 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 18 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 8 |
4 files changed, 54 insertions, 3 deletions
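--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -32,10 +32,18 @@ on:
       - '.github/ISSUE_TEMPLATE/*'
       - '.github/pull_request_template.md'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build-clang:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: install dependencies
         run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -50,6 +58,11 @@ jobs:
   scan-build:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: install clang-tools-14 and dependencies
         run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -60,6 +73,11 @@ jobs:
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: install cppcheck
         run: sudo apt-get install cppcheck
@@ -70,6 +88,11 @@ jobs:
   cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: install cppcheck
         run: sudo apt-get install cppcheck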
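Review bot: `egress-policy: audit` in the four new Harden Runner steps only records outbound connections and does not block any, so until the TODO on each of them is acted on this change adds monitoring of the build jobs, not protection against exfiltration or a tampered download. The step is pinned to a full commit SHA, which is the right way to reference a third-party action, but without a trailing release comment neither a reviewer nor Dependabot can tell which harden-runner release that SHA corresponds to; append the tag the SHA resolves to, e.g. `uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # <release tag>`. When the policy is switched to `block`, the `sudo apt-get install` steps in every job will need the Ubuntu mirror hosts reported by the audit runs listed under `allowed-endpoints:`, so it would help to replace "after couple of runs" with a reference to the issue tracking that switch.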
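--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,10 +24,18 @@ on:
       - RELNOTES
       - SECURITY.md
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build_and_test:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: update package information
         run: sudo apt-get update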
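Review bot: the workflow-level `permissions: contents: read` narrows the `GITHUB_TOKEN` for the whole file, but the hunk shows only the first three steps of `build_and_test`; if any later step in this job uploads artifacts, comments on a PR, or otherwise writes through the API, it will now fail with a 403 and needs a job-level `permissions:` block of its own, as codeql-analysis.yml gets in this same commit. The `build_and_test` job continues outside the hunk, so this cannot be confirmed from here. Separately, the harden-runner pin carries no release comment; `# <release tag>` after the SHA would let the pin be audited and bumped without resolving the commit by hand.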
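--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,8 +34,15 @@ on:
   schedule:
     - cron: '0 7 * * 2'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
 
@@ -48,12 +55,17 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout repository
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@cc7986c02bac29104a72998e67239bb5ee2ee110
+        uses: github/codeql-action/init@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +76,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@cc7986c02bac29104a72998e67239bb5ee2ee110
+        uses: github/codeql-action/autobuild@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898
 
       # âšī¸ Command-line programs to run using the OS shell.
       # đ https://git.io/JvXDl
@@ -78,4 +90,4 @@ jobs:
       # make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@cc7986c02bac29104a72998e67239bb5ee2ee110
+        uses: github/codeql-action/analyze@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898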
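Review bot: the comment on `security-events: write` in the new job-level `permissions:` block attributes the scope to `github/codeql-action/autobuild` sending a status report, but as far as the visible steps show the step that needs write access to security events is `Perform CodeQL Analysis` at the end of the job, which uploads the scan results; suggest `security-events: write # for github/codeql-action/analyze to upload code-scanning results` so the next person does not drop the scope when autobuild is replaced by a manual build. Note that a job-level `permissions:` block replaces the workflow-level one rather than extending it, so these three entries are the job's entire token scope and the top-level `contents: read` is effectively redundant for this single-job file, which is harmless but worth a one-line comment. The codeql-action bump to `c3b6fce4…` on the three `uses:` lines is pinned without a release comment, as is the harden-runner SHA; a trailing `# <release tag>` on each would make the pins auditable.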
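--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -16,10 +16,18 @@ on:
       - 'src/firecfg/firecfg.config'
       - 'contrib/sort.py'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   profile-checks:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: sort.py
         run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile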
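Review bot: this job is the natural first candidate for `egress-policy: block` instead of `audit`: the visible steps are a checkout and a local script with no package installs, so the only outbound traffic should be to GitHub itself and the allow-list would be short (likely just `allowed-endpoints: github.com:443`, to be confirmed against the first audit run before enforcing). Leaving every workflow in audit mode with the same free-text TODO makes the follow-up easy to forget; at minimum point the TODO at a tracking issue. The `profile-checks` job continues past the end of the hunk, so any later step that fetches something over the network would also need to be listed before switching to block.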