-rw-r--r-- | .github/workflows/build-extra.yml | 23 | ||||
-rw-r--r-- | .github/workflows/build.yml | 8 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 12 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 8 |
4 files changed, 51 insertions, 0 deletions
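--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -32,10 +32,18 @@ on:
       - '.github/ISSUE_TEMPLATE/*'
       - '.github/pull_request_template.md'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build-clang:
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: install dependencies
       run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -50,6 +58,11 @@ jobs:
   scan-build:
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: install clang-tools-14 and dependencies
       run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -60,6 +73,11 @@ jobs:
   cppcheck:
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: install cppcheck
       run: sudo apt-get install cppcheck
@@ -70,6 +88,11 @@ jobs:
   cppcheck_old:
     runs-on: ubuntu-20.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: install cppcheck
       run: sudo apt-get install cppcheck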
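Review bot: Every Harden Runner step added in this file (build-clang, scan-build, cppcheck, cppcheck_old) sets `egress-policy: audit`, which only logs outbound connections and blocks nothing, so the hardening is not yet in effect; the same applies to the steps added in build.yml, codeql-analysis.yml and profile-checks.yml. The TODO needs a concrete follow-up: once the audit runs have produced logs, switch to `egress-policy: block` and add an `allowed-endpoints:` list with the hosts the logs show (the apt mirrors reached by the `sudo apt-get install` steps plus github.com), otherwise the TODO tends to stay in place indefinitely. The action is also pinned to a bare commit SHA; a trailing version comment such as `uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # vX.Y.Z (placeholder: the tagged release this SHA maps to)` lets reviewers and Dependabot tell which release the pin corresponds to.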
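--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,10 +24,18 @@ on:
       - RELNOTES
       - SECURITY.md
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build_and_test:
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: update package information
       run: sudo apt-get update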
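--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,8 +34,15 @@ on:
   schedule:
     - cron: '0 7 * * 2'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
 
@@ -48,6 +55,11 @@ jobs:
     # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repository
       uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 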
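Review bot: The comment on `security-events: write` in the new job-level `permissions` block attributes the permission only to autobuild's status report, but the main consumer is the CodeQL `analyze` step, which presumably follows later in this job outside the hunk and needs that scope to upload its results to code scanning. Suggest `security-events: write # for github/codeql-action/analyze to upload results (init/autobuild also use it for status reports)` so a maintainer who later replaces autobuild with manual build steps does not drop the write scope and silently break result upload. The job-level block is the effective permission set for this job, overriding the workflow-level `contents: read`, which is worth stating in a short comment above `permissions:` since the two blocks now sit in the same file.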
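--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -16,10 +16,18 @@ on:
       - 'src/firecfg/firecfg.config'
       - 'contrib/sort.py'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   profile-checks:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
     - name: sort.py
       run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile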