diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml new file mode 100644 index 0000000000..9ce0cfa51c --- /dev/null +++ b/.github/workflows/actions.yml @@ -0,0 +1,57 @@ +name: Lint GitHub Actions + +on: + push: + paths: + - '.github/workflows/*.ya?ml' + branches: + - main + pull_request: + paths: + - '.github/workflows/*.ya?ml' + +concurrency: + group: "actionlint-${{ github.ref }}" + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +permissions: {} + +jobs: + lint: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: lint wit zizmor + run: | + pipx install zizmor + zizmor --gh-token ${{ secrets.GITHUB_TOKEN }} --format sarif . > results.sarif || true + + - name: Upload SARIF file + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: results.sarif + path: results.sarif + + upload: + needs: lint + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Download SARIF file + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: results.sarif + path: results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + with: + sarif_file: results.sarif + category: actions-zizmor diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1699e1e0bb..9e75f5cd7b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
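Review bot: The `|| true` on the zizmor command masks every exit status, so a failed `pipx install` or a zizmor crash still leaves an empty results.sarif that the upload job then treats as a clean scan; zizmor's `--no-exit-codes` suppresses only the findings exit status, so `zizmor --no-exit-codes --gh-token "$GH_TOKEN" --format sarif . > results.sarif` keeps real failures visible. Pass the token through the step's environment (`env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) rather than interpolating it into the script, which is the same hygiene this commit applies to release.yml. `pipx install zizmor` is unpinned, so the linter version floats between runs; pin it to a release (`pipx install zizmor==<version>`) so a new rule set cannot change scan results without a diff. The step name `lint wit zizmor` reads as a typo for `lint with zizmor`.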
@@ -21,21 +21,22 @@ jobs: strategy: fail-fast: false matrix: - include: - - language: javascript-typescript - build-mode: none + language: ['javascript-typescript', 'actions'] + steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} + build-mode: none - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml index 338653effc..5c0c84a726 100644 --- a/.github/workflows/lambda.yml +++ b/.github/workflows/lambda.yml @@ -8,6 +8,9 @@ on: - 'lambdas/**' - '.github/workflows/lambda.yml' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -22,6 +25,8 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Install dependencies run: yarn install --frozen-lockfile - name: Run prettier diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml index 4251f892ff..a818ef1dc4 100644 --- a/.github/workflows/packer-build.yml +++ b/.github/workflows/packer-build.yml @@ -8,9 +8,13 @@ on: - "images/**" - ".github/workflows/packer-build.yml" - "module/runners/templates/**" +permissions: + contents: read + env: AWS_REGION: eu-west-1 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + jobs: verify_packer: name: Verify packer 
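Review bot: The init and analyze pins are bumped to dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 here, while the upload-sarif step in the new actions.yml added by this same commit pins github/codeql-action at f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5, so the two workflows start out on different versions of the same action and will be updated separately. Pin upload-sarif in actions.yml to the same dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8. The matrix now also runs the `actions` CodeQL language over the workflow files that the zizmor workflow scans; a short comment on the matrix line noting that both scanners are intended to run on workflows would save the next reader from removing one as a duplicate. The job definition this hunk edits begins above the hunk.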
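Review bot: In the packer-build.yml `-8,9 +8,13` hunk the workflow-level `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is kept directly under the new `permissions: contents: read`, which exports the token to every step of every job, including third-party actions and tools that have no need for it. The read-only permission narrows what the token can do; moving `GITHUB_TOKEN` into the `env:` of the single step that uses it narrows who can read it. Which step that is lies outside this hunk, so this needs confirming against the rest of the file.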
@@ -26,6 +30,8 @@ jobs: steps: - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: packer init run: packer init . - name: check packer formatting diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f4eeb32bf3..5b3d6650d3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,6 +20,8 @@ jobs: with: node-version: 22 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Build dist working-directory: lambdas run: yarn install --frozen-lockfile && yarn run test && yarn dist 
@@ -50,17 +52,25 @@ jobs: if: ${{ steps.release.outputs.releases_created == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VERSION: ${{ github.event.inputs.version }} + TAG_NAME: ${{ steps.release.outputs.tag_name }} + ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }} run: | - gh release view ${{ github.event.inputs.version }} --json body -q '.body' > new-release-notes.md + version="${VERSION}" + tag_name="${TAG_NAME}" + attestation_url="${ATTESTATION_URL}" + gh release view $version --json body -q '.body' > new-release-notes.md echo "## Attestation" >> new-release-notes.md - echo "Attestation url: ${{ steps.attest.outputs.attestation-url }}" >> new-release-notes.md + echo "Attestation url: $attestation_url" >> new-release-notes.md echo "Verify the artifacts by running \`gh attest verify --repo ${{ github.repository }}\`" >> new-release-notes.md - gh release edit ${{ steps.release.outputs.tag_name }} -F new-release-notes.md -t ${{ steps.release.outputs.tag_name }} + gh release edit $tag_name -F new-release-notes.md -t $tag_name - name: Upload release assets if: ${{ steps.release.outputs.releases_created == 'true' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG_NAME: ${{ steps.release.outputs.tag_name }} run: | + tag_name="${TAG_NAME}" for f in $(find . -name '*.zip'); do - gh release upload ${{ steps.release.outputs.tag_name }} $f + gh release upload $tag_name $f done diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml index 886aa2e349..db6c9f88e2 100644 --- a/.github/workflows/semantic-check.yml +++ b/.github/workflows/semantic-check.yml @@ -14,6 +14,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 name: Check PR for Semantic Commit Message env: 
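Review bot: The new shell lines leave the variables unquoted, so a tag or version containing whitespace or glob characters is word-split before it reaches gh; write `gh release view "$version" --json body -q '.body' > new-release-notes.md`, `gh release edit "$tag_name" -F new-release-notes.md -t "$tag_name"` and `gh release upload "$tag_name" "$f"`. The `echo "Verify the artifacts by running ... ${{ github.repository }}"` line still interpolates a context expression into the script while every neighbouring expression was moved to `env:`; for consistency add `REPOSITORY: ${{ github.repository }}` under `env:` and use `$REPOSITORY`. The `version="${VERSION}"` style copies add nothing over using `"$VERSION"` directly, and `VERSION` is empty for any trigger other than the `workflow_dispatch` input, which would turn the first gh call into `gh release view ""`; the triggers are outside this hunk, so worth checking. The step's job definition begins above the hunk.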
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 8a0c1eb746..2c2afaba58 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: write env: AWS_REGION: eu-west-1 @@ -24,6 +23,8 @@ jobs: steps: - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: "Fake zip files" # Validate will fail if it cannot find the zip files run: | touch lambdas/functions/webhook/webhook.zip @@ -47,7 +48,7 @@ jobs: run: apk add --no-cache tar continue-on-error: true - if: contains(matrix.terraform, '1.5.') - uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 name: Cache TFLint plugin dir with: path: ~/.tflint.d/plugins @@ -90,6 +91,8 @@ jobs: image: hashicorp/terraform:${{ matrix.terraform }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: terraform init run: terraform init -get -backend=false -input=false - if: contains(matrix.terraform, '1.3.') @@ -106,14 +109,14 @@ jobs: run: apk add --no-cache tar continue-on-error: true - if: contains(matrix.terraform, '1.3.') - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 name: Cache TFLint plugin dir with: path: ~/.tflint.d/plugins key: tflint-${{ hashFiles('.tflint.hcl') }} - if: contains(matrix.terraform, '1.3.') name: Setup TFLint - uses: terraform-linters/setup-tflint@v4 + uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} - if: contains(matrix.terraform, '1.3.') 
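Review bot: Dropping `pull-requests: write` from the workflow permissions in the `-8,7 +8,6` hunk is correct only if no job in terraform.yml posts PR comments or labels; the hunks shown contain only checkout, init, cache and tflint steps, so a commenting step elsewhere in the file would now fail at runtime with a 403 rather than at review time. A one-line comment at the declaration, `# read-only: no job in this workflow writes to PRs`, records the decision so the grant is not quietly re-added. The checkout `persist-credentials: false` additions and the cache/setup-tflint SHA pins in the `-24`, `-47`, `-90` and `-106` hunks here and the `-145`/`-161` hunks that follow are consistent and raise nothing further.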
@@ -145,6 +148,8 @@ jobs: image: hashicorp/terraform:${{ matrix.terraform }} steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: terraform init run: terraform init -get -backend=false -input=false - if: contains(matrix.terraform, '1.5.') @@ -161,14 +166,14 @@ jobs: run: apk add --no-cache tar continue-on-error: true - if: contains(matrix.terraform, '1.5.') - uses: actions/cache@v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 name: Cache TFLint plugin dir with: path: ~/.tflint.d/plugins key: tflint-${{ hashFiles('.tflint.hcl') }} - if: contains(matrix.terraform, '1.5.') name: Setup TFLint - uses: terraform-linters/setup-tflint@v4 + uses: terraform-linters/setup-tflint@8093687ecc9dcbfa88d07c103ad4176739a7287e # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} - if: contains(matrix.terraform, '1.5.') diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index 9741482d45..70e841f1d6 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -6,19 +6,19 @@ on: - "**/*.md" - ".github/workflows/update-docs.yml" -permissions: - contents: write - pull-requests: write - jobs: docs: name: Auto update terraform docs runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write steps: - name: Checkout with GITHUB Action token uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ secrets.GITHUB_TOKEN }} + persist-credentials: true # use an app to ensure CI is triggered - name: Generate TF docs @@ -55,6 +55,8 @@ jobs: deploy-pages: needs: [docs] runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Configure Git Credentials diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 0000000000..bbad753d6f --- /dev/null +++ b/.github/zizmor.yml 
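Review bot: In the update-docs.yml `-55,6 +55,8` hunk the deploy-pages checkout is the only checkout in this commit left on the default credential persistence, and the justification lives only in .github/zizmor.yml as the coordinate ignore `update-docs.yml:61:9`, which is tied to a line number that shifts with any edit above it; state the intent in the workflow itself with `with:` / `persist-credentials: true  # the following git push needs the token`, as the docs job in the first hunk already does. In the first hunk, `persist-credentials: true` beside `token: ${{ secrets.GITHUB_TOKEN }}` presumably serves the auto-commit step that follows (outside the hunk), but the adjacent context comment `# use an app to ensure CI is triggered` reads as though an app token were in use; if it describes the next step, move it there, otherwise it contradicts the GITHUB_TOKEN line. The job-level `contents: write` on deploy-pages and `contents: write` / `pull-requests: write` on docs are the only write grants left in this commit and would each benefit from a why-comment naming the step that needs them.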
@@ -0,0 +1,9 @@ +rules: + artipacked: + ignore: + # update docs requires token to be persisted + - update-docs.yml:61:9 + dangerous-triggers: + ignore: + # semantic check with only a read only token + - semantic-check.yml:2:1
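Review bot: Both ignores are keyed to file coordinates (`update-docs.yml:61:9`, `semantic-check.yml:2:1`), so any edit that shifts those lines either reactivates the finding or, worse, silences a different finding that lands on the same coordinate; a comment at the top of the file, `# coordinate-based ignores: re-check these whenever the referenced workflow changes`, makes that maintenance cost explicit. The `dangerous-triggers` justification "only a read only token" should also say why the trigger is safe with respect to checked-out code, since that rule is about running untrusted PR content with elevated context; the semantic-check.yml hunk in this commit shows a checkout with no `ref:` override (the trigger itself is outside the hunk), which is presumably the basis, and naming that in the comment lets a reviewer verify the ignore rather than trust it. The `artipacked` comment describes the deploy-pages checkout (line 61) rather than the docs job's explicit `persist-credentials: true`, which is worth stating so the two are not confused.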