Improved overall security for github actions (#346)

* Improved overall security for github actions * Added codeql with dotnet build * Removed fluentassertions * Fixed release github action * Added codeql on windows as well * Added codeql for github actions as well * Removed github actions as codeql, will be added as a different workflow * Fixed * Added diff github action for codeql github actions --------- Co-authored-by: Sandro Hanea <[email protected]>
sandrohanea · Feb 15, 2025 · fca3270 · fca3270
1 parent a05be18
commit fca3270
Show file tree

Hide file tree

Showing 29 changed files with 212 additions and 85 deletions.
diff --git a/.github/workflows/android-native-build.yml b/.github/workflows/android-native-build.yml
@@ -1,4 +1,6 @@
 name: Android Native build
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
@@ -15,7 +17,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Install Android NDK
-        uses: nttld/setup-ndk@v1.4.2
+        uses: nttld/setup-ndk@afb4c9964b521afb97c864b7d40b11e6911bd410
         with:
           ndk-version: r25c
 

diff --git a/.github/workflows/build-all.yml b/.github/workflows/build-all.yml
@@ -2,6 +2,10 @@
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
 
 name: CI (Native + dotnet)
+permissions:
+  contents: read
+  checks: write
+  security-events: write
 
 on:
    push:
@@ -14,11 +18,13 @@ on:
             description: 'Enable GPU libraries build and publish'
             required: true
             default: 'false'
-permissions:
-  contents: read
-  checks: write
+   schedule:
+     - cron: '40 17 * * 0'
 
 jobs:
+   codeql-github-actions:
+      uses: ./.github/workflows/codeql-github-actions.yml
+
    android:
       uses: ./.github/workflows/android-native-build.yml
 

diff --git a/.github/workflows/codeql-github-actions.yml b/.github/workflows/codeql-github-actions.yml
@@ -0,0 +1,28 @@
+name: Dotnet Build and Test
+
+permissions:
+  contents: read
+  checks: write
+  security-events: write
+
+on:
+  workflow_call:
+
+jobs:
+   codeql-github:
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: actions
+          build-mode: none
+
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:actions"
diff --git a/.github/workflows/dotnet-maui.yml b/.github/workflows/dotnet-maui.yml
@@ -2,6 +2,8 @@
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-net
 
 name: Dotnet Maui Build and Test
+permissions:
+  contents: read
 
 on:
   workflow_call:
@@ -23,7 +25,7 @@ jobs:
           dotnet-version: |
             9.0.x
 
-      - uses: maxim-lobanov/setup-xcode@v1
+      - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd
         with:
           xcode-version: '16.2'
 
@@ -89,7 +91,7 @@ jobs:
         run: dotnet tool install Microsoft.DotNet.XHarness.CLI --global --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json --version "10.0.0-*"
 
       - name: run android tests
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@62dbb605bba737720e10b196cb4220d374026a6d
         with:
           api-level: 29
           arch: x86_64
@@ -119,7 +121,7 @@ jobs:
           dotnet-version: |
             8.0.x
             
-      - uses: maxim-lobanov/setup-xcode@v1
+      - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd
         with:
           xcode-version: '16.2'
 

diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -3,12 +3,14 @@
 
 name: Dotnet Build and Test
 
-on:
-  workflow_call:
-
 permissions:
   contents: read
   checks: write
+  security-events: write
+
+on:
+  workflow_call:
+
 
 env:
   HF_TOKEN: ${{ secrets.HF_TOKEN }}
@@ -36,7 +38,14 @@ jobs:
 
       - name: Restore dependencies
         run: dotnet restore ./Whisper.net.sln
-
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          build-mode: manual
+
       - name: Build
         run: dotnet build ./Whisper.net.sln --no-restore -warnaserror
 
@@ -45,20 +54,26 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build  --logger "trx"
           
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net MacOs Test Results
           path: ./**/*.trx
           reporter: dotnet-trx
 
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:csharp"
+
       - name: Upload trx files
         uses: actions/upload-artifact@v4
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: test-results-macos
           path: ./**/*.trx
           retention-days: 7
+
 
   dotnet-windows:
     runs-on: windows-latest
@@ -82,7 +97,14 @@ jobs:
 
       - name: Restore dependencies
         run: dotnet restore ./Whisper.net.sln
-
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          build-mode: manual
+
       - name: Build
         run: dotnet build ./Whisper.net.sln --no-restore -warnaserror
 
@@ -91,7 +113,7 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build --logger "trx"
           
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net Windows Test Results
@@ -105,7 +127,12 @@ jobs:
           name: test-results-windows
           path: ./**/*.trx
           retention-days: 7
-
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:csharp"
+
   dotnet-linux:
     runs-on: ubuntu-latest
 
@@ -137,7 +164,7 @@ jobs:
           dotnet test ./Whisper.net.sln --no-build --logger "trx"
                         
       - name: Test Reporter
-        uses: dorny/test-reporter@v1.9.1
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5
         if: success() || failure()    # run this step even if previous step failed
         with:
           name: Whisper.net Linux Test Results

diff --git a/.github/workflows/linux-cuda-native-build.yml b/.github/workflows/linux-cuda-native-build.yml
@@ -1,5 +1,8 @@
 name: Linux Cuda Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -21,7 +24,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y gcc-arm-linux-gnueabihf && sudo apt-get install -y g++-arm-linux-gnueabihf
 
       - name: Install CUDA Toolkit
-        uses: Jimver/cuda-toolkit@v0.2.18
+        uses: Jimver/cuda-toolkit@8022558310ea543e35132143092835585f60e628
         with:
           cuda: "12.1.0"
 

diff --git a/.github/workflows/linux-native-build.yml b/.github/workflows/linux-native-build.yml
@@ -1,5 +1,8 @@
 name: Linux Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

diff --git a/.github/workflows/linux-noavx-native-build.yml b/.github/workflows/linux-noavx-native-build.yml
@@ -1,5 +1,8 @@
 name: Linux Native build Without AVX
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

diff --git a/.github/workflows/linux-openvino-native-build.yml b/.github/workflows/linux-openvino-native-build.yml
@@ -1,5 +1,8 @@
 name: Linux OpenVino native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

diff --git a/.github/workflows/linux-vulkan-native-build.yml b/.github/workflows/linux-vulkan-native-build.yml
@@ -1,5 +1,8 @@
 name: Linux Vulkan native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -21,7 +24,7 @@ jobs:
         run: sudo apt-get update && sudo apt-get install -y gcc-arm-linux-gnueabihf && sudo apt-get install -y g++-arm-linux-gnueabihf
 
       - name: Install Vulkan SDK
-        uses: jakoch/install-vulkan-sdk-action@v1.0.4
+        uses: jakoch/install-vulkan-sdk-action@40216eed6cafc7df0be5eb80620a9f0e7c7104f9
         with:
           vulkan_version: 1.3.290.0
           optional_components: com.lunarg.vulkan.vma

diff --git a/.github/workflows/macos-coreml-native-build.yml b/.github/workflows/macos-coreml-native-build.yml
@@ -1,5 +1,8 @@
 name: MacOs CoreML Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

diff --git a/.github/workflows/macos-native-build.yml b/.github/workflows/macos-native-build.yml
@@ -1,5 +1,8 @@
 name: MacOs Native build
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   workflow_call:

diff --git a/.github/workflows/pack-all.yml b/.github/workflows/pack-all.yml
@@ -3,6 +3,9 @@
 
 name: Pack All
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
      inputs:

diff --git a/.github/workflows/push-all.yml b/.github/workflows/push-all.yml
@@ -3,12 +3,12 @@
 
 name: Push Nuget Packages to nuget.org
 
-on:
-  workflow_call:
-
 permissions:
   contents: write
 
+on:
+  workflow_call:
+
 jobs:
   push-nupkgs:
     runs-on: windows-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,8 @@
 
 name: CD (Native + dotnet)
 
+permissions:
+    contents: write
 on:
    workflow_dispatch:
       inputs:
@@ -23,9 +25,6 @@ on:
 env:
    IS_PREVIEW: ${{ inputs.IsPreview }}
    PREVIEW_SUFFIX: ${{ inputs.PreviewSuffix }}
-
-permissions:
-  contents: write
 
 jobs:
 

diff --git a/.github/workflows/wasm-native-build.yml b/.github/workflows/wasm-native-build.yml
@@ -1,5 +1,8 @@
 name: Wasm Native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -15,7 +18,7 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Install Emscripten
-        uses: mymindstorm/setup-emsdk@v13
+        uses: mymindstorm/setup-emsdk@6ab9eb1bda2574c4ddb79809fc9247783eaf9021
 
       - name: Run wasm build
         run: make wasm

diff --git a/.github/workflows/windows-cuda-native-build.yml b/.github/workflows/windows-cuda-native-build.yml
@@ -1,5 +1,8 @@
 name: Windows Cuda native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call:
@@ -16,14 +19,14 @@ jobs:
           ref: ${{ github.head_ref }}
 
       - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce
 
       - name: Install OpenCl with vcpkg
         run: |
           vcpkg --triplet=x64-windows install opencl
 
       - name: Install CUDA Toolkit
-        uses: Jimver/cuda-toolkit@v0.2.18
+        uses: Jimver/cuda-toolkit@8022558310ea543e35132143092835585f60e628
         with:
           cuda: "12.1.0"
 

diff --git a/.github/workflows/windows-native-build.yml b/.github/workflows/windows-native-build.yml
@@ -1,5 +1,8 @@
 name: Windows native build
 
+permissions:
+    contents: read
+
 on:
   workflow_dispatch:
   workflow_call: