diff --git a/.github/workflows/action-security.yml b/.github/workflows/action-security.yml index a963fd7..7b9a911 100644 --- a/.github/workflows/action-security.yml +++ b/.github/workflows/action-security.yml @@ -16,6 +16,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + actions: read + pull-requests: read + jobs: analyze: name: Analyze Action Security @@ -23,16 +28,13 @@ jobs: timeout-minutes: 30 permissions: - contents: read security-events: write - actions: read - pull-requests: read statuses: write issues: write steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -55,7 +57,7 @@ jobs: fi - name: Run actionlint - uses: raven-actions/actionlint@v2 + uses: raven-actions/actionlint@01fce4f43a270a612932cb1c64d40505a029f821 # v2.0.0 with: cache: true fail-on-error: true @@ -63,7 +65,7 @@ jobs: - name: Run Gitleaks if: steps.check-configs.outputs.run_gitleaks == 'true' - uses: gitleaks/gitleaks-action@v2.3.7 + uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} @@ -73,7 +75,7 @@ jobs: report-path: gitleaks-report.sarif - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master with: scan-type: 'fs' security-checks: 'vuln,config,secret' 
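Review bot: The `analyze` job in action-security.yml ends up with less access, not the same access, after the `@@ -16,6 +16,11 @@` and `@@ -23,16 +28,13 @@` hunks, because a job-level `permissions` key replaces the workflow-level one rather than merging with it; once `contents: read`, `actions: read` and `pull-requests: read` are deleted from the job, its token carries only `security-events`, `statuses` and `issues` write and those three scopes fall to `none`. The `actions/checkout` step in that job then runs without `contents: read`, and the later `upload-sarif` steps lose the `actions: read` that the codeql-action README lists next to `security-events: write` for private repositories. Either keep the read scopes in the job's own block — `contents: read`, `actions: read`, `pull-requests: read` under the existing `security-events: write` — or remove the job-level block where the workflow-level one is meant to apply. The same move occurs in auto-merge.yml (`checks: read`, `statuses: read`), codeql.yml (`actions: read`, `contents: read`, which CodeQL's own starter workflow declares at job level), security-metrics.yml, security-trends.yml and security.yml (`contents: read`, `actions: read`); release.yml is the one file where the job still restates the scope it needs.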
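Review bot: `aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b` in the `@@ -73,7 +75,7 @@` hunk is pinned to a commit taken from the `master` branch, as the trailing `# master` comment records, rather than to a release. The pin is immutable, but the comment carries no version for a reviewer or Dependabot/Renovate to reconcile against, so the next bump will again be an arbitrary branch head instead of a reviewed release; where the upstream publishes tagged releases, pin to one and put that tag in the comment, e.g. `uses: aquasecurity/trivy-action@<release-sha> # <release-tag>`. The same applies to `dependency-check/Dependency-Check_Action@… # main` and `snyk/actions/node@… # master` in security.yml.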
@@ -114,21 +116,21 @@ jobs: - name: Upload Trivy results if: steps.verify-sarif.outputs.has_trivy == 'true' - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: 'trivy-results.sarif' category: 'trivy' - name: Upload Gitleaks results if: steps.verify-sarif.outputs.has_gitleaks == 'true' - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: 'gitleaks-report.sarif' category: 'gitleaks' - name: Archive security reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: security-reports-${{ github.run_id }} path: | @@ -138,7 +140,7 @@ jobs: - name: Analyze Results if: always() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const fs = require('fs'); @@ -229,7 +231,7 @@ jobs: - name: Notify on Critical Issues if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const { repo, owner } = context.repo; diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 7147f83..c16a444 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -19,6 +19,11 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false # Don't cancel as this could leave PRs in inconsistent state +permissions: + contents: read + checks: read + statuses: read + jobs: auto-merge: name: 🤝 Auto Merge @@ -28,8 +33,6 @@ jobs: permissions: contents: write pull-requests: write - checks: read - statuses: read steps: - name: Check Required Secrets 
@@ -46,13 +49,13 @@ jobs: - name: Generate Token id: generate-token if: steps.check-secrets.outputs.use_github_token == 'false' - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514 # v1.11.2 with: app-id: ${{ secrets.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Auto Merge PR - uses: pascalgn/automerge-action@v0.16.4 + uses: pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67 # v0.16.4 env: GITHUB_TOKEN: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} MERGE_LABELS: 'dependencies,automated-pr,!work-in-progress,!do-not-merge' @@ -68,7 +71,7 @@ jobs: - name: Check Merge Status if: always() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} script: | @@ -137,7 +140,7 @@ jobs: - name: Remove Labels on Failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: github-token: ${{ steps.check-secrets.outputs.use_github_token == 'true' && github.token || steps.generate-token.outputs.token }} script: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2e8bfe3..9086fb7 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,13 +10,15 @@ on: schedule: - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday +permissions: + actions: read + contents: read + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: 
@@ -26,18 +28,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: languages: ${{ matrix.language }} queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: category: '/language:${{matrix.language}}' diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 8081a54..6d7e446 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@v4.5.0 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index 33eb782..fb37c73 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -45,6 +45,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: megalinter: name: MegaLinter 
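Review bot: The new workflow-level `permissions: contents: read` in pr-lint.yml (`@@ -45,6 +45,9 @@`) becomes the entire GITHUB_TOKEN grant for the `megalinter` job unless that job declares its own `permissions` block, which would sit between this hunk and the `steps:` hunk and is not visible here. The steps that are visible fall back to `secrets.GITHUB_TOKEN` for `actions/checkout` and `peter-evans/create-pull-request`, upload SARIF via `github/codeql-action/upload-sarif`, and create a status check with `actions/github-script`, all of which need more than `contents: read` when the fallback token is in use (`contents: write`, `pull-requests: write`, `security-events: write`, `statuses: write`). If the job has no block of its own, add one with those scopes; if it already has one, this top-level key changes nothing for it and the note can be closed.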
@@ -59,14 +62,14 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} fetch-depth: 0 - name: MegaLinter id: ml - uses: oxsecurity/megalinter/flavors/cupcake@v8.4.1 + uses: oxsecurity/megalinter/flavors/cupcake@839e6d63c0423eb74ce2578225f8b8b4bed63ede # v8.4.1 env: PARALLEL: true # Run linters in parallel FILTER_REGEX_EXCLUDE: '(\.automation/test|docs/json-schemas|\.github/workflows)' @@ -100,7 +103,7 @@ jobs: - name: Upload Reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: MegaLinter reports path: | @@ -110,7 +113,7 @@ jobs: - name: Upload SARIF Report if: always() && hashFiles('megalinter-reports/sarif/*.sarif') - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: megalinter-reports/sarif category: megalinter @@ -130,7 +133,7 @@ jobs: env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@67ccf781d68cd99b580ae25a5c18a1cc84ffff1f # v7.0.6 id: cpr with: token: ${{ secrets.FIXIMUS_TOKEN || secrets.GITHUB_TOKEN }} @@ -165,7 +168,7 @@ jobs: github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) && !contains(github.event.head_commit.message, 'skip fix') - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0 with: branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} commit_message: | 
@@ -178,7 +181,7 @@ jobs: - name: Create Status Check if: always() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const status = '${{ steps.check-results.outputs.status }}'; diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbaeceb..60137dd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,13 +6,15 @@ on: - 'v*' permissions: - contents: write + contents: read jobs: release: runs-on: ubuntu-latest + permissions: + contents: write steps: - - uses: actions/checkout@v4 - - uses: softprops/action-gh-release@v2.2.1 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1 with: generate_release_notes: true diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 57a5c09..1808a2a 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -17,25 +17,25 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@v2.4.0 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: results.sarif diff --git a/.github/workflows/security-metrics.yml b/.github/workflows/security-metrics.yml index 0000ae2..2c0471b 100644 
--- a/.github/workflows/security-metrics.yml +++ b/.github/workflows/security-metrics.yml @@ -10,6 +10,11 @@ on: schedule: - cron: '0 0 * * 0' # Weekly +permissions: + contents: read + actions: read + pull-requests: read + jobs: collect-metrics: runs-on: ubuntu-latest @@ -18,10 +23,10 @@ jobs: issues: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Collect Metrics - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const metrics = { diff --git a/.github/workflows/security-trends.yml b/.github/workflows/security-trends.yml index 7224b94..6fc0f6f 100644 --- a/.github/workflows/security-trends.yml +++ b/.github/workflows/security-trends.yml @@ -8,6 +8,10 @@ on: types: - completed +permissions: + contents: read + actions: read + jobs: analyze-trends: runs-on: ubuntu-latest @@ -16,20 +20,20 @@ jobs: issues: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main fetch-depth: 0 - name: Download latest results - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: security-reports-${{ github.event.workflow_run.id }} path: latest-results - name: Analyze Trends id: analyze - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const fs = require('fs'); @@ -82,7 +86,7 @@ jobs: if: | github.event.workflow_run.conclusion == 'success' && steps.verify.outputs.exists == 'true' - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | try { diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 7e77a85..7679c95 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
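Review bot: `actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8` in the `@@ -16,20 +20,20 @@` hunk of security-trends.yml is given only `name` and `path`, yet the artifact `security-reports-${{ github.event.workflow_run.id }}` belongs to the triggering run, not to this `workflow_run` job. As far as the visible inputs show, v4 of download-artifact searches the current run unless `run-id` and a `github-token` are supplied, so this step looks likely to fail with an artifact-not-found error on every trigger; add `run-id: ${{ github.event.workflow_run.id }}` and `github-token: ${{ github.token }}` under `with:`, and confirm the job's token actually carries `actions: read`, since the workflow-level grant added in `@@ -8,6 +8,10 @@` does not reach a job that declares its own `permissions`.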
@@ -18,6 +18,10 @@ on: - '**/*.js' - '**/*.ts' +permissions: + contents: read + actions: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -32,10 +36,8 @@ jobs: timeout-minutes: 30 permissions: - contents: read security-events: write issues: write - actions: read pull-requests: write steps: @@ -73,12 +75,12 @@ jobs: fi - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Full history for better analysis - name: Run OWASP Dependency Check - uses: dependency-check/Dependency-Check_Action@main + uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d # main with: project: 'GitHub Actions' path: '.' @@ -91,14 +93,14 @@ jobs: --suppression ${{ github.workspace }}/suppressions.xml - name: Upload OWASP Results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: reports/dependency-check-report.sarif category: owasp-dependency-check - name: Setup Node.js if: steps.check-secrets.outputs.run_snyk == 'true' - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: 'lts/*' cache: 'npm' @@ -106,7 +108,7 @@ jobs: - name: Run Snyk Scan id: snyk if: steps.check-secrets.outputs.run_snyk == 'true' - uses: snyk/actions/node@master + uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master continue-on-error: true # Don't fail the workflow, we'll handle results env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -115,7 +117,7 @@ jobs: - name: Upload Snyk Results if: steps.check-secrets.outputs.run_snyk == 'true' - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: sarif_file: snyk-results.sarif category: snyk 
@@ -123,7 +125,7 @@ jobs: - name: Analyze Vulnerabilities id: vuln-analysis if: always() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const fs = require('fs'); @@ -233,7 +235,7 @@ jobs: - name: Archive Security Reports if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: security-reports-${{ github.run_id }} path: | @@ -246,7 +248,7 @@ jobs: - name: Create Fix PRs if: always() && (steps.vuln-analysis.outputs.critical_count > 0 || steps.vuln-analysis.outputs.high_count > 0) - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 continue-on-error: true with: script: | @@ -377,7 +379,7 @@ jobs: - name: Notify on Failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const fs = require('fs'); @@ -447,7 +449,7 @@ jobs: - name: Cleanup Old Issues if: always() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | try { diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4d7b440..a586fb9 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -25,7 +25,7 @@ jobs: steps: - name: 🚀 Run stale - uses: actions/stale@v9.1.0 + uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 30 diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 7413846..b244307 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -33,7 +33,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 
@@ -188,7 +188,7 @@ jobs: - name: Upload Label Report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: label-sync-report path: label-report.md @@ -196,7 +196,7 @@ jobs: - name: Notify on Failure if: failure() - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const fs = require('fs');