ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-02-03 22:42:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(ci): pin versions, tighten permissions

Browse Source
This commit is contained in:
Ismo Vuorinen
2025-02-02 14:20:05 +02:00
parent ab2a86b6e2
commit 19f792e5d1
12 changed files with 86 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
.github/workflows/security.yml vendored
View File

@@ -18,6 +18,10 @@ on:
- '**/*.js'
- '**/*.ts'
permissions:
contents: read
actions: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@@ -32,10 +36,8 @@ jobs:
timeout-minutes: 30
permissions:
contents: read
security-events: write
issues: write
actions: read
pull-requests: write
steps:
@@ -73,12 +75,12 @@ jobs:
fi
- name: Checkout Repository
uses: actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0 # Full history for better analysis
- name: Run OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
uses: dependency-check/Dependency-Check_Action@3102a65fd5f36d0000297576acc56a475b0de98d # main
with:
project: 'GitHub Actions'
path: '.'
@@ -91,14 +93,14 @@ jobs:
--suppression ${{ github.workspace }}/suppressions.xml
- name: Upload OWASP Results
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: reports/dependency-check-report.sarif
category: owasp-dependency-check
- name: Setup Node.js
if: steps.check-secrets.outputs.run_snyk == 'true'
uses: actions/setup-node@v4
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
with:
node-version: 'lts/*'
cache: 'npm'
@@ -106,7 +108,7 @@ jobs:
- name: Run Snyk Scan
id: snyk
if: steps.check-secrets.outputs.run_snyk == 'true'
uses: snyk/actions/node@master
uses: snyk/actions/node@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
continue-on-error: true # Don't fail the workflow, we'll handle results
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -115,7 +117,7 @@ jobs:
- name: Upload Snyk Results
if: steps.check-secrets.outputs.run_snyk == 'true'
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: snyk-results.sarif
category: snyk
@@ -123,7 +125,7 @@ jobs:
- name: Analyze Vulnerabilities
id: vuln-analysis
if: always()
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const fs = require('fs');
@@ -233,7 +235,7 @@ jobs:
- name: Archive Security Reports
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: security-reports-${{ github.run_id }}
path: |
@@ -246,7 +248,7 @@ jobs:
- name: Create Fix PRs
if: always() && (steps.vuln-analysis.outputs.critical_count > 0 || steps.vuln-analysis.outputs.high_count > 0)
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
continue-on-error: true
with:
script: |
@@ -377,7 +379,7 @@ jobs:
- name: Notify on Failure
if: failure()
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const fs = require('fs');
@@ -447,7 +449,7 @@ jobs:
- name: Cleanup Old Issues
if: always()
uses: actions/github-script@v7
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
try {