fix(workflows): pin all github actions to prevent supply-chain attacks

eclipse-tractusx · Nov 16, 2023 · e416c6b · e416c6b
1 parent a70af08
commit e416c6b
Show file tree

Hide file tree

Showing 6 changed files with 85 additions and 124 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE 
 # Copyright (c) 2023 T-Systems International GmbH 
@@ -27,6 +28,7 @@ on:
  branches:
  - main
  - 'release/*'
+ # Can be scheduled on all branches and version tags
  tags:
  - 'v*.*.*'
  - 'v*.*.*-*'
@@ -75,35 +77,35 @@ jobs:
  - name: Check github repository and set docker repo
  id: set-docker-repo
  run: |
- echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT; 
- echo "REPO=tractusx" >> $GITHUB_OUTPUT; 
- if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ]; 
- then 
+ echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT;
+ echo "REPO=tractusx" >> $GITHUB_OUTPUT;
+ if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-aas-bridge" ];
+ then
  echo "REGISTRY=ghcr.io" >> $GITHUB_OUTPUT
  echo "REPO=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT
- fi 
+ fi
  exit 0
 
  # Get the Code
  - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  submodules: recursive
 
  # Setup build environment
  - uses: ./.github/actions/setup-java
 
- # Enable deployment access (on main branch and version tags only)
+ # Enable deployment access (on demand or main branch and version tags only)
  - name: Login to GitHub Container Registry
- if: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) }}
- uses: docker/login-action@v2
+ if: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
  with:
  registry: ${{ steps.set-docker-repo.outputs.REGISTRY }}
  # Use existing DockerHub credentials present as secrets
  username: ${{ secrets.DOCKER_HUB_USER || github.actor }}
  password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }}
- 
- # Run Maven Deploy (if either running on main or a version tag)
+
+ # Run Maven Deploy (on demand or if either running on main or a version tag)
  - name: Deploy Java via Maven
  if: ${{ ( github.event.inputs.deploy_maven == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
  run: |
@@ -122,9 +124,9 @@ jobs:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
  # Create SemVer or ref tags dependent of trigger event
- - name: Docker Meta Conforming
- id: meta-conf
- uses: docker/metadata-action@v4
+ - name: Docker Meta AAS Bridge
+ id: meta-aas
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
  with:
  images: |
  ${{ steps.set-docker-repo.outputs.REPO }}/aas-bridge
@@ -141,19 +143,19 @@ jobs:
 
  # build in any case, but push only main and version tag settings
  - name: AAS Bridge Container Build and Push
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
  with:
  context: sparql-aas/.
  file: sparql-aas/src/main/docker/Dockerfile
  # Build image for verification purposes on every trigger event. Only push if event is not a PR
  push: ${{ ( github.event.inputs.deploy_docker == 'true' || github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }}
- tags: ${{ steps.meta-hash.outputs.tags }}
- labels: ${{ steps.meta-hash.outputs.labels }}
+ tags: ${{ steps.meta-aas.outputs.tags }}
+ labels: ${{ steps.meta-aas.outputs.labels }}
 
  # Important step to push image description to DockerHub - since this is version independent, we always take it from main
  - name: Update Docker Hub description for AAS Bridge
  if: ${{ steps.set-docker-repo.outputs.REPO == 'docker.io' && github.ref == 'refs/heads/main' }}
- uses: peter-evans/dockerhub-description@v3
+ uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864 # v3.4.2
  with:
  readme-filepath: sparql-aas/README.md
  username: ${{ secrets.DOCKER_HUB_USER }}

diff --git a/.github/workflows/helm-chart-lint.yml b/.github/workflows/helm-chart-lint.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2023 SAP SE 
 # Copyright (c) 2023 T-Systems International GmbH 
@@ -27,14 +28,14 @@ on:
  push:
  branches:
  - main
- - 'releases/**'
+ - 'release/*'
  paths:
  - .github/workflows/**
  - charts/**
  pull_request:
  branches:
  - main
- - 'releases/**'
+ - 'release/*'
  paths:
  - .github/workflows/**
  - charts/**
@@ -59,38 +60,38 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  fetch-depth: 0
 
  - name: Set up Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
  with:
  version: v3.10.3
 
  - uses: ./.github/actions/setup-java
 
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
  with:
  python-version: 3.9
 
  - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.3.1
+ uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
  - name: Run chart-testing (lint)
- run: ct lint --target-branch ${{ github.event.repository.default_branch }} --config charts/config/chart-testing-config.yaml
+ run: ct lint --target-branch ${{ github.base_ref || github.ref_name }} --config charts/config/chart-testing-config.yaml
 
  - name: Run chart-testing (list-changed)
  id: list-changed
  run: |
- changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+ changed=$(ct list-changed --target-branch ${{ github.base_ref || github.ref_name }})
  if [[ -n "$changed" ]]; then
  echo "CHART_CHANGED=true" >> $GITHUB_ENV
  fi
 
  # Preparing a kind cluster to install and test charts on
  - name: Create kind cluster
- uses: container-tools/kind-action@v1
+ uses: container-tools/kind-action@61f1afd4807b0dac84f3232ec99e45c63701d220 # v2.0.1
  with:
  # upgrade version, default (v0.17.0) uses node image v1.21.1 and doesn't work with more recent node image versions
  version: v0.19.0
@@ -100,7 +101,7 @@ jobs:
 
  - name: Build Java/Docker via Maven
  run: |
- ./mvnw -s settings.xml deploy -Drepo=kind-registry:5000/tractusx/ -Dmaven.deploy.skip -DskipTests -Pwith-docker-image 
+ ./mvnw -s settings.xml deploy -Drepo=kind-registry:5000/tractusx/ -Dmaven.deploy.skip -DskipTests -Pwith-docker-image
  if: github.event_name != 'pull_request' || env.CHART_CHANGED == 'true'
  env:
  GITHUB_ACTOR: ${{ github.actor }}

diff --git a/.github/workflows/helm-chart-release.yml b/.github/workflows/helm-chart-release.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation
 #
@@ -22,17 +23,14 @@ name: Release Charts
 on:
  # May be invoked manually
  workflow_dispatch:
- branches:
- - main
- - 'releases/**'
  # Or by pushing to the chart dir of some dev/ release branch
  push:
  # prevent unnecessary GH action runs for files outside of charts folder
  paths:
  - 'charts/**'
  branches:
  - main
- - 'releases/**'
+ - 'release/*'
 
 jobs:
  release:
@@ -43,7 +41,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
  with:
  fetch-depth: 0
 
@@ -53,11 +51,11 @@ jobs:
  git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
  - name: Install Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
  with:
  token: ${{ secrets.GITHUB_TOKEN }}
 
  - name: Run chart-releaser
- uses: helm/chart-releaser-action@v1.4.1
+ uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
  env:
- CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -1,3 +1,4 @@
+---
 #
 # Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
 #
@@ -17,18 +18,17 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
----
 name: "KICS"
 
 on:
  push:
- branches: 
- - main
- - 'releases/**'
+ branches:
+  - main
+  - 'release/*'
  pull_request:
- branches: 
+ branches:
  - main
- - 'releases/**'
+ - 'release/*'
 
  workflow_dispatch:
 
@@ -46,29 +46,30 @@ jobs:
  security-events: write
 
  steps:
- - uses: actions/checkout@v3.5.2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-#
-# Take out 
-# - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable.
-# - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart.
-# - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart.
-# - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline
-# - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality
-# - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible
-#
+
+ #
+ # Take out
+ # - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable.
+ # - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart.
+ # - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart.
+ # - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline
+ # - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality
+ # - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible
+ #
  - name: KICS scan
- uses: checkmarx/kics-github-action@v1.7.0
+ uses: checkmarx/kics-github-action@8a44970e3d2eca668be41abe9d4e06709c3b3609 # v1.7.0
  with:
  path: "."
  fail_on: high
  disable_secrets: true
- output_path: kicsResults/ 
+ output_path: kicsResults/
  exclude_queries: caa3479d-885d-4882-9aac-95e5e78ef5c2,4a20ebac-1060-4c81-95d1-1f7f620e983b,48a5beba-e4c0-4584-a2aa-e6894e4cf424,7c81d34c-8e5a-402b-9798-9f442630e678,8b36775e-183d-4d46-b0f7-96a6f34a723f,e84eaf4d-2f45-47b2-abe8-e581b06deb66
  output_formats: "json,sarif"
 
  - name: Upload SARIF file for GitHub Advanced Security Dashboard
  if: always()
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@689fdc5193eeb735ecb2e52e819e3382876f93f4 # v2.22.6
  with:
  sarif_file: kicsResults/results.sarif