From 8968412712452cb0dfdeede24525d7b7a69c5002 Mon Sep 17 00:00:00 2001 From: Dave Thaler Date: Wed, 18 Sep 2024 17:22:49 -0700 Subject: [PATCH] Update github workflow permissions (#193) Resolves 5 code scanning alerts in github Signed-off-by: Dave Thaler --- .github/workflows/AIForOrcas.Client.Web.yaml | 13 ++++++++----- .github/workflows/AIForOrcas.Server.yaml | 13 ++++++++----- .github/workflows/NotificationSystem.yaml | 13 ++++++++----- .github/workflows/OrcaHello.Web.Api.yaml | 13 ++++++++----- .github/workflows/OrcaHello.Web.UI.yaml | 13 ++++++++----- 5 files changed, 40 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/AIForOrcas.Client.Web.yaml b/.github/workflows/AIForOrcas.Client.Web.yaml
index 901ac3f..ebe2cc5 100644
--- a/.github/workflows/AIForOrcas.Client.Web.yaml
+++ b/.github/workflows/AIForOrcas.Client.Web.yaml
@@ -30,6 +30,9 @@ defaults: run: working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Client.Web +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -40,9 +43,9 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Dependencies
@@ -54,7 +57,7 @@ jobs: - name: Publish run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}' - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts 
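Review bot: The new `permissions:` block in the first hunk records only which tool added it (`# added using https://github.com/step-security/secure-repo`), not why `contents: read` is enough, so the next person adding a step that needs a write scope has no guidance on where to widen it. An intent comment such as `# least-privilege GITHUB_TOKEN: checkout appears to need only read; the deploy job authenticates with a publish-profile secret, not the token` would make the choice reviewable, and any job that later needs more should add a job-level `permissions:` override rather than relax this workflow-level default. The same comment applies to the matching hunks in AIForOrcas.Server.yaml, NotificationSystem.yaml, OrcaHello.Web.Api.yaml and OrcaHello.Web.UI.yaml.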
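Review bot: The new `uses:` lines in the second hunk pin to superseded majors — `actions/checkout@… # v2.7.0` and `actions/setup-dotnet@… # v1.9.1` — so the SHA pin now freezes the workflow on release lines that no longer receive fixes; pinning is the right move, but it should pin a currently maintained release. GitHub has been retiring the older Node action runtimes, so if these releases still run on one (worth confirming against each action's release notes) the pinned jobs will start warning and eventually fail. Bump the major in a follow-up and keep the SHA-plus-comment form, e.g. `uses: actions/checkout@<full-sha-of-current-release> # v<release>` (placeholders). The enclosing `build` job starts and ends outside this hunk, and the same point applies to the matching hunks in the other four workflow files.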
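Review bot: The version comment on the new `uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2` in the third hunk names only the floating major tag, unlike the other pins in this commit that record the exact release (`# v2.7.0`, `# v1.9.1`, `# v2.2.13`). A reviewer cannot tell which release the SHA was taken from, and Dependabot/Renovate rely on that comment to recognise and bump SHA-pinned actions, so a major-only comment is likely to leave this pin unmanaged. Record the exact release tag, e.g. `# v2.<minor>.<patch>` (placeholder — read it from the actions/cache release list), and note that v2 is itself an old major that deserves the same bump as checkout. The identical cache pin recurs in the deploy-job hunk of this file and in both cache hunks of each of the other four workflow files.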
@@ -70,12 +73,12 @@ jobs: with: egress-policy: audit - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts - name: Deploy to azure - uses: azure/webapps-deploy@v2 + uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13 with: app-name: ${{ env.AZURE_APP_NAME }} publish-profile: ${{ secrets.AZURE_AISFORORCAS_PUBLISH_PROFILE }}
diff --git a/.github/workflows/AIForOrcas.Server.yaml b/.github/workflows/AIForOrcas.Server.yaml
index 3bb0bef..f3008e6 100644
--- a/.github/workflows/AIForOrcas.Server.yaml
+++ b/.github/workflows/AIForOrcas.Server.yaml
@@ -28,6 +28,9 @@ defaults: run: working-directory: ModeratorFrontEnd/AIForOrcas/AIForOrcas.Server +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -38,9 +41,9 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Dependencies
@@ -52,7 +55,7 @@ jobs: - name: Publish run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}' - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts 
@@ -68,12 +71,12 @@ jobs: with: egress-policy: audit - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts - name: Deploy to azure - uses: azure/webapps-deploy@v2 + uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13 with: app-name: ${{ env.AZURE_APP_NAME }} publish-profile: ${{ secrets.AZURE_AISFORORCASDETECTIONS_PUBLISH_PROFILE }}
diff --git a/.github/workflows/NotificationSystem.yaml b/.github/workflows/NotificationSystem.yaml
index c5da636..5993ca8 100644
--- a/.github/workflows/NotificationSystem.yaml
+++ b/.github/workflows/NotificationSystem.yaml
@@ -24,6 +24,9 @@ defaults: run: working-directory: NotificationSystem +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -34,9 +37,9 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Dependencies
@@ -48,7 +51,7 @@ jobs: - name: Publish run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}' - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts 
@@ -64,12 +67,12 @@ jobs: with: egress-policy: audit - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts - name: Deploy to Azure Functions - uses: azure/functions-action@v1 + uses: azure/functions-action@fd80521afbba9a2a76a99ba1acc07aff8d733d11 # v1.5.2 with: app-name: ${{ env.AZURE_APP_NAME }} publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}
diff --git a/.github/workflows/OrcaHello.Web.Api.yaml b/.github/workflows/OrcaHello.Web.Api.yaml
index 0acefc3..7232a1c 100644
--- a/.github/workflows/OrcaHello.Web.Api.yaml
+++ b/.github/workflows/OrcaHello.Web.Api.yaml
@@ -26,6 +26,9 @@ defaults: run: working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.Api +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -36,9 +39,9 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Dependencies
@@ -50,7 +53,7 @@ jobs: - name: Publish run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}' - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts 
@@ -66,12 +69,12 @@ jobs: with: egress-policy: audit - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts - name: Deploy to azure - uses: azure/webapps-deploy@v2 + uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13 with: app-name: ${{ env.AZURE_APP_NAME }} publish-profile: ${{ secrets.AZURE_ORCAHELLODETECTIONS_PUBLISH_PROFILE }}
diff --git a/.github/workflows/OrcaHello.Web.UI.yaml b/.github/workflows/OrcaHello.Web.UI.yaml
index 3b2de1f..a0c22fe 100644
--- a/.github/workflows/OrcaHello.Web.UI.yaml
+++ b/.github/workflows/OrcaHello.Web.UI.yaml
@@ -26,6 +26,9 @@ defaults: run: working-directory: ModeratorFrontEnd/OrcaHello/OrcaHello.Web.UI +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest
@@ -36,9 +39,9 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up .NET Core - uses: actions/setup-dotnet@v1 + uses: actions/setup-dotnet@608ee757cfcce72c2e91e99aca128e0cae67de87 # v1.9.1 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: Dependencies
@@ -50,7 +53,7 @@ jobs: - name: Publish run: dotnet publish --no-restore -c Release -o './${{ env.PUBLISH_DIR }}' - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR }}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts 
@@ -66,12 +69,12 @@ jobs: with: egress-policy: audit - name: Artifacts cache - uses: actions/cache@v2 + uses: actions/cache@8492260343ad570701412c2f464a5877dc76bace # v2 with: path: ./${{ env.WORKING_DIR}}/${{ env.PUBLISH_DIR }} key: ${{ github.sha }}-${{ env.AZURE_APP_NAME }}-${{ env.DOTNET_RUNTIME }}-artifacts - name: Deploy to azure - uses: azure/webapps-deploy@v2 + uses: azure/webapps-deploy@4bfb30bef2c330e36be280cb1e5726d0fac06233 # v2.2.13 with: app-name: ${{ env.AZURE_APP_NAME }} publish-profile: ${{ secrets.AZURE_ORCAHELLO_PUBLISH_PROFILE }}