Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/org-security-failure-collector.yml
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ jobs:
- name: Create org installation token
if: steps.app-config.outputs.configured == 'true'
id: app-token
uses: actions/create-github-app-token@v3
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ env.ORG_SECURITY_FAILURE_APP_ID }}
private-key: ${{ env.ORG_SECURITY_FAILURE_APP_PRIVATE_KEY }}
Expand Down
9 changes: 6 additions & 3 deletions .github/workflows/prepare-pypi-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,17 @@ on:
default: PyPI Trusted Publishing release prepared by GitHub Actions Bot.
type: string

# Least-privilege top-level token; the single job below elevates only what it needs.
permissions:
actions: write
contents: write
pull-requests: write
contents: read

jobs:
prepare-release:
runs-on: ubuntu-latest
permissions:
actions: write # dispatch security-process.yml on the release branch
contents: write # commit/push the release branch
pull-requests: write # open/update the release PR
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
RELEASE_VERSION: ${{ inputs.version }}
Expand Down
13 changes: 9 additions & 4 deletions .github/workflows/security-process.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,15 @@ on:
- cron: "31 4 * * 1"
workflow_dispatch:

# Least-privilege top-level token; write scopes are granted per-job below.
permissions:
contents: read
security-events: write
actions: read

jobs:
appguardrail-scan:
runs-on: ubuntu-latest
permissions:
contents: read
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
Expand Down Expand Up @@ -53,14 +54,18 @@ jobs:

trivy-fs:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
steps:
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Run Trivy FS scan
uses: aquasecurity/trivy-action@v0.36.0
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: fs
scan-ref: .
Expand All @@ -77,7 +82,7 @@ jobs:
&& hashFiles('trivy-results.sarif') != ''
&& (github.event_name != 'pull_request'
|| github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0
with:
sarif_file: trivy-results.sarif

Expand Down