From 208fdd236cdd01f7eb4ac43d8f1bc51b4fbb6148 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 26 May 2026 10:38:39 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .devcontainer/Dockerfile | 2 +- .github/actions/artifacts-attest/action.yml | 2 +- .github/actions/artifacts-restore/action.yml | 8 +- .github/actions/cache-restore/action.yml | 6 +- .github/actions/docker-manifests/action.yml | 4 +- .github/actions/docker-publish/action.yml | 4 +- .github/actions/docker-setup/action.yml | 2 +- .github/actions/docker-test/action.yml | 4 +- .github/dependabot.yml | 57 ++++++++++++-- .github/workflows/_artifacts_linux.yml | 13 +++- .github/workflows/_artifacts_windows.yml | 11 ++- .github/workflows/_build.yml | 13 +++- .github/workflows/_docker.yml | 11 ++- .github/workflows/_docker_manifests.yml | 9 ++- .github/workflows/_prepare.yml | 20 +++-- .github/workflows/_publish.yml | 16 +++- .github/workflows/_unit_tests.yml | 18 +++-- .github/workflows/ci.yml | 16 +++- .github/workflows/codeql-analysis.yml | 15 ++-- .github/workflows/dependency-review.yml | 27 +++++++ .github/workflows/docs.yml | 33 +++++--- .github/workflows/format.yml | 9 ++- .github/workflows/gittools-actions.yml | 11 ++- .github/workflows/homebrew.yml | 9 ++- .github/workflows/mkdocs.yml | 11 ++- .github/workflows/new-cli.yml | 9 ++- .github/workflows/public-api.yml | 9 ++- .github/workflows/release.yml | 12 ++- .github/workflows/scorecards.yml | 81 ++++++++++++++++++++ .github/workflows/stale.yml | 7 +- .github/workflows/winget.yml | 9 ++- .pre-commit-config.yaml | 14 ++++ 32 files changed, 385 insertions(+), 87 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml create mode 100644 .pre-commit-config.yaml diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 5f35c29825..276b343276 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile 
@@ -1,4 +1,4 @@ -FROM mcr.microsoft.com/devcontainers/dotnet:dev-10.0 +FROM mcr.microsoft.com/devcontainers/dotnet:dev-10.0@sha256:790bc8735b79677495f88c199ad5269e5c1ebb094078e2b663c841bc49dfabcd # [Optional] Uncomment this section to install additional OS packages. # RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ diff --git a/.github/actions/artifacts-attest/action.yml b/.github/actions/artifacts-attest/action.yml index aa4547a256..c9e71278f1 100644 --- a/.github/actions/artifacts-attest/action.yml +++ b/.github/actions/artifacts-attest/action.yml @@ -5,7 +5,7 @@ runs: using: 'composite' steps: - name: 'Attestation' - uses: actions/attest-build-provenance@v4.1.0 + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 with: subject-path: | ${{ github.workspace }}/artifacts/packages/native diff --git a/.github/actions/artifacts-restore/action.yml b/.github/actions/artifacts-restore/action.yml index b69757c8c1..8d45711a96 100644 --- a/.github/actions/artifacts-restore/action.yml +++ b/.github/actions/artifacts-restore/action.yml 
@@ -4,25 +4,25 @@ description: 'Artifacts restore' runs: using: 'composite' steps: - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native linux packages with: name: native-Linux path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native windows packages with: name: native-Windows path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native macos packages with: name: native-macOS path: ${{ github.workspace }}/artifacts/packages/native - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget diff --git a/.github/actions/cache-restore/action.yml b/.github/actions/cache-restore/action.yml index 192a459441..2667ab4a96 100644 --- a/.github/actions/cache-restore/action.yml +++ b/.github/actions/cache-restore/action.yml @@ -6,19 +6,19 @@ runs: steps: - name: Use cached cake frosting id: cache-cake - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json diff --git a/.github/actions/docker-manifests/action.yml b/.github/actions/docker-manifests/action.yml index 5c1acd4771..f9ed827f2f 100644 
--- a/.github/actions/docker-manifests/action.yml +++ b/.github/actions/docker-manifests/action.yml @@ -24,7 +24,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -37,7 +37,7 @@ runs: --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub - name: Login to GitHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-publish/action.yml b/.github/actions/docker-publish/action.yml index 8835c1e733..a868b5b445 100644 --- a/.github/actions/docker-publish/action.yml +++ b/.github/actions/docker-publish/action.yml @@ -27,7 +27,7 @@ runs: using: 'composite' steps: - name: Login to DockerHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: username: ${{ inputs.docker_registry_username }} password: ${{ inputs.docker_registry_password }} @@ -40,7 +40,7 @@ runs: --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic - name: Login to GitHub - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ inputs.github_registry_username }} diff --git a/.github/actions/docker-setup/action.yml b/.github/actions/docker-setup/action.yml index 2e43c229be..5ae87271b3 100644 --- a/.github/actions/docker-setup/action.yml +++ b/.github/actions/docker-setup/action.yml 
@@ -5,6 +5,6 @@ runs: using: 'composite' steps: - name: Set up Docker - uses: docker/setup-docker-action@v5 + uses: docker/setup-docker-action@b2189fbf2a6592b51fee7cdd93ee2bfaeba733db # v5.1.0 with: daemon-config: '{ "features": { "containerd-snapshotter": true } }' diff --git a/.github/actions/docker-test/action.yml b/.github/actions/docker-test/action.yml index 2b9686f419..c3852a76d4 100644 --- a/.github/actions/docker-test/action.yml +++ b/.github/actions/docker-test/action.yml @@ -15,7 +15,7 @@ runs: using: 'composite' steps: - name: '[Docker Build & Test] DockerHub' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 @@ -27,7 +27,7 @@ runs: --docker_distro=${{ inputs.docker_distro }} --docker_registry dockerhub --verbosity=diagnostic - name: '[Docker Build & Test] GitHub' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cf320504ae..364fb9fc90 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -47,9 +47,45 @@ updates: patterns: - "JsonSchemaNet.*" directories: - - "/build" - - "/new-cli" - - "/src" + - /build + - /new-cli + - /src + - /build/artifacts + - /build/build + - /build/common + - /build/config + - /build/docker + - /build/docs + - /build/publish + - /build/release + - /new-cli/GitVersion.Calculation + - /new-cli/GitVersion.Cli.Generator.Tests + - /new-cli/GitVersion.Cli.Generator + - /new-cli/GitVersion.Cli + - /new-cli/GitVersion.Common.Command + - /new-cli/GitVersion.Common + - /new-cli/GitVersion.Configuration + - /new-cli/GitVersion.Core.Libgit2Sharp + - /new-cli/GitVersion.Core.Tester + - /new-cli/GitVersion.Core + - /new-cli/GitVersion.Normalization + - /new-cli/GitVersion.Output + - /src/GitVersion.App.Tests + - /src/GitVersion.App + - /src/GitVersion.BuildAgents.Tests + - /src/GitVersion.BuildAgents + - /src/GitVersion.Configuration.Tests + - /src/GitVersion.Configuration + - /src/GitVersion.Core.Tests + - /src/GitVersion.Core + - /src/GitVersion.LibGit2Sharp + - /src/GitVersion.MsBuild.Tests + - /src/GitVersion.MsBuild + - /src/GitVersion.Output.Tests + - /src/GitVersion.Output + - /src/GitVersion.Schema + - /src/GitVersion.Testing + - /tests/integration schedule: interval: cron cronjob: "0 12 * * *" @@ -65,8 +101,9 @@ updates: patterns: - "actions/*" directories: - - "/.github/workflows" - - "/.github/actions" + - /.github/workflows + - /.github/actions + - / schedule: interval: cron cronjob: "0 12 * * *" @@ -84,3 +121,13 @@ updates: schedule: interval: cron cronjob: "0 12 1,15 * *" + + - package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: daily + + - package-ecosystem: docker + directory: /build/docker + schedule: + interval: daily diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml index 7f066c2bcf..4c67c8cca8 100644 --- a/.github/workflows/_artifacts_linux.yml +++ b/.github/workflows/_artifacts_linux.yml 
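Review bot: The github-actions entry in the second hunk now lists `- /` next to `- /.github/workflows` and `- /.github/actions`; for the github-actions ecosystem a directory of `/` is the conventional way to point Dependabot at `.github/workflows`, so the two entries most likely describe the same files and may yield duplicate or conflicting update PRs — confirm against Dependabot's documented behaviour before keeping both. The nuget list in the first hunk likewise contains the parent directories (`/build`, `/new-cli`, `/src`) together with every project directory beneath them, which can scan the same project files twice; keep one level or the other. The two new docker entries in the third hunk use `interval: daily` while every other entry in this file uses `interval: cron` with `cronjob: "0 12 * * *"`, so their PRs will land outside the window the rest of the file was tuned for.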
@@ -28,21 +28,26 @@ jobs: docker_distro: ${{ fromJson(inputs.docker_distros) }} dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download native packages with: name: native-Linux @@ -52,7 +57,7 @@ jobs: uses: ./.github/actions/docker-setup - name: '[Test Artifacts]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml index 14d2ba1be7..9684853f53 100644 --- a/.github/workflows/_artifacts_windows.yml +++ b/.github/workflows/_artifacts_windows.yml 
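Review bot: The new `Harden the runner` step in `_artifacts_linux.yml` runs with `egress-policy: audit`, which only records the job's outbound connections and prevents none of them, so by itself it does not limit what a compromised dependency or action could reach from this runner. Audit mode is a sensible first rollout, but the control only becomes effective once the recorded endpoints are reviewed and the step is moved to `egress-policy: block` with an `allowed-endpoints` list; it is worth tracking that follow-up so the step does not stay in audit mode indefinitely. The same applies to every other workflow in this patch that adds the step (`_artifacts_windows.yml`, `_build.yml`, `_docker.yml`, `_docker_manifests.yml`, `_prepare.yml`, `_publish.yml`, `_unit_tests.yml`, `ci.yml`, `codeql-analysis.yml`, `dependency-review.yml`, `docs.yml`, `format.yml`, `gittools-actions.yml`, `homebrew.yml`, `mkdocs.yml`, `new-cli.yml`, `public-api.yml`, `release.yml`, `scorecards.yml`). For the matrix jobs that run on Windows or macOS runners, confirm the agent actually supports that platform at the pinned version; where it does not, the step is a no-op and the audit data will cover Linux legs only.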
@@ -15,22 +15,27 @@ jobs: package: [ Executable, MsBuildFull ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: '[Test Artifacts]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index a3edd1253b..c89964634e 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -15,8 +15,13 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 
@@ -28,21 +33,21 @@ jobs: run: dotnet run/build.dll --target=Package - name: 'Upload nuget packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os == 'windows-2025-vs2026' with: name: nuget path: ${{ github.workspace }}/artifacts/packages/nuget - name: 'Upload native packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os == 'windows-2025-vs2026' with: name: native-${{ runner.os }} path: ${{ github.workspace }}/artifacts/packages/native/*.zip - name: 'Upload native packages' - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 if: matrix.os != 'windows-2025-vs2026' with: name: native-${{ runner.os }} diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml index f7430748bb..d6a0cf804f 100644 --- a/.github/workflows/_docker.yml +++ b/.github/workflows/_docker.yml @@ -34,15 +34,20 @@ jobs: docker_distro: ${{ fromJson(inputs.docker_distros) }} dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget 
@@ -62,7 +67,7 @@ jobs: - name: Load DockerHub credentials id: dockerhub-creds if: success() && inputs.publish_images - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml index bdc362243e..39aee66043 100644 --- a/.github/workflows/_docker_manifests.yml +++ b/.github/workflows/_docker_manifests.yml @@ -28,8 +28,13 @@ jobs: docker_distro: ${{ fromJson(inputs.docker_distros) }} dotnet_version: ${{ fromJson(inputs.dotnet_versions) }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -42,7 +47,7 @@ jobs: - name: Load DockerHub credentials if: inputs.publish_manifests id: dockerhub-creds - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/.github/workflows/_prepare.yml b/.github/workflows/_prepare.yml index 6a6bf82ec3..63d8ab9126 100644 --- a/.github/workflows/_prepare.yml +++ b/.github/workflows/_prepare.yml 
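Review bot: The `gittools/cicd/dockerhub-creds` pin in the second hunk is annotated `# v5`, a moving major tag rather than the specific release the SHA corresponds to, unlike the other pins in this patch which record a full version (`# v6.0.2`, `# v5.0.5`). A reader verifying `824c3d773fb5d1b00c26b474ae88b7ce9ae555ee` therefore has nothing exact to check it against, and a later bump of the `v5` tag leaves the comment looking unchanged. If `gittools/cicd` publishes full release tags, record the one containing this commit (`# v5.<minor>.<patch>` is a placeholder for whatever tag exists); if it only publishes major tags, a short comment saying so would stop the next reviewer from flagging it. The same pattern appears in `_docker_manifests.yml`, `_publish.yml`, `ci.yml`, `gittools-actions.yml`, `homebrew.yml`, `mkdocs.yml` and `public-api.yml`.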
@@ -22,25 +22,30 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache cake frosting id: cache-cake - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json @@ -59,8 +64,13 @@ jobs: docker_distros: ${{ steps.set_matrix.outputs.docker_distros }} dotnet_versions: ${{ steps.set_matrix.outputs.dotnet_versions }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Restore State uses: ./.github/actions/cache-restore diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml index 9145ca34d1..aa4eb92063 100644 --- a/.github/workflows/_publish.yml +++ b/.github/workflows/_publish.yml @@ -9,6 +9,9 @@ env: DOTNET_INSTALL_DIR: "./.dotnet" DOTNET_ROLL_FORWARD: "Major" +permissions: + contents: read + jobs: publish: name: ${{ matrix.taskName }} 
@@ -23,15 +26,20 @@ jobs: taskName: [ NuGet, Chocolatey ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 name: Download nuget packages with: name: nuget @@ -40,14 +48,14 @@ jobs: - name: Load NuGet credentials id: nuget-creds if: inputs.publish_packages - uses: gittools/cicd/nuget-creds@v5 + uses: gittools/cicd/nuget-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Load Chocolatey credentials id: choco-creds if: inputs.publish_packages - uses: gittools/cicd/choco-creds@v5 + uses: gittools/cicd/choco-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml index a6288bd517..768fe1b457 100644 --- a/.github/workflows/_unit_tests.yml +++ b/.github/workflows/_unit_tests.yml @@ -11,6 +11,9 @@ env: DOTNET_INSTALL_DIR: "./.dotnet" DOTNET_ROLL_FORWARD: "Major" +permissions: + contents: read + jobs: unit_test: name: ${{ matrix.os }} - net${{ matrix.dotnet_version }} 
@@ -24,15 +27,20 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Restore State uses: ./.github/actions/cache-restore - name: '[Unit Test]' - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: shell: pwsh timeout_minutes: 30 @@ -41,13 +49,13 @@ jobs: command: 'dotnet run/build.dll --target=UnitTest --dotnet_version=${{ matrix.dotnet_version }}' - name: Test Summary - uses: test-summary/action@v2.6 + uses: test-summary/action@37b508cfee6d4d080eedd00b5bb240a6a784a6a5 # v2.6 if: always() && matrix.dotnet_version == '10.0' with: paths: artifacts/test-results/**/results.xml - name: Upload Coverage - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: files: artifacts/test-results/**/results.xml @@ -55,7 +63,7 @@ jobs: use_oidc: true - name: Upload Coverage - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1 if: success() && inputs.publish_coverage && matrix.dotnet_version == '10.0' with: directory: artifacts/test-results diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a6297e955..9e47211419 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -53,6 +53,11 @@ jobs: outputs: can_publish: ${{ steps.flags.outputs.can_publish }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Resolve publish flag id: flags shell: bash 
@@ -148,8 +153,13 @@ jobs: GITHUB_TOKEN: ${{ github.token }} CAN_PUBLISH: ${{ github.event_name == 'repository_dispatch' }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -166,7 +176,7 @@ jobs: - name: Load DockerHub credentials id: dockerhub-creds if: env.CAN_PUBLISH == 'true' - uses: gittools/cicd/dockerhub-creds@v5 + uses: gittools/cicd/dockerhub-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} @@ -184,7 +194,7 @@ jobs: - name: '[Publish Release]' if: github.event_name == 'repository_dispatch' - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ github.token }} repository: ${{ github.repository }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 944cca470c..e0ba02eb68 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -49,26 +49,31 @@ jobs: language: [ 'csharp' ] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 with: languages: ${{ matrix.language }} tools: linked - name: Cache cake frosting id: cache-cake - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json @@ -81,4 +86,4 @@ jobs: run: dotnet run/build.dll --target=BuildPrepare --exclusive - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..4b945344af --- /dev/null +++ b/.github/workflows/dependency-review.yml 
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 503302df17..989715ef82 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -36,21 +36,26 @@ jobs: runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: Cache cake frosting id: cache-cake - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: run key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} - name: Use cached tools id: cache-tools - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: tools key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} 
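Review bot: The new `dependency-review.yml` checks out with `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` while every existing workflow touched by this patch is pinned to `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`; the new `scorecards.yml` uses the v4.3.1 pin as well. Two pinned versions of the same action give Dependabot two things to bump and a reviewer two SHAs to verify, so using the existing v6.0.2 pin here keeps the repository on a single version. The checkout step here also omits `persist-credentials: false`, which `scorecards.yml` does set; this job only needs to read manifests, and not persisting the token keeps `GITHUB_TOKEN` out of `.git/config` for the following step.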
@@ -64,14 +69,14 @@ jobs: - name: Cache Node Modules id: cache-node - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ${{ steps.cache-node-dir.outputs.dir }} key: node-${{ runner.os }}-${{ hashFiles('./package-lock.json') }} restore-keys: node-${{ runner.os }} - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json @@ -88,8 +93,13 @@ jobs: needs: [ prepare ] runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -101,7 +111,7 @@ jobs: run: dotnet run/docs.dll --target=BuildDocs - name: '[HTMLProofer]' - uses: chabad360/htmlproofer@master + uses: chabad360/htmlproofer@a1a3419200cea0e832a5c6249647d1d271178e82 # master with: directory: ./artifacts/docs/preview arguments: --ignore-urls /api/,/docs/,/5.12.0/ --allow-hash-href --allow-missing-href --assume-extension --disable-external --no-check_external_hash @@ -113,7 +123,7 @@ jobs: echo "value=$value" >> $GITHUB_OUTPUT - name: '[Remark Lint]' - uses: reviewdog/action-remark-lint@v5 + uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5.18.0 with: github_token: ${{ github.token }} reporter: ${{ steps.reporter.outputs.value }} 
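Review bot: The `chabad360/htmlproofer` pin in the third hunk is a commit SHA annotated `# master`, i.e. a branch head rather than a release, so the comment does not tell a reader which version the SHA represents and version-tracking tooling has no tag to follow. Replacing the floating `@master` reference with a SHA is the right change; if the action publishes tagged releases, pin to the tag's commit and record it (`# v<tag>` as a placeholder for whatever tag exists), otherwise add the commit date to the comment so the age of the pin is visible at a glance.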
@@ -129,8 +139,13 @@ jobs: GITHUB_TOKEN: ${{ github.token }} GITHUB_USERNAME: ${{ github.actor }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index be0be7f8d3..8ca9e79d0d 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -39,11 +39,16 @@ jobs: runs-on: ubuntu-24.04 name: DotNet Format steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json diff --git a/.github/workflows/gittools-actions.yml b/.github/workflows/gittools-actions.yml index 33b018fbd5..b10f73bfc7 100644 --- a/.github/workflows/gittools-actions.yml +++ b/.github/workflows/gittools-actions.yml @@ -23,6 +23,11 @@ jobs: name: Update GitTools Actions runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get version id: get-version shell: pwsh 
@@ -35,13 +40,13 @@ jobs: - name: Load GitHub App credentials id: github-app-creds - uses: gittools/cicd/github-app-creds@v5 + uses: gittools/cicd/github-app-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - name: Generate GitHub App Token id: app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 with: app-id: ${{ steps.github-app-creds.outputs.gh_app_id }} private-key: ${{ steps.github-app-creds.outputs.gh_app_private_key }} @@ -49,7 +54,7 @@ jobs: repositories: actions permission-contents: write - - uses: peter-evans/repository-dispatch@v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 name: Update GitTools Actions with: token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index 0b9091b4cc..5ec4b5321f 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -19,6 +19,11 @@ jobs: name: Bump Homebrew formula runs-on: macos-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get version id: get-version shell: pwsh @@ -31,11 +36,11 @@ jobs: - name: Load GitHub release token id: github-creds - uses: gittools/cicd/github-creds@v5 + uses: gittools/cicd/github-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - - uses: mislav/bump-homebrew-formula-action@v4 + - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4.1 name: Bump Homebrew formula with: formula-name: gitversion diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index 7b878553c1..fe6a611152 100644 --- a/.github/workflows/mkdocs.yml 
+++ b/.github/workflows/mkdocs.yml @@ -28,14 +28,19 @@ jobs: name: Update Markdown (embedded snippets) runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: gittools/cicd/checkout@v5 + uses: gittools/cicd/checkout@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} fetch-depth: 1 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json @@ -46,6 +51,6 @@ jobs: working-directory: ${{ github.workspace }}/docs/input - name: Commit and push markdown docs changes - uses: gittools/cicd/git-commit-push@v5 + uses: gittools/cicd/git-commit-push@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: message: "include markdown docs changes" diff --git a/.github/workflows/new-cli.yml b/.github/workflows/new-cli.yml index 3183ce0de0..22b9ef4b4b 100644 --- a/.github/workflows/new-cli.yml +++ b/.github/workflows/new-cli.yml @@ -40,11 +40,16 @@ jobs: runs-on: ubuntu-24.04 name: Build & Test (new-cli) steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup .NET SDK - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: global-json-file: global.json diff --git a/.github/workflows/public-api.yml b/.github/workflows/public-api.yml index 58a5205a72..76415f07c7 100644 --- a/.github/workflows/public-api.yml +++ b/.github/workflows/public-api.yml 
@@ -14,8 +14,13 @@ jobs: name: Mark public API as shipped runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: gittools/cicd/checkout@v5 + uses: gittools/cicd/checkout@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} fetch-depth: 0
@@ -24,6 +29,6 @@ jobs: run: ./src/mark-shipped.ps1 - name: Commit and push changes - uses: gittools/cicd/git-commit-push@v5 + uses: gittools/cicd/git-commit-push@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: message: "include public API changes"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a9599e401..952b24fe74 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,9 @@ on: release: types: [ published ] +permissions: + contents: read + jobs: release: name: Trigger ci flow
@@ -10,8 +13,13 @@ jobs: permissions: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Get version id: get-version
@@ -21,7 +29,7 @@ jobs: $TAG="${{ github.ref }}".Replace("refs/tags/", "") "tag=$TAG" >> $env:GITHUB_OUTPUT - - uses: peter-evans/repository-dispatch@v4 + - uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ github.token }} repository: ${{ github.repository }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000000..badd49d376
--- /dev/null
+++ b/.github/workflows/scorecards.yml 
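Review bot: The newly pinned `actions/checkout` line in the release job still checks out with the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is stored in `.git/config` for the rest of the job even though the steps visible in these hunks (the pwsh version step and the repository-dispatch step, which receives `${{ github.token }}` explicitly) never push with git. Because the job declares `contents: write`, the persisted token is a write-capable one, which makes the checkout the widest-reaching place for any later step to pick it up. Add `with:` / `persist-credentials: false` under the checkout step, exactly as the new scorecards.yml in this same commit already does; the `actions/checkout` pin added in new-cli.yml has the same gap. The release job continues past the last hunk, so I cannot confirm no later step relies on the persisted credential.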
@@ -0,0 +1,81 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + # To allow GraphQL ListCommits to work + issues: read + pull-requests: read + # To detect SAST tools + checks: read + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0 + with: + sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 268a3c6c3f..ac6c6ccee4 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -13,7 +13,12 @@ jobs: stale: runs-on: ubuntu-24.04 steps: - - uses: actions/stale@v10 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 with: operations-per-run: 100 # set 'stale' label
diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
index 6a6852a5ac..47590f6f86 100644
--- a/.github/workflows/winget.yml
+++ b/.github/workflows/winget.yml 
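Review bot: The new scorecards workflow pins `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` while the same commit pins `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in new-cli.yml and release.yml, so the repository now carries two pins of one action and the older one sits in the supply-chain workflow itself; use the v6.0.2 pin here too, so there is a single entry for the dependency updater to track. The job is also the only one in the diff on `runs-on: ubuntu-latest` rather than the `ubuntu-24.04` the other workflows use, which is worth aligning for reproducibility. On the positive side, `persist-credentials: false` and the job-scoped `permissions:` block are the pattern the other workflows in this commit should follow.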
@@ -17,6 +17,11 @@ jobs: name: Bump winget manifest runs-on: ubuntu-24.04 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get version id: get-version shell: pwsh
@@ -35,11 +40,11 @@ jobs: - name: Load GitHub release token id: github-creds - uses: gittools/cicd/github-creds@v5 + uses: gittools/cicd/github-creds@824c3d773fb5d1b00c26b474ae88b7ce9ae555ee # v5 with: op_service_account_token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} - - uses: michidk/run-komac@v2.1.0 + - uses: michidk/run-komac@9b27eadc6e9235c252444a437d246c139da2f57f # v2.1.0 env: GITHUB_TOKEN: ${{ steps.github-creds.outputs.github_release_token }} with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000000..d8562a434e
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace
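Review bot: The three `rev:` values in the new .pre-commit-config.yaml (`v8.16.3`, `3.0.0`, `v4.4.0`) are tags, not commit SHAs, which is the opposite of the pin-to-SHA rule this commit applies to every `uses:` line; pre-commit accepts a full commit hash in `rev`, and a tag can be re-pointed. Pin each hook to the commit its tag resolves to and keep the tag as a trailing comment, e.g. `rev: <commit-sha>  # v8.16.3` (placeholder for the resolved hash). Note also that pre-commit hooks only run on developer machines where they are installed, so the gitleaks hook here is not a CI control — if secret scanning is meant to gate merges, it needs a workflow step as well.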