diff --git a/.github/workflows/aliases.yml b/.github/workflows/aliases.yml
deleted file mode 100644
index 583f108..0000000
--- a/.github/workflows/aliases.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-name: Alias
-
-on:
- workflow_dispatch:
- push:
- tags:
- - "v[0-9]+.[0-9]+.[0-9]+"
-
-permissions:
- contents: read # for checkout
-
-jobs:
- release:
- runs-on: ubuntu-latest
-
- permissions:
- contents: write # to be able to publish a GitHub release
-
- steps:
- - name: github auth
- id: bot
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
- with:
- app-id: ${{ secrets.GH_BOT_APP_ID }}
- private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
-
- - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
- with:
- github-token: ${{ steps.bot.outputs.token }}
- script: |
- const version = context.ref.replace('refs/tags/v', '')
- const [major, minor, patch] = version.split('.')
-
- core.debug(`${context.ref} -> major: ${major}, minor: ${minor} patch" ${patch}`)
-
- for (const version of [major, `${major}.${minor}`]) {
- // delete existing tag
- await github.rest.git.deleteRef({ ...context.repo, ref: `tags/v${version}` }).catch(() => {})
-
- // create new tag
- await github.rest.git.createRef({ ...context.repo, ref: `refs/tags/v${version}` , sha: context.sha })
- }
-
- // create a release from major version and set as latest
- await github.rest.repos.createRelease({ ...context.repo, tag_name: `v${major}`, make_latest: 'true' })
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1387ad8..3cfee0f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,19 +18,19 @@ jobs:
 # setup github auth with bot
 - name: github auth
 id: bot
- uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42
+ uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
 with:
 app-id: ${{ secrets.GH_BOT_APP_ID }}
 private-key: ${{ secrets.GH_BOT_APP_PEM_FILE }}
 - name: checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 persist-credentials: false
 - name: setup node
- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
+ uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version-file: package.json
 cache: npm
diff --git a/README.md b/README.md
index dc25fd1..dafa2f5 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,16 @@ This action can run in multiple modes:
 - [Socket Firewall: Enterprise](#socket-firewall-enterprise)
 - Socket CLI: _Coming soon_
+### Why We Recommend Pinning
+
+Socket is a security control, so the action that installs it should be pinned, too. We recommend pinning to an immutable commit SHA for the strongest supply-chain protection. If your organization prefers easier readability, pin to an immutable version tag instead. Either way, Dependabot can keep the reference current while preserving a human review gate.
+
 ### Socket Firewall: Free
 Downloads and installs [Socket Firewall: Free](https://github.com/SocketDev/sfw-free) edition in your GitHub Action job, making it available to use in subsequent steps.
+#### Most secure: pin to a commit SHA
+
 ```yaml
 on: push
@@ -25,9 +31,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: SocketDev/action@v1
+ - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
 with:
 mode: firewall-free
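Review bot: The `# v2.1.4`, `# v6.0.2` and `# v5.0.0` trailers added to the three `uses:` lines are unverified annotations — nothing in the workflow checks that each SHA is the commit the named tag resolves to, and since only the `actions/checkout` SHA actually changes here, a wrong trailer on the two unchanged pins would go unnoticed while readers and version-aware update tooling treat it as the pinned version. Confirm each SHA against its upstream tag before merging, e.g. `git ls-remote --tags https://github.com/actions/checkout 'v6.0.2*'` should show `de0fac2e4500dabe0009e67214ff5f5447ce83dd` (as the peeled `^{}` entry if the tag is annotated), and keep the trailer in lockstep with the SHA on every future bump. A short comment above the first step stating the convention, such as `# actions are pinned to a full commit SHA; the trailing comment must name the tag that SHA resolves to`, makes that expectation explicit for the next editor. The `jobs:`/`steps:` block these lines belong to starts before and ends after the hunk.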
@@ -41,6 +47,49 @@ jobs:
 - run: sfw pip install -r requirements.txt
 ```
+#### Slightly less secure: pin to an immutable version tag
+
+```yaml
+on: push
+
+jobs:
+ safe-install:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: SocketDev/action@v1.3.1
+ with:
+ mode: firewall-free
+
+ # javascript / typescript
+ - run: sfw npm install # or yarn, pnpm
+
+ # rust
+ - run: sfw cargo fetch
+
+ # python
+ - run: sfw pip install -r requirements.txt
+```
+
+#### Dependabot config
+
+```yaml
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
+```
+
+Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.
+
 #### Inputs
 | Input | Description | Required | Default |
@@ -61,6 +110,35 @@ jobs:
 Downloads and installs [Socket Firewall: Enterprise](https://github.com/SocketDev/firewall-release) edition in your GitHub Action job, making it available to use in subsequent steps as a wrapper.
+#### Most secure: pin to a commit SHA
+
+```yaml
+on: push
+
+jobs:
+ safe-install:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
+ with:
+ mode: firewall-enterprise
+ socket-token: ${{ secrets.SOCKET_API_KEY }}
+
+ # javascript / typescript
+ - run: sfw npm install # or yarn, pnpm
+
+ # rust
+ - run: sfw cargo fetch
+
+ # python
+ - run: sfw pip install -r requirements.txt
+```
+
+#### Slightly less secure: pin to an immutable version tag
+
 ```yaml
 on: push
@@ -69,9 +147,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: SocketDev/action@v1
+ - uses: SocketDev/action@v1.3.1
 with:
 mode: firewall-enterprise
 socket-token: ${{ secrets.SOCKET_API_KEY }}
@@ -86,6 +164,23 @@ jobs:
 - run: sfw pip install -r requirements.txt
 ```
+#### Dependabot config
+
+```yaml
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ semver-major-days: 14
+ semver-minor-days: 7
+ semver-patch-days: 3
+```
+
+Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.
+
 #### Inputs
 | Input | Description | Required | Default |