ci: Enforce pipeline security (#218)
- Restrict allowed network addresses
- Disable sudo
- Pin NBGV version
- Run CodeQL for every pull request
skarllot authored Oct 17, 2024
1 parent d241552 commit 503bd82
Showing 7 changed files with 87 additions and 12 deletions.
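--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -0,0 +1,14 @@
+{
+"version": 1,
+"isRoot": true,
+"tools": {
+"nbgv": {
+"version": "3.6.143",
+"commands": [
+"nbgv"
+],
+"rollForward": false
+}
+}
+}
+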
19 changes: 17 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -17,10 +17,15 @@ on:
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
paths: [ "src/**", "tests/**", "docs/**", '.github/workflows/codeql.yml' ]
schedule:
- cron: '28 20 * * 1'

env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions:
contents: read

Expand All @@ -44,7 +49,17 @@ jobs:
- name: 🛡️ Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
aka.ms:443
api.github.com:443
api.nuget.org:443
dotnetcli.azureedge.net:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
uploads.github.com:443
- name: 🛒 Checkout repository
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
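Review bot: `registry.npmjs.org:443` in the new allowed-endpoints list is an odd entry for a .NET repository, and nothing in this hunk shows which step needs npm; if it came from the earlier audit-mode run, record that with a comment above the key, e.g. `# registry.npmjs.org: observed in audit mode – drop if a later audit shows no npm traffic`, since a `#` line inside the `>` folded scalar would become part of the value harden-runner receives. With `egress-policy: block` every host the pinned actions download from is now a hard dependency, so a bump of harden-runner, setup-dotnet or the CodeQL action that changes a download host (the `dotnetcli.azureedge.net` CDN is a plausible candidate) will fail the job outright; a comment reminding the next maintainer to re-run in audit mode after action bumps is cheap insurance. Separately, the `paths:` filter on `pull_request` shown as context in the first hunk means pull requests touching only files outside `src/**`, `tests/**`, `docs/**` and this workflow get no CodeQL run, which does not match the "every pull request" wording in the commit message; if CodeQL is a required status check those PRs will sit on a pending check, so either drop the filter or make the check non-required.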
13 changes: 10 additions & 3 deletions .github/workflows/create-tag.yml
Expand Up @@ -7,6 +7,7 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions:
contents: read
Expand All @@ -22,7 +23,13 @@ jobs:
- name: 🛡️ Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
aka.ms:443
api.nuget.org:443
dotnetcli.azureedge.net:443
github.com:443
- name: 🛒 Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
Expand All @@ -35,10 +42,10 @@ jobs:
global-json-file: global.json

- name: 🛠️ Setup Nerdbank.GitVersioning
run: dotnet tool install --tool-path . nbgv
run: dotnet tool restore

- name: 🏷️ Tag release
run: ./nbgv tag
run: dotnet nbgv tag

- name: 🚀 Push Git tags
run: git push --tags
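Review bot: `dotnet tool restore` in the Setup step pins nbgv to the version in `.config/dotnet-tools.json`, but tool manifests have no lock file or content hash, so the pin fixes the version string and not the package bytes served by `api.nuget.org`. On Linux runners the .NET SDK does not, as far as I recall, verify NuGet package signatures by default; adding `DOTNET_NUGET_SIGNATURE_VERIFICATION: true` to the `env:` block would turn signed-package verification on — confirm against the SDK version pinned in `global.json`. `git push --tags` on the last line pushes every local tag rather than only the one `dotnet nbgv tag` just created, and it needs `contents: write` on the job, which is outside this hunk; pushing the single new tag by name would be tighter.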
13 changes: 9 additions & 4 deletions .github/workflows/dependency-review.yml
Expand Up @@ -16,12 +16,17 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- name: 🛡️ Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.securityscorecards.dev:443
github.com:443
- name: 'Checkout Repository'
- name: 🛒 Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
- name: 'Dependency Review'
- name: 🔍 Dependency Review
uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
16 changes: 15 additions & 1 deletion .github/workflows/dotnet.yml
Expand Up @@ -13,6 +13,7 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions:
contents: read
Expand All @@ -26,7 +27,20 @@ jobs:
- name: 🛡️ Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
aka.ms:443
api.codecov.io:443
api.nuget.org:443
auth.docker.io:443
cli.codecov.io:443
dotnetcli.azureedge.net:443
github.com:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
storage.googleapis.com:443
- name: 🛒 Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
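Review bot: Several entries in the new allowed-endpoints list are shared multi-tenant hosts — `storage.googleapis.com:443`, `objects.githubusercontent.com:443`, `registry-1.docker.io:443` — so a compromised step can still write to an attacker-controlled GCS bucket, release asset or Docker repository; the block policy narrows exfiltration paths but does not close them. Say so where the next maintainer will see it, e.g. `# NOTE: storage.googleapis.com and objects.githubusercontent.com are shared hosts; the egress block limits, not prevents, exfiltration` placed above `allowed-endpoints:` — a `#` line inside the `>` folded scalar would be folded into the value and handed to harden-runner as an endpoint. The Docker Hub entries (`auth.docker.io`, `production.cloudflare.docker.com`, `registry-1.docker.io`) suggest the test step pulls images; pinning those images by digest would complement the egress pin, but that step is outside this hunk.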
10 changes: 9 additions & 1 deletion .github/workflows/package.yml
Expand Up @@ -8,6 +8,7 @@ env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: false
DOTNET_NOLOGO: true
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
DOTNET_CLI_TELEMETRY_OPTOUT: true

permissions:
contents: read
Expand All @@ -21,7 +22,14 @@ jobs:
- name: 🛡️ Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
aka.ms:443
api.nuget.org:443
dotnetcli.azureedge.net:443
github.com:443
www.nuget.org:443
- name: 🛒 Checkout
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
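Review bot: `www.nuget.org:443` is presumably the `dotnet nuget push` target (that step is outside this hunk), and the egress block does nothing to protect the push API key from code running on the runner, because the destination it would be sent to is an allowed host. The key itself is the trust boundary here, so scope it on nuget.org to push-only, to this package's ID glob, and with a short expiry, and record that above the key, e.g. `# www.nuget.org: package push – keep the API key push-only and package-scoped`. Comments cannot be placed inside the `>` folded scalar without becoming part of the endpoint list.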
14 changes: 13 additions & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -34,7 +34,19 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout code"
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
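Review bot: The step names in this workflow (`Harden Runner`, `"Checkout code"`) were left without the emoji prefixes the same commit gives every other workflow, a small inconsistency across the files touched here; `- name: 🛡️ Harden Runner` and `- name: 🛒 Checkout` would keep the job logs uniform. The `fulcio.sigstore.dev`, `rekor.sigstore.dev` and `tuf-repo-cdn.sigstore.dev` entries are what publishing scorecard results needs, which implies `id-token: write` on the job; that permission block is outside this hunk, so I am inferring it rather than seeing it.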
