From 503bd828793446f504d5db8c9d0f29242742a20a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabr=C3=ADcio=20Godoy?= Date: Wed, 16 Oct 2024 22:03:29 -0300 Subject: [PATCH] ci: Enforce pipeline security (#218) - Restrict allowed network addresses - Disable sudo - Pinpoint NBGV version - Run CodeQL for every pull request --- .config/dotnet-tools.json | 14 ++++++++++++++ .github/workflows/codeql.yml | 19 +++++++++++++++++-- .github/workflows/create-tag.yml | 13 ++++++++++--- .github/workflows/dependency-review.yml | 13 +++++++++---- .github/workflows/dotnet.yml | 16 +++++++++++++++- .github/workflows/package.yml | 10 +++++++++- .github/workflows/scorecard.yml | 14 +++++++++++++- 7 files changed, 87 insertions(+), 12 deletions(-) create mode 100644 .config/dotnet-tools.json diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json new file mode 100644 index 0000000..bb3a64f --- /dev/null +++ b/.config/dotnet-tools.json @@ -0,0 +1,14 @@ +{ + "version": 1, + "isRoot": true, + "tools": { + "nbgv": { + "version": "3.6.143", + "commands": [ + "nbgv" + ], + "rollForward": false + } + } + } + \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ab82a54..d30e671 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -17,10 +17,15 @@ on: pull_request: # The branches below must be a subset of the branches above branches: [ "main" ] - paths: [ "src/**", "tests/**", "docs/**", '.github/workflows/codeql.yml' ] schedule: - cron: '28 20 * * 1' +env: + DOTNET_GENERATE_ASPNET_CERTIFICATE: false + DOTNET_NOLOGO: true + DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + DOTNET_CLI_TELEMETRY_OPTOUT: true + permissions: contents: read 
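Review bot: The new `.config/dotnet-tools.json` is committed without a trailing newline (`\ No newline at end of file`), so the next edit to it will show a spurious change on the closing brace; end the file with a newline. Note that `"rollForward": false` governs runtime roll-forward, not the tool version (the manifest version is exact either way), so if the SDK pinned by `global.json` ships only a runtime newer than the one nbgv 3.6.143 targets, `dotnet nbgv` will refuse to run — worth confirming against that SDK once. The three-line `"commands"` array can be collapsed to `"commands": [ "nbgv" ]` for readability.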
@@ -44,7 +49,17 @@ jobs: - name: 🛡️ Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + aka.ms:443 + api.github.com:443 + api.nuget.org:443 + dotnetcli.azureedge.net:443 + github.com:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 + uploads.github.com:443 - name: 🛒 Checkout repository uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml index c6ba63b..536f813 100644 --- a/.github/workflows/create-tag.yml +++ b/.github/workflows/create-tag.yml @@ -7,6 +7,7 @@ env: DOTNET_GENERATE_ASPNET_CERTIFICATE: false DOTNET_NOLOGO: true DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + DOTNET_CLI_TELEMETRY_OPTOUT: true permissions: contents: read @@ -22,7 +23,13 @@ jobs: - name: 🛡️ Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + aka.ms:443 + api.nuget.org:443 + dotnetcli.azureedge.net:443 + github.com:443 - name: 🛒 Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 @@ -35,10 +42,10 @@ jobs: global-json-file: global.json - name: 🛠️ Setup Nerdbank.GitVersioning - run: dotnet tool install --tool-path . nbgv + run: dotnet tool restore - name: 🏷️ Tag release - run: ./nbgv tag + run: dotnet nbgv tag - name: 🚀 Push Git tags run: git push --tags \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7b0990b..8c0b1fb 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
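Review bot: The `allowed-endpoints` list in this hunk gives no indication of which step needs hosts such as `registry.npmjs.org:443` or `objects.githubusercontent.com:443`, so a later maintainer can neither prune it safely nor tell whether a new step belongs on it; the same applies to the lists added in create-tag.yml, dependency-review.yml, dotnet.yml, package.yml and scorecard.yml. Because `>` introduces a folded block scalar, a `#` line inside it is passed to the action as part of the value rather than treated as a comment, so the provenance has to go above the key, e.g. `# Each host below is required by a step in this job; extend this list when a step changes rather than relaxing egress-policy.` These lists look as if they were derived from the previous `egress-policy: audit` runs, and audit only records hosts reached on the runs that were observed, so a step that executes only on some triggers (the `schedule` run, or a push to `main`) may still contact a host that is not listed and now fail under `block`. Worth exercising each workflow once per trigger before relying on it.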
@@ -16,12 +16,17 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: Harden Runner + - name: 🛡️ Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + api.securityscorecards.dev:443 + github.com:443 - - name: 'Checkout Repository' + - name: 🛒 Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - - name: 'Dependency Review' + - name: 🔍 Dependency Review uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml index 472de18..cc690f4 100644 --- a/.github/workflows/dotnet.yml +++ b/.github/workflows/dotnet.yml @@ -13,6 +13,7 @@ env: DOTNET_GENERATE_ASPNET_CERTIFICATE: false DOTNET_NOLOGO: true DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + DOTNET_CLI_TELEMETRY_OPTOUT: true permissions: contents: read @@ -26,7 +27,20 @@ jobs: - name: 🛡️ Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + aka.ms:443 + api.codecov.io:443 + api.nuget.org:443 + auth.docker.io:443 + cli.codecov.io:443 + dotnetcli.azureedge.net:443 + github.com:443 + objects.githubusercontent.com:443 + production.cloudflare.docker.com:443 + registry-1.docker.io:443 + storage.googleapis.com:443 - name: 🛒 Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 40c3b34..f4bda28 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -8,6 +8,7 @@ env: DOTNET_GENERATE_ASPNET_CERTIFICATE: false DOTNET_NOLOGO: true DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true + DOTNET_CLI_TELEMETRY_OPTOUT: true permissions: contents: read 
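Review bot: `storage.googleapis.com:443` and `objects.githubusercontent.com:443` in the dotnet.yml list are shared multi-tenant hosts, so the block policy narrows egress here but does not confine it to the project's own services; that residual should be recorded as an accepted trade-off rather than left implicit. The Docker Hub entries (`auth.docker.io`, `registry-1.docker.io`, `production.cloudflare.docker.com`) and the Codecov entries are presumably needed by steps outside the hunk, and a comment above the `allowed-endpoints:` key (not inside the folded scalar) naming them keeps the list reviewable, e.g. `# Docker Hub hosts: image pulls in the test step; Codecov + storage.googleapis.com: coverage upload (shared GCS host, accepted)` adjusted to the actual steps. The enclosing job definition starts and ends outside the hunk, so which step drives each host cannot be checked from here.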
@@ -21,7 +22,14 @@ jobs: - name: 🛡️ Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + aka.ms:443 + api.nuget.org:443 + dotnetcli.azureedge.net:443 + github.com:443 + www.nuget.org:443 - name: 🛒 Checkout uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 41dcbaa..1e77093 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,7 +34,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + api.securityscorecards.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: "Checkout code" uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
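Review bot: The step names in the scorecard.yml hunk stay as `Harden Runner` and `"Checkout code"`, while the same commit renames the corresponding steps in dependency-review.yml to `🛡️ Harden Runner` and `🛒 Checkout` to match the other workflows; renaming them here as well, `- name: 🛡️ Harden Runner` and `- name: 🛒 Checkout`, keeps the naming convention uniform across the set. This list is also the widest of the six (ten hosts, including the sigstore and OSV endpoints), and some of those are presumably only contacted on the scheduled publishing run, so it is the one most worth confirming against a scheduled run in addition to a push run.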