diff --git a/.github/codeql/extensions/codeql-pack.yml b/.github/codeql/extensions/codeql-pack.yml index 8b1378917..e69de29bb 100644 --- a/.github/codeql/extensions/codeql-pack.yml +++ b/.github/codeql/extensions/codeql-pack.yml @@ -1 +0,0 @@ - diff --git a/.github/workflows/azure-webapps-node.yml b/.github/workflows/azure-webapps-node.yml index 54ac6dc18..89a443626 100644 --- a/.github/workflows/azure-webapps-node.yml +++ b/.github/workflows/azure-webapps-node.yml @@ -31,11 +31,16 @@ jobs: working-directory: ${{ env.APP_PATH }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODE_VERSION }} cache: npm @@ -67,7 +72,7 @@ jobs: ./ ../_deploy/ - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: node-app path: apps/_deploy @@ -86,8 +91,13 @@ jobs: url: ${{ steps.deploy.outputs.webapp-url }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Download build artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: node-app path: . @@ -96,7 +106,7 @@ jobs: # Fallback shown here: existing publish profile secret - name: Deploy id: deploy - uses: azure/webapps-deploy@v3 + uses: azure/webapps-deploy@02a81bead70021f5284939794bcec79c271ab383 # v3.0.8 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml index 3d2a71b17..6b5ca1527 100644 --- a/.github/workflows/dependabot-auto-approve.yml +++ b/.github/workflows/dependabot-auto-approve.yml @@ -19,9 +19,14 @@ jobs: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Bryan-Roe/Aria' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 + uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-auto-label.yml b/.github/workflows/dependabot-auto-label.yml index 6aa617a17..b3f4186a8 100644 --- a/.github/workflows/dependabot-auto-label.yml +++ b/.github/workflows/dependabot-auto-label.yml @@ -16,9 +16,14 @@ jobs: if: github.event.pull_request.user.login == 'dependabot[bot]' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Fetch Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 + uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index f6182dbe9..842d538fd 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -18,9 +18,14 @@ jobs: if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Bryan-Roe/Aria' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 + uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/dependabot-fetch-metadata.yml b/.github/workflows/dependabot-fetch-metadata.yml index f408c76d4..18114fa9c 100644 --- a/.github/workflows/dependabot-fetch-metadata.yml +++ b/.github/workflows/dependabot-fetch-metadata.yml @@ -22,9 +22,14 @@ jobs: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Bryan-Roe/Aria' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Fetch Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0 + uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 64b0685e2..38e961430 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -23,11 +23,16 @@ jobs: timeout-minutes: 15 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" cache: "pip" diff --git a/.github/workflows/github_workflows_validate-workflows.yml b/.github/workflows/github_workflows_validate-workflows.yml index 2d9e97d3f..19b413cab 100644 --- a/.github/workflows/github_workflows_validate-workflows.yml +++ b/.github/workflows/github_workflows_validate-workflows.yml @@ -14,6 +14,11 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Run actionlint - uses: raven-actions/actionlint@v2 + uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2.2.0 diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index 96a5d383d..768745957 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -31,8 +31,13 @@ jobs: runs-on: windows-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -46,11 +51,11 @@ jobs: # Run open source static analysis tools - name: Run OSSAR - uses: github/ossar-action@v1 + uses: github/ossar-action@786a16a90ba92b4ae6228fe7382fb16ef5c51000 # v1 id: ossar # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 197b001e7..ef4312eb7 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -272,6 +272,11 @@ jobs: permissions: contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Enforce required checks run: | set -euo pipefail diff --git a/tests/test_workflow_lint_blockers.py b/tests/test_workflow_lint_blockers.py index 72cfb1418..43975f115 100644 --- a/tests/test_workflow_lint_blockers.py +++ b/tests/test_workflow_lint_blockers.py @@ -5,7 +5,6 @@ import pytest import yaml - pytestmark = pytest.mark.unit diff --git a/tests/test_workflow_yamllint_regressions.py b/tests/test_workflow_yamllint_regressions.py index ca4e34e28..b743e90ab 100644 --- a/tests/test_workflow_yamllint_regressions.py +++ b/tests/test_workflow_yamllint_regressions.py @@ -5,7 +5,6 @@ import pytest import yaml - REPO_ROOT = Path(__file__).resolve().parents[1] @@ -54,8 +53,6 @@ def test_ossar_workflow_steps_and_branch_spacing_regression() -> None: def test_summary_workflow_has_no_trailing_whitespace() -> None: content = _read(".github/workflows/summary.yml") trailing_ws_lines = [ - line_number - for line_number, line in enumerate(content.splitlines(), start=1) - if line != line.rstrip(" \t") + line_number for line_number, line in enumerate(content.splitlines(), start=1) if line != line.rstrip(" \t") ] assert not trailing_ws_lines, f"Trailing whitespace found on lines: {trailing_ws_lines}"