Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .github/codeql/extensions/codeql-pack.yml
Original file line number Diff line number Diff line change
@@ -1 +0,0 @@

20 changes: 15 additions & 5 deletions .github/workflows/azure-webapps-node.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,11 +31,16 @@ jobs:
working-directory: ${{ env.APP_PATH }}

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand Down Expand Up @@ -67,7 +72,7 @@ jobs:
./ ../_deploy/

- name: Upload artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: node-app
path: apps/_deploy
Expand All @@ -86,8 +91,13 @@ jobs:
url: ${{ steps.deploy.outputs.webapp-url }}

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Download build artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: node-app
path: .
Expand All @@ -96,7 +106,7 @@ jobs:
# Fallback shown here: existing publish profile secret
- name: Deploy
id: deploy
uses: azure/webapps-deploy@v3
uses: azure/webapps-deploy@02a81bead70021f5284939794bcec79c271ab383 # v3.0.8
with:
app-name: ${{ env.AZURE_WEBAPP_NAME }}
publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependabot-auto-approve.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,14 @@ jobs:
github.event.pull_request.user.login == 'dependabot[bot]' &&
github.repository == 'Bryan-Roe/Aria'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependabot-auto-label.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,14 @@ jobs:
if: github.event.pull_request.user.login == 'dependabot[bot]'

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,14 @@ jobs:
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'Bryan-Roe/Aria'

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7
uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/dependabot-fetch-metadata.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,14 @@ jobs:
github.event.pull_request.user.login == 'dependabot[bot]' &&
github.repository == 'Bryan-Roe/Aria'
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"

Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/docs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,16 @@ jobs:
timeout-minutes: 15

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Setup Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: "3.11"
cache: "pip"
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/github_workflows_validate-workflows.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ jobs:
actionlint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Run actionlint
uses: raven-actions/actionlint@v2
uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2.2.0
11 changes: 8 additions & 3 deletions .github/workflows/ossar.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,13 @@ jobs:
runs-on: windows-latest

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

# Ensure a compatible version of dotnet is installed.
# The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
Expand All @@ -46,11 +51,11 @@ jobs:

# Run open source static analysis tools
- name: Run OSSAR
uses: github/ossar-action@v1
uses: github/ossar-action@786a16a90ba92b4ae6228fe7382fb16ef5c51000 # v1
id: ossar

# Upload results to the Security tab
- name: Upload OSSAR results
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@02c5e83432fe5497fd85b873b6c9f16a8578e1d9 # v3.37.0
with:
sarif_file: ${{ steps.ossar.outputs.sarifFile }}
5 changes: 5 additions & 0 deletions .github/workflows/pr-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,11 @@ jobs:
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: audit

- name: Enforce required checks
run: |
set -euo pipefail
Expand Down
1 change: 0 additions & 1 deletion tests/test_workflow_lint_blockers.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
import pytest
import yaml


pytestmark = pytest.mark.unit


Expand Down
5 changes: 1 addition & 4 deletions tests/test_workflow_yamllint_regressions.py
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
import pytest
import yaml


REPO_ROOT = Path(__file__).resolve().parents[1]


Expand Down Expand Up @@ -54,8 +53,6 @@ def test_ossar_workflow_steps_and_branch_spacing_regression() -> None:
def test_summary_workflow_has_no_trailing_whitespace() -> None:
content = _read(".github/workflows/summary.yml")
trailing_ws_lines = [
line_number
for line_number, line in enumerate(content.splitlines(), start=1)
if line != line.rstrip(" \t")
line_number for line_number, line in enumerate(content.splitlines(), start=1) if line != line.rstrip(" \t")
]
assert not trailing_ws_lines, f"Trailing whitespace found on lines: {trailing_ws_lines}"
Loading