From 73ae8cff79a5236f22c9e52fb7fc29ff0e0f046c Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Mon, 9 Jun 2025 17:52:37 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/actionlint.yml | 7 +++-- .github/workflows/changeset.yml | 2 +- .github/workflows/checks.yml | 22 +++++++------- .github/workflows/docs.yml | 2 +- .github/workflows/formal-verification.yml | 12 ++++---- .github/workflows/release-cycle.yml | 35 ++++++++++++----------- .github/workflows/upgradeable.yml | 2 +- 7 files changed, 44 insertions(+), 38 deletions(-) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index 3e42c8a269f..daf87cfa27c 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -5,14 +5,17 @@ on: paths: - '.github/**/*.ya?ml' +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Add problem matchers run: | # https://github.com/rhysd/actionlint/blob/3a2f2c7/docs/usage.md#problem-matchers curl -LO https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json echo "::add-matcher::actionlint-matcher.json" - - uses: docker://rhysd/actionlint:latest + - uses: docker://rhysd/actionlint:latest@sha256:1d74bfc9fd1963af8f89a7c22afaaafd42f49aad711a09951d02cb996398f61d diff --git a/.github/workflows/changeset.yml b/.github/workflows/changeset.yml index efc5c5347b7..6df210b7f55 100644 --- a/.github/workflows/changeset.yml +++ b/.github/workflows/changeset.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-latest if: ${{ !contains(github.event.pull_request.labels.*.name, 'ignore-changeset') }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Include history so Changesets finds merge-base - name: Set up environment 
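Review bot: The `Add problem matchers` step in the actionlint.yml hunk still downloads `actionlint-matcher.json` from the `main` branch of a third-party repository at run time, so after this commit it is the one dependency in the file that is not pinned to an immutable reference. The existing comment on that step already points at a specific upstream commit, so the fetch can be pinned the same way: `curl -LO https://raw.githubusercontent.com/rhysd/actionlint/<PINNED_COMMIT_SHA>/.github/actionlint-matcher.json`. Separately, the new `docker://rhysd/actionlint:latest@sha256:1d74bfc9fd1963af8f89a7c22afaaafd42f49aad711a09951d02cb996398f61d` keeps the `latest` tag beside the digest; the digest is what is pulled, so the tag is only a label and is misleading when it no longer matches the pinned image. It would read consistently with the other pins in this patch as `- uses: docker://rhysd/actionlint:<VERSION>@sha256:1d74bfc9fd1963af8f89a7c22afaaafd42f49aad711a09951d02cb996398f61d # <VERSION>`, where `<VERSION>` is the release the digest was taken from.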
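Review bot: No top-level `permissions:` block is added to changeset.yml in this hunk, unlike the actionlint.yml and release-cycle.yml hunks in the same patch; the same is true of the checks.yml, docs.yml, formal-verification.yml and upgradeable.yml hunks. The heads of these files are outside the hunks, so if they already declare workflow-level permissions this is moot; if they do not, the repository's default `GITHUB_TOKEN` grants apply to every job, which is the main exposure SHA-pinning alone does not reduce. A read-only default of `permissions:` / `  contents: read` at the top of each file, with job-level grants only where a job writes (the docs and upgradeable workflows appear to push, so those jobs would need an explicit `contents: write` or whatever token they already use), would match the stated intent of the commit.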
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 6aca7f30cb4..8b0f59ae3ca 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -20,7 +20,7 @@ jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - run: npm run lint @@ -34,7 +34,7 @@ jobs: CI: true GAS: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - name: Run tests and generate gas report @@ -55,7 +55,7 @@ jobs: env: FORCE_COLOR: 1 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Include history so patch conflicts are resolved automatically - name: Set up environment @@ -81,7 +81,7 @@ jobs: tests-foundry: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - name: Set up environment @@ -92,19 +92,19 @@ jobs: coverage: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - name: Run coverage run: npm run coverage - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} harnesses: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - name: Compile harnesses 
@@ -115,17 +115,17 @@ jobs: slither: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - - uses: crytic/slither-action@v0.4.1 + - uses: crytic/slither-action@4fd765aeef19915d04ddf0be90c2930036a774d8 # v0.4.1 codespell: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run CodeSpell - uses: codespell-project/actions-codespell@v2.1 + uses: codespell-project/actions-codespell@406322ec52dd7b488e48c1c4b82e2a8b3a1bf630 # v2.1 with: check_hidden: true check_filenames: true diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 04b8131cbcb..d505c855657 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -11,7 +11,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - run: bash scripts/git-user-config.sh diff --git a/.github/workflows/formal-verification.yml b/.github/workflows/formal-verification.yml index 86acca7f32b..b03b264c26d 100644 --- a/.github/workflows/formal-verification.yml +++ b/.github/workflows/formal-verification.yml @@ -20,7 +20,7 @@ jobs: apply-diff: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Apply patches run: make -C certora apply @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-latest if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'formal-verification') steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up environment 
@@ -44,7 +44,7 @@ jobs: fi echo "result=$RESULT" >> "$GITHUB_OUTPUT" - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.PIP_VERSION }} cache: 'pip' @@ -52,7 +52,7 @@ jobs: - name: Install python packages run: pip install -r fv-requirements.txt - name: Install java - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: temurin java-version: ${{ env.JAVA_VERSION }} @@ -71,11 +71,11 @@ jobs: halmos: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - name: Install python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.PIP_VERSION }} cache: 'pip' diff --git a/.github/workflows/release-cycle.yml b/.github/workflows/release-cycle.yml index 02d5478336d..8a32f55b1b4 100644 --- a/.github/workflows/release-cycle.yml +++ b/.github/workflows/release-cycle.yml @@ -20,6 +20,9 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: + contents: read + jobs: state: name: Check state @@ -27,12 +30,12 @@ jobs: pull-requests: read runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - id: state name: Get state - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: TRIGGERING_ACTOR: ${{ github.triggering_actor }} with: 
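Review bot: Pinning `actions/setup-python` and `actions/setup-java` to commit SHAs in these formal-verification.yml hunks does not cover the `run: pip install -r fv-requirements.txt` step shown two lines above the `Install java` step, which still resolves packages from the index at run time. If `fv-requirements.txt` does not already carry `--hash` entries for every package, that step is now the remaining unpinned part of the verification toolchain; `run: pip install --require-hashes -r fv-requirements.txt` with a hash-pinned requirements file would close it. The `halmos` job's body continues past the `@@ -71` hunk, so whether it has an equivalent install step cannot be judged from the patch.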
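Review bot: The new top-level `permissions:` / `  contents: read` in the release-cycle.yml `@@ -20` hunk becomes the ceiling for every job that does not declare its own `permissions:` block, and several jobs in this file need more than that: the `git push -f origin "$MERGE_BRANCH"` and `github.rest.pulls.create` in the `@@ -202` hunk need `contents: write` and `pull-requests: write`, `changesets/action` in the `@@ -102` hunk opens a PR with `secrets.GITHUB_TOKEN`, and `NPM_CONFIG_PROVENANCE: true` in the `@@ -156` hunk requires `id-token: write`. Only the `state` job's `pull-requests: read` is visible in the patch; if the other jobs have no job-level permissions, this commit turns those steps into 403 failures on the next release run rather than a hardening. Each writing job should carry an explicit block, for example `permissions:` / `  contents: write` / `  pull-requests: write` on the merge-back job, while the workflow-level default stays `contents: read`.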
@@ -58,7 +61,7 @@ jobs: if: needs.state.outputs.start == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - run: bash scripts/git-user-config.sh @@ -66,7 +69,7 @@ jobs: name: Create branch with release candidate run: bash scripts/release/workflow/start.sh - name: Re-run workflow - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: REF: ${{ steps.start.outputs.branch }} with: @@ -81,7 +84,7 @@ jobs: if: needs.state.outputs.promote == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - run: bash scripts/git-user-config.sh @@ -89,7 +92,7 @@ jobs: if: needs.state.outputs.is_prerelease == 'true' run: bash scripts/release/workflow/exit-prerelease.sh - name: Re-run workflow - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: await require('./scripts/release/workflow/rerun.js')({ github, context }) 
@@ -102,18 +105,18 @@ jobs: if: needs.state.outputs.changesets == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # To get all tags - name: Set up environment uses: ./.github/actions/setup - name: Set release title - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: result-encoding: string script: await require('./scripts/release/workflow/set-changesets-pr-title.js')({ core }) - name: Create PR - uses: changesets/action@v1 + uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PRERELEASE: ${{ needs.state.outputs.is_prerelease }} @@ -135,7 +138,7 @@ jobs: if: needs.state.outputs.publish == 'true' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up environment uses: ./.github/actions/setup - id: pack @@ -144,7 +147,7 @@ jobs: env: PRERELEASE: ${{ needs.state.outputs.is_prerelease }} - name: Upload tarball artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: ${{ github.ref_name }} path: ${{ steps.pack.outputs.tarball }} @@ -156,7 +159,7 @@ jobs: TAG: ${{ steps.pack.outputs.tag }} NPM_CONFIG_PROVENANCE: true - name: Create Github Release - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 env: PRERELEASE: ${{ needs.state.outputs.is_prerelease }} with: 
@@ -169,10 +172,10 @@ jobs: name: Tarball Integrity Check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download tarball artifact id: artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ github.ref_name }} - name: Check integrity @@ -191,7 +194,7 @@ jobs: env: MERGE_BRANCH: merge/${{ github.ref_name }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # All branches - name: Set up environment @@ -202,7 +205,7 @@ jobs: git checkout -B "$MERGE_BRANCH" "$GITHUB_REF_NAME" git push -f origin "$MERGE_BRANCH" - name: Create PR back to master - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | await github.rest.pulls.create({ diff --git a/.github/workflows/upgradeable.yml b/.github/workflows/upgradeable.yml index 46bf15a4ea3..3a3af3198e3 100644 --- a/.github/workflows/upgradeable.yml +++ b/.github/workflows/upgradeable.yml @@ -11,7 +11,7 @@ jobs: environment: push-upgradeable runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: OpenZeppelin/openzeppelin-contracts-upgradeable fetch-depth: 0