diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 35c1867cb..3fb500d26 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -25,27 +25,32 @@ jobs:
           - ""
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # https://github.com/dtolnay/rust-toolchain
       - name: Setup rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
         with:
           toolchain: ${{ matrix.toolchain }}
           components: "rustfmt,clippy"
 
       # https://github.com/swatinem/rust-cache
-      - name: Run Swatinem/rust-cache@v2
+      - name: Run Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         if: ${{ !env.ACT }}
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
 
       # https://github.com/Mozilla-Actions/sccache-action
       - name: Run sccache-action
         if: ${{ !env.ACT }}
-        uses: mozilla-actions/sccache-action@v0.0.9
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
       - name: Set sccache env vars
         if: ${{ !env.ACT }}
@@ -54,7 +59,7 @@ jobs:
           echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
 
       - name: Install Foundry toolchain
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
         with:
           version: nightly
 
diff --git a/.github/workflows/checks_docker.yaml b/.github/workflows/checks_docker.yaml
index bb0a6b9b8..a0f132ef2 100644
--- a/.github/workflows/checks_docker.yaml
+++ b/.github/workflows/checks_docker.yaml
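Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks nothing, so the step adds visibility but no enforcement until the policy is moved to `block` with an `allowed-endpoints:` list derived from the audit data; the same applies to every harden-runner step this commit adds in checks_docker.yaml, docker_build.yaml and release.yaml. Separately, the rust-cache step's `name:` line was rewritten along with its `uses:` line, so the title shown in the Actions UI is now the 40-character commit hash (the trailing `# v2.7.8` is a YAML comment, not part of the name) and will churn on every pin bump; keep it stable with `- name: Run Swatinem/rust-cache` and let the comment on the `uses:` line carry the version. The enclosing job continues outside the hunk.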
@@ -7,23 +7,31 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   build-docker:
     name: Build Docker image
     runs-on: warp-ubuntu-latest-x64-32x
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Docker QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: Docker Build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/.github/workflows/docker_build.yaml b/.github/workflows/docker_build.yaml
index 1e619ca3b..5cc389967 100644
--- a/.github/workflows/docker_build.yaml
+++ b/.github/workflows/docker_build.yaml
@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "0 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   extract-version:
     name: Extract version
@@ -12,6 +15,11 @@ jobs:
     outputs:
       VERSION: ${{ steps.extract_version.outputs.VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Extract version
         id: extract_version
         run: |
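Review bot: The harden-runner step is added to a job whose `runs-on: warp-ubuntu-latest-x64-32x` is a third-party runner image rather than a GitHub-hosted one, and as far as I know the action's agent is documented for GitHub-hosted runners (self-hosted support being a separate tier); confirm it is supported on these WarpBuild images, and on the `warp-ubuntu-latest-arm64-16x` runners used by the docker jobs in docker_build.yaml and release.yaml, before relying on its audit output, otherwise the step may fail or silently record nothing. If it turns out to be unsupported there, guarding the step with an `if:` or omitting it on those jobs is preferable to a red check that reviewers learn to ignore. The top-level `permissions: contents: read` added above `jobs:` is the right default for this build-only workflow.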
@@ -47,17 +55,22 @@ jobs:
           - target: linux/arm64
             runner: warp-ubuntu-latest-arm64-16x
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: docker qemu
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: docker buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: docker metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         id: meta
         with:
           images: ghcr.io/${{ github.repository }}
@@ -67,14 +80,14 @@ jobs:
             type=schedule,pattern=nightly
 
       - name: docker login
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: docker build and push op-rbuilder
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d639bfc3d..ed2068aa6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,6 +31,9 @@ on:
         required: false
         type: choice
 
+permissions:
+  contents: read
+
 jobs:
   extract-version:
     name: Extract version
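Review bot: The `docker login` step authenticates to ghcr.io with `secrets.GITHUB_TOKEN` and the following `docker build and push op-rbuilder` step presumably pushes, but this same commit adds a top-level `permissions: contents: read` to docker_build.yaml, which removes the token's default `packages: write`; unless the job owning these steps declares its own `permissions:` block with `packages: write` (that block, if it exists, is outside the hunk), the push will be denied after this change. The same check applies to the release.yaml docker job in the `@@ -193` hunk, which has the identical login/push pair under a newly added top-level `contents: read`. If the job-level override is missing, add `permissions:` / `  contents: read` / `  packages: write` to that job rather than widening the workflow-level block.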
@@ -38,6 +41,11 @@ jobs:
     outputs:
       VERSION: ${{ steps.extract_version.outputs.VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Extract version
         id: extract_version
         run: |
@@ -81,6 +89,11 @@ jobs:
           - ${{ github.event.inputs.features || '' }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Install dependencies
         run: |
           apt-get update
@@ -94,7 +107,7 @@ jobs:
             protobuf-compiler
           curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 
-      - uses: actions/checkout@v4 # must install git before checkout and set safe.directory after checkout because of container
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Build op-rbuilder binary
         run: |
@@ -103,7 +116,7 @@ jobs:
           cargo build --release --features=${{ matrix.features }} --target ${{ matrix.configs.target }} --package op-rbuilder
 
       - name: Upload op-rbuilder artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: op-rbuilder-${{ needs.extract-version.outputs.VERSION }}-${{ matrix.configs.target }}${{ matrix.features && '-' }}${{ matrix.features }}
           path: target/${{ matrix.configs.target }}/release/op-rbuilder
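Review bot: The replacement `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` line in the `@@ -94` hunk drops the comment `# must install git before checkout and set safe.directory after checkout because of container`, which was the only explanation of why the checkout step sits after the dependency-install step and why `safe.directory` is configured later; the ordering constraint is unchanged by this commit, so restore the text as a comment line directly above the step, `# must install git before checkout and set safe.directory after checkout because of container`, and leave the `# v4.2.2` pin comment alone so pin-update tooling keeps matching the `uses:` line. That comment also records that the job runs in a container, which is consistent with the `apt-get update` run without sudo in the `@@ -81` hunk; if so, confirm the harden-runner step added in that hunk is supported for container jobs on this runner, since as I understand it its agent runs on the runner host rather than inside the job container. The enclosing job starts and ends outside these hunks.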
@@ -118,11 +131,16 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           merge-multiple: true
           path: artifacts
@@ -135,7 +153,7 @@ jobs:
           cat sha256sums.txt
 
       - name: Create release draft
-        uses: softprops/action-gh-release@v2.0.5
+        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
         id: create-release-draft
         with:
           draft: true
@@ -168,17 +186,22 @@ jobs:
           - target: linux/arm64
             runner: warp-ubuntu-latest-arm64-16x
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: docker qemu
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
       - name: docker buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
       - name: docker metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         id: meta
         with:
           images: ghcr.io/${{ github.repository }}
@@ -193,14 +216,14 @@ jobs:
             type=raw,value=latest,enable=${{ !contains(env.VERSION, '-') }}
 
       - name: docker login
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: docker build and push op-rbuilder
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           cache-from: type=gha
           cache-to: type=gha,mode=max