From 0b88815d3c2e859c9a99ceb207220dcdd8d59e0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Mon, 8 Apr 2024 13:45:04 +0200
Subject: [PATCH 1/4] Add dependabot for automated dependency updates

Dependabot will perform weekly checks of the Github actions used in CI. When a newer version is found a pull request is opened to suggest a lift.
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..05d9265
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# Automated dependency updates.
+#
+# For configuration options see:
+# https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10

From ee0381a0eba593921af5a237f675df5139489e23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Mon, 8 Apr 2024 13:46:51 +0200
Subject: [PATCH 2/4] Pin versions of Github actions in CI

Version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead. Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

Includes version lift of:
- actions/checkout
- coverallsapp/github-action
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/coverity.yml | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 90adbd6..4fb671b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ jobs:
 run: |
 sudo apt update -qq
 sudo apt install -qq check lcov
- - uses: actions/checkout@v2
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Build
 run: |
 ./autogen.sh
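Review bot: The `# https://docs.github.com/en/github/administering-a-repository/...` line in the new file's header comment points at the legacy docs path, which as far as I can tell only resolves through a redirect today. I would update it to the current location, `# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file`, so the comment does not rot once that redirect is dropped. It is also worth one extra line in the same comment noting that, as far as I know, the `github-actions` ecosystem also bumps SHA-pinned `uses:` lines and refreshes their trailing `# vX.Y.Z` comment, since that is what keeps hash pinning maintainable for the workflows in this repository.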
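Review bot: The new pinned `actions/checkout` line keeps the action's default `persist-credentials: true`, so the job's `GITHUB_TOKEN` is written into `.git/config` and stays readable by every later step in the job, including the third-party coverage upload action further down this file. Nothing in the visible steps pushes back to the repository, so the three checkout steps touched in this file can take `with:` / `persist-credentials: false` directly under the `uses:` line. Pinning fixes which action code runs; this flag limits what that code can reach, and in a hardening change like this one the two belong together.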
@@ -23,7 +23,7 @@ jobs: run: lcov --capture -d '.' --exclude '/usr*' -o coverage.info - name: Upload coverage if: github.repository == 'c9s/r3' - uses: coverallsapp/github-action@1.1.3 + uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3 with: github-token: ${{ secrets.GITHUB_TOKEN }} path-to-lcov: coverage.info @@ -35,7 +35,7 @@ jobs: run: | sudo apt update -qq sudo apt install -qq check ninja-build - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build and test run: | mkdir build && cd build @@ -56,7 +56,7 @@ jobs: run: | sudo apt update -qq sudo apt install -qq check - - uses: actions/checkout@v2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Build env: CC: ${{ matrix.compiler }} diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 7ba136d..4361996 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -9,12 +9,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Prepare run: | ./autogen.sh ./configure --enable-check - - uses: vapier/coverity-scan-action@v1 + - uses: vapier/coverity-scan-action@2068473c7bdf8c2fb984a6a40ae76ee7facd7a85 # v1.8.0 with: project: r3 email: yoanlin93+github@gmail.com From 9d75e6c1119d39de7948b74b57a40a391bcb6768 Mon Sep 17 00:00:00 2001 
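Review bot: The SHA pin on `vapier/coverity-scan-action` (like the one on the coveralls action earlier in this patch) fixes only the action's own code, not what it fetches while running — as far as I know the Coverity action downloads the build tool from scan.coverity.com on every run and the coveralls v2 action pulls its reporter binary — so the commit message's "its behavior is guaranteed" is stronger than what the pin delivers. I would record that limit beside the pin, e.g. `# pinned by SHA; the Coverity tool it downloads at run time is not`, so the hash is not read as a complete supply-chain guarantee. The step's `with:` block continues outside the hunk, so I cannot confirm that the scan token is read from `secrets` rather than being a literal like the `email:` value visible here; it should be.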
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Mon, 8 Apr 2024 13:49:57 +0200
Subject: [PATCH 3/4] Set read-only permission for Github Actions in CI

This sets the default permission for CI workflows to only be able to read from the repository (scope: "contents"). A compromised action will not be able to modify the repo or even steal secrets since all other permission-scopes are implicit set to "none", i.e. not permitted.

More about permissions and scope can be found here:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/coverity.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4fb671b..fe02b75 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,6 +1,9 @@
 name: ci
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 autotools:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 4361996..f5feece 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -3,6 +3,9 @@ on:
 push:
 branches: [2.0]
+permissions:
+ contents: read
+
 jobs:
 analyze:
 if: github.repository == 'c9s/r3'

From c38bf93720cbe2a57da136aca9e8ab8aa3516537 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Mon, 8 Apr 2024 14:50:58 +0200
Subject: [PATCH 4/4] Update coveralls options required in v2

Option 'path-to-lcov' is deprecated, using 'file' instead. Using option 'format' to set coverage report format.
---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fe02b75..ce8e90d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
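Review bot: The added top-level `permissions:` / `contents: read` constrains only the automatic `GITHUB_TOKEN`, so the commit message's claim that a compromised action cannot "steal secrets" goes further than the change does: any secret the workflow passes explicitly — in this file `${{ secrets.GITHUB_TOKEN }}` handed to the coveralls step, and whatever token the Coverity step receives — remains readable by the action that gets it. A comment above the block would keep the next reader from over-trusting it: `# Least-privilege default for the workflow's GITHUB_TOKEN. Secrets passed to individual steps are not covered by this.` Note too that a job-level `permissions:` can still widen this default, so the `jobs:` entries below deserve the same scrutiny on later changes.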
@@ -29,7 +29,8 @@ jobs:
 uses: coverallsapp/github-action@3dfc5567390f6fa9267c0ee9c251e4c8c3f18949 # v2.2.3
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
- path-to-lcov: coverage.info
+ file: coverage.info
+ format: lcov
 cmake:
 runs-on: ubuntu-latest