From 0daec68e8361f6dd35b8363cf539b7ff8983c203 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabr=C3=ADcio=20Godoy?=
Date: Wed, 16 Oct 2024 22:07:58 -0300
Subject: [PATCH] ci: Improve pipeline security (#346)
- Pinpoint NBGV version
- Remove unused configure-pages action
- Give write permission only to deploy-pages action
- Run CodeQL for every pull request
---
 .config/dotnet-tools.json | 10 +++++++++-
 .github/workflows/codeql.yml | 1 -
 .github/workflows/create-tag.yml | 4 ++--
 .github/workflows/docs.yml | 8 +++-----
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
index b06f46f9..929eb402 100644
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -6,7 +6,15 @@
 "version": "4.0.6",
 "commands": [
 "dotnet-stryker"
- ]
+ ],
+ "rollForward": false
+ },
+ "nbgv": {
+ "version": "3.6.143",
+ "commands": [
+ "nbgv"
+ ],
+ "rollForward": false
 }
 }
 }
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bf6f8653..b00f74b5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,7 +17,6 @@ on:
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [ "main" ]
- paths: [ "src/**", "tests/**", "docs/**", '.github/workflows/codeql.yml' ]
 schedule:
 - cron: '28 20 * * 1'
diff --git a/.github/workflows/create-tag.yml b/.github/workflows/create-tag.yml
index c889dc11..bef47491 100644
--- a/.github/workflows/create-tag.yml
+++ b/.github/workflows/create-tag.yml
@@ -41,10 +41,10 @@ jobs:
 global-json-file: global.json
 - name: 🛠️ Setup Nerdbank.GitVersioning
- run: dotnet tool install --tool-path . nbgv
+ run: dotnet tool restore
 - name: 🏷️ Tag release
- run: ./nbgv tag
+ run: dotnet nbgv tag
 - name: 🚀 Push Git tags
 run: git push --tags
\ No newline at end of file
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index c8b11e07..0a31608a 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
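Review bot: The new `nbgv` entry pins an exact version and sets `"rollForward": false`, but a tool manifest carries no package hash, so `dotnet tool restore` will still accept whatever package a configured NuGet feed serves as `nbgv` 3.6.143. No `nuget.config` is visible in this patch; if the repository has none, consider adding one that lists only nuget.org and maps both `nbgv` and `dotnet-stryker` to it with `packageSourceMapping`, so a stray or additional feed cannot substitute the tool that later tags releases. The same consideration applies to the `dotnet-stryker` entry this hunk brings into line.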
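Review bot: The step still named `🛠️ Setup Nerdbank.GitVersioning` now runs `dotnet tool restore`, which restores every entry in `.config/dotnet-tools.json` — after this patch that includes `dotnet-stryker`, which the tag job never uses — so the name understates what the step does and the release path downloads an extra tool. I'd rename it to `- name: 🛠️ Restore .NET tools`; as far as I know `dotnet tool restore` has no per-tool selector, so if the extra download matters the job could point `--tool-manifest` at a separate manifest holding only nbgv. The `git push --tags` line is context, and the job's checkout and `permissions` are outside this hunk, so I cannot confirm from here that the job still has the `contents: write` scope and full history that `dotnet nbgv tag` and the push need.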
@@ -8,11 +8,8 @@ on:
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
 contents: read
- pages: write
- id-token: write
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -48,8 +45,6 @@ jobs:
 node-version: 20
 cache: npm
 cache-dependency-path: docs/package-lock.json
- - name: 🌐 Setup Pages
- uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 - name: 📥 Install dependencies
 run: npm ci
 - name: 🏗️ Build with VitePress
@@ -68,6 +63,9 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }}
 needs: build
 runs-on: ubuntu-latest
+ permissions:
+ pages: write # to deploy to Pages
+ id-token: write # to verify the deployment originates from an appropriate source
 name: Deploy
 steps:
 - name: 🛡️ Harden Runner
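Review bot: A job-level `permissions` block replaces the workflow-level one rather than merging with it, so the deploy job's token now has `pages: write` and `id-token: write` and no `contents` scope at all — the workflow-level `contents: read` no longer applies to this job. `actions/deploy-pages` does not need `contents`, so this is the least-privilege result for the deploy step itself, but if any other step in this job checks out or otherwise reads the repository through `GITHUB_TOKEN` (the remaining steps are outside this hunk) it will now fail and `contents: read` should be added to this block explicitly. A one-line comment would save the next reader the lookup: `permissions: # replaces the workflow-level block; deploy-pages needs no contents scope`.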