From 75ec301e0c810486e92686b035aab1ad386d8ddd Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Tue, 21 May 2024 14:36:39 -0400
Subject: [PATCH 1/2] update security checks

---
 .github/workflows/docker-testing.yml | 9 +++---
 .github/workflows/main.yml | 44 +++++++++++++++++++++-------
 README.rst | 2 +-
 3 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/docker-testing.yml b/.github/workflows/docker-testing.yml
index 2b09fabf..b02ecb68 100644
--- a/.github/workflows/docker-testing.yml
+++ b/.github/workflows/docker-testing.yml
@@ -11,9 +11,10 @@ jobs:
 name: Build Docker image
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: docker/setup-buildx-action@v3
- - uses: docker/build-push-action@v4
+ - name: Checkout Repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
 with:
 context: .
 file: "Dockerfile"
@@ -22,7 +23,7 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 push: false
- - uses: addnab/docker-run-action@v3
+ - uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3.0.0
 with:
 image: localpytest:latest
 options: -p 9099:9099
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9df33555..667a1aee 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,7 +3,7 @@ name: raven-wps Testing
 on:
 push:
 branches:
- - master
+ - main
 pull_request:

 env:
@@ -14,6 +14,9 @@ concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

+permissions:
+ contents: read
+
 jobs:
 black:
 name: Code linting
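Review bot: The build job in docker-testing.yml is now pinned to SHAs but still runs with the repository's default token permissions, because this file gets none of the `permissions:` block that the same patch adds to main.yml; the second patch's hunk shows `on:` at line 3 and `jobs:` at line 9 with only the `name:` line above, so the workflow appears to have no top-level `permissions:` at all. Adding `permissions:` with `contents: read` above `jobs:` (and, for parity with main.yml, a step-security/harden-runner step before the checkout) would close that gap, and `push: false` in the next hunk shows the job needs no write scope. The two docker/* steps also remain unnamed while the checkout step gained `name: Checkout Repository`; naming them keeps the job log consistent. The `with:` block of build-push-action continues past the end of the hunk.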
@@ -22,12 +25,19 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
 with:
- egress-policy: audit
- - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+ - name: Checkout Repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ - name: Set up Python${{ matrix.python-version }}
+ uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
 with:
 python-version: "3.x"
- - uses: pre-commit/action@v3.0.1
+ - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

 conda:
 name: Conda (Python${{ matrix.python-version }}; ${{ matrix.os }})
@@ -46,16 +56,28 @@ jobs:
 - "3.11"
 - "3.12"
 include:
- - os: macos-latest
+ - os: "macos-latest"
 python-version: "3.10"
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
 with:
- egress-policy: audit
- - uses: actions/checkout@v4
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ cdn.proj.org:443
+ conda.anaconda.org:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pavics.ouranos.ca:443
+ pypi.org:443
+ raw.githubusercontent.com:443
+ repo.anaconda.com:443
+ - name: Checkout Repository
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
- uses: mamba-org/setup-micromamba@v1
+ uses: mamba-org/setup-micromamba@422500192359a097648154e8db4e39bdb6c6eed7 # v1.8.1
 with:
 cache-downloads: true
 cache-environment: true
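Review bot: The new step name `Set up Python${{ matrix.python-version }}` sits in the black job, which has no matrix — `python-version: "3.x"` is a literal two lines below — so the expression expands to nothing and the log shows "Set up Python"; `- name: Set up Python` says the same without the dangling expression. Separately, switching to `egress-policy: block` turns every unlisted host into a hard failure instead of an audit entry, and this three-host list omits `objects.githubusercontent.com:443`, which the conda job's list in the next hunk does include; if setup-python ever has to download a 3.x build that is not in the runner's toolcache, that fetch would presumably be blocked. Running both jobs once more under the old `egress-policy: audit` and copying the observed hosts into the two lists would confirm they are complete. The `black:` job header lies above the hunk.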
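Review bot: The nine hosts under `allowed-endpoints` in the conda job carry no indication of which step each one serves, so a reader cannot tell whether, say, `raw.githubusercontent.com:443` or `cdn.proj.org:443` is needed by micromamba, by pip, or by the test suite, and nobody can safely prune the list later. A short comment per host group belongs above the `allowed-endpoints:` key — above it, not inside, because a `#` line within the folded `>` scalar becomes part of the value harden-runner receives. Whether `mamba-org/setup-micromamba` fetches the micromamba binary from one of these hosts is not visible here; if it uses another host, `egress-policy: block` would fail the step, so one audit-mode run of this job before merging is worth doing. The `conda:` job header and its matrix start above the hunk.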
@@ -64,8 +86,8 @@ jobs:
 python=${{ matrix.python-version }}
 - name: Conda and Mamba versions
 run: |
- conda --version
- echo "micromamba: $(micromamba --version)"
+ conda --version
+ echo "micromamba: $(micromamba --version)"
 - name: Install RavenWPS
 run: |
 python -m pip install --no-user --editable ".[dev]"
diff --git a/README.rst b/README.rst
index a157f2b2..684731a5 100644
--- a/README.rst
+++ b/README.rst
@@ -10,7 +10,7 @@ Raven : Hydrological modeling and analytics
 :alt: Build status

 .. image:: https://img.shields.io/github/license/Ouranosinc/raven.svg
- :target: https://github.com/Ouranosinc/raven/blob/master/LICENSE.txt
+ :target: https://github.com/Ouranosinc/raven/blob/main/LICENSE.txt
 :alt: GitHub license

 .. image:: https://badges.gitter.im/bird-house/birdhouse.svg

From 2be4879bdcf7f250c21f89a9785996b09485d03b Mon Sep 17 00:00:00 2001
From: Trevor James Smith <10819524+Zeitsperre@users.noreply.github.com>
Date: Thu, 23 May 2024 09:47:12 -0400
Subject: [PATCH 2/2] Update docker-testing.yml

---
 .github/workflows/docker-testing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-testing.yml b/.github/workflows/docker-testing.yml
index b02ecb68..86c79a13 100644
--- a/.github/workflows/docker-testing.yml
+++ b/.github/workflows/docker-testing.yml
@@ -3,7 +3,7 @@ name: Docker-based Testing Suite
 on:
 push:
 branches:
- - master
+ - main
 pull_request:

 jobs: