run through stepsecurity hardener (#73)

wallies · woodruffw · di · web-flow · commit c9b177b90495 · 2022-05-12T10:46:36.000-04:00
* run through stepsecurity hardener

Signed-off-by: Cam Parry &lt;cam.parry@kapiche.com&gt;

* remove harden runner

Signed-off-by: Cam Parry &lt;cam.parry@kapiche.com&gt;

* Update .github/workflows/scorecards-analysis.yml

Co-authored-by: William Woodruff &lt;william@trailofbits.com&gt;
Co-authored-by: Dustin Ingram &lt;di@users.noreply.github.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,8 +19,8 @@ jobs:
           - "3.10"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+      - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
         with:
           python-version: ${{ matrix.python }}
       - name: deps
@@ -31,7 +31,7 @@ jobs:
   licenses:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
       # adapted from Warehouse's bin/licenses
       - run: |
           for fn in $(find . -type f -name "*.py"); do
@@ -44,8 +44,8 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+      - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
       - name: deps
         run: make dev
       - name: lint
@@ -54,8 +54,8 @@ jobs:
   check-readme:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+      - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
       - name: deps
         run: make dev
       - name: check-readme
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,9 +14,9 @@ jobs:
     name: Build, sign and publish release to PyPI
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
 
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
 
     - name: deps
       run: python -m pip install -U build
@@ -39,7 +39,7 @@ jobs:
         done
 
     - name: publish
-      uses: pypa/gh-action-pypi-publish@master
+      uses: pypa/gh-action-pypi-publish@717ba43cfbb0387f6ce311b169a825772f54d295
       with:
         user: __token__
         password: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -0,0 +1,56 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  workflow_dispatch: # Manual
+  branch_protection_rule:
+  schedule:
+    - cron: '30 4 * * 0'
+  push:
+    branches: [ main ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional).
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@7502d6e991ca767d2db617bfd823a1ed925a0d59 # v1.0.26
+        with:
+          sarif_file: results.sarif
