Update step-security/harden-runner action to v2.9.1 #615
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Build, Analyze and Test" | |
| on: [ push, pull_request ] | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: 21 | |
| - name: Dependency Review | |
| if: github.event_name == 'pull_request' | |
| uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4 | |
| - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4 | |
| with: | |
| path: ~/.m2/repository | |
| key: ${{ runner.os }}-maven | |
| restore-keys: | | |
| ${{ runner.os }}-maven | |
| - name: Collect dependencies | |
| run: | | |
| ./mvnw dependency:go-offline --batch-mode | |
| ./mvnw verify --fail-never --batch-mode | |
| - name: Build | |
| run: ./mvnw clean install --batch-mode | |
| - name: Build native | |
| run: ./mvnw clean install -Pnative --batch-mode | |
| - name: Run help | |
| run: target/github-stats-*-runner help | |
| - name: Upload target | |
| uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 | |
| with: | |
| name: target | |
| path: target/ | |
| if-no-files-found: error | |
| - name: Upload runner binary | |
| uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 | |
| with: | |
| name: runner | |
| path: target/github-stats-*-runner | |
| if-no-files-found: error | |
| - name: Generate hashes | |
| shell: bash | |
| id: hash | |
| run: | | |
| echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| - name: Get image tags | |
| id: image_tags | |
| uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4 | |
| with: | |
| IMAGE_CONTEXT_DIR: src/main/docker | |
| - name: Build image | |
| id: build_image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
| with: | |
| dockerfiles: src/main/docker/Dockerfile.native | |
| image: github-stats | |
| oci: true | |
| tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" | |
| - name: Push to ghcr.io | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| id: push_image | |
| with: | |
| image: ${{ steps.build_image.outputs.image }} | |
| registry: ghcr.io/${{ github.repository }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| tags: ${{ steps.build_image.outputs.tags }} | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}" | |
| image_digest: "${{ steps.push_image.outputs.digest }}" | |
| image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}" | |
| analyze: | |
| needs: [ build ] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: 21 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | |
| with: | |
| languages: java | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | |
| with: | |
| category: "/language:java" | |
| - name: Submit Dependency Snapshot | |
| uses: advanced-security/maven-dependency-submission-action@bb3f7338b5bd0e3b225d8082e26b7b6289e17ef3 # v4 | |
| test: | |
| needs: [ build ] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Download target | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: target | |
| - name: Make github-stats-*-runner executable | |
| run: chmod +x github-stats-*-runner | |
| - name: Run 'collect-stats' for UKI | |
| env: | |
| GITHUB_LOGIN: ${{ github.repository_owner }} | |
| GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
| run: | | |
| touch /tmp/stats.csv | |
| ./github-stats-*-runner stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400 | |
| - name: Run 'collect-members-from-ldap' for UKI | |
| env: | |
| GITHUB_LOGIN: ${{ github.repository_owner }} | |
| GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
| run: | | |
| touch /tmp/members.csv | |
| ./github-stats-*-runner users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false | |
| - name: Run 'create-who-are-you-issues' for UKI | |
| env: | |
| GITHUB_LOGIN: ${{ github.repository_owner }} | |
| GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
| run: ./github-stats-*-runner users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false | |
| - name: Upload /tmp/*.csv | |
| uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 | |
| with: | |
| name: outputs.csv | |
| path: /tmp/*.csv | |
| if-no-files-found: error | |
| - name: Run create-who-are-you-issues for UKI | |
| env: | |
| GITHUB_LOGIN: ${{ github.repository_owner }} | |
| GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
| run: ./github-stats-*-runner users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false | |
| sign-image: | |
| needs: [ build ] | |
| permissions: | |
| id-token: write | |
| packages: write | |
| if: startsWith(github.ref, 'refs/tags/') | |
| env: | |
| image_uri: ${{ needs.build.outputs.image_uri }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3 | |
| - name: Cosign login | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io | |
| - name: Sign Image | |
| run: | | |
| cosign sign --yes ${image_uri} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| env: | |
| TRIVY_USERNAME: ${{ github.repository_owner }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| scan-type: image | |
| image-ref: ${{ env.image_uri }} | |
| format: "cosign-vuln" | |
| output: "cosign-vuln.json" | |
| - name: Run Trivy SBOM generator | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| env: | |
| TRIVY_USERNAME: ${{ github.repository_owner }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| scan-type: image | |
| image-ref: ${{ env.image_uri }} | |
| format: "spdx-json" | |
| output: "spdx-json.json" | |
| - name: Attach attestations | |
| run: | | |
| cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri} | |
| cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri} | |
| provenance_binary: | |
| needs: [ build ] | |
| if: startsWith(github.ref, 'refs/tags/') | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.hashes }}" | |
| upload-assets: true | |
| provenance_image: | |
| needs: [ build ] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
| with: | |
| image: ${{ needs.build.outputs.image_repo }} | |
| digest: ${{ needs.build.outputs.image_digest }} | |
| registry-username: ${{ github.repository_owner }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| release: | |
| needs: [ build ] | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/') | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download runner | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
| with: | |
| name: runner | |
| - name: Upload assets to release | |
| uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 | |
| with: | |
| files: | | |
| github-stats-*-runner |