actions/code-coverage-summary
1
0
Fork 0
mirror of https://github.com/irongut/CodeCoverageSummary.git synced 2026-05-21 09:20:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

merge PR #62 Implement StepSecurity Secure Workflows (policy)

Browse Source 
PR: Implement StepSecurity Secure Workflows (policy)
This commit is contained in:
irongut
2022-08-05 23:57:50 +01:00
committed by GitHub
parent 7c7e56f29d 74295b4928
commit 84eac7e593
7 changed files with 65 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/assign-to-project.yml
+3 -1
View File
@@ -22,7 +22,9 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Assign Issues to Bugs - name: Assign Issues to Bugs
uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
.github/workflows/auto-assign-pr.yml
+3 -1
View File
@@ -15,7 +15,9 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Auto Assign PR - name: Auto Assign PR
uses: samspills/assign-pr-to-author@b313feb250ff414d3aff26525b986f080ee7bd7a uses: samspills/assign-pr-to-author@b313feb250ff414d3aff26525b986f080ee7bd7a
.github/workflows/ci-build.yml
+12 -1
View File
@@ -9,6 +9,11 @@ on:
permissions: permissions:
contents: read contents: read
env:
DOTNET_NOLOGO: true # Disable the .NET logo in the console output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -18,7 +23,13 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.nuget.org:443
dotnetbuilds.azureedge.net:443
dotnetcli.azureedge.net:443
dotnetcli.blob.core.windows.net:443
github.com:443
- name: Checkout - name: Checkout
uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
.github/workflows/codeql-scan.yml
+14 -1
View File
@@ -15,6 +15,11 @@ on:
permissions: # added using https://github.com/step-security/secure-workflows permissions: # added using https://github.com/step-security/secure-workflows
contents: read contents: read
env:
DOTNET_NOLOGO: true # Disable the .NET logo in the console output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze
@@ -34,7 +39,15 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
api.nuget.org:443
dotnetbuilds.azureedge.net:443
dotnetcli.azureedge.net:443
dotnetcli.blob.core.windows.net:443
github.com:443
uploads.github.com:443
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
.github/workflows/mark-stale.yml
+3 -1
View File
@@ -19,7 +19,9 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Mark Stale - name: Mark Stale
uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8 uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8
.github/workflows/pr-labeler.yml
+3 -1
View File
@@ -21,7 +21,9 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
- uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935 - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
with: with:
.github/workflows/release-build.yml
+27 -6
View File
@@ -4,13 +4,16 @@ on:
release: release:
types: [published] types: [published]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
permissions: permissions:
contents: read contents: read
env:
DOTNET_NOLOGO: true # Disable the .NET logo in the console output
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs: jobs:
build: build:
name: Test Build name: Test Build
@@ -20,7 +23,13 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.nuget.org:443
dotnetbuilds.azureedge.net:443
dotnetcli.azureedge.net:443
dotnetcli.blob.core.windows.net:443
github.com:443
- name: Checkout - name: Checkout
uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
@@ -55,7 +64,19 @@ jobs:
- name: Harden Runner - name: Harden Runner
uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
with: with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs egress-policy: block
allowed-endpoints: >
api.github.com:443
api.nuget.org:443
auth.docker.io:443
fulcio.sigstore.dev:443
ghcr.io:443
github.com:443
mcr.microsoft.com:443
pipelines.actions.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
registry-1.docker.io:443
storage.googleapis.com:443
- name: Checkout - name: Checkout
uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf