[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
This commit is contained in:
parent
b3671db0b3
commit
d8a5f385bf
4 changed files with 51 additions and 0 deletions
23
.github/workflows/build-extra.yml
vendored
|
|
@ -32,10 +32,18 @@ on:
|
|||
- '.github/ISSUE_TEMPLATE/*'
|
||||
- '.github/pull_request_template.md'
|
||||
|
||||
permissions: # added using https://github.com/step-security/secure-workflows
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-clang:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: install dependencies
|
||||
run: sudo apt-get install libapparmor-dev libselinux1-dev
|
||||
|
|
@ -50,6 +58,11 @@ jobs:
|
|||
scan-build:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: install clang-tools-14 and dependencies
|
||||
run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
|
||||
|
|
@ -60,6 +73,11 @@ jobs:
|
|||
cppcheck:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: install cppcheck
|
||||
run: sudo apt-get install cppcheck
|
||||
|
|
@ -70,6 +88,11 @@ jobs:
|
|||
cppcheck_old:
|
||||
runs-on: ubuntu-20.04
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: install cppcheck
|
||||
run: sudo apt-get install cppcheck
|
||||
|
|
|
|||
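Review bot: The four new `uses: step-security/harden-runner@2e205a28…` pins in this file (and the existing `actions/checkout@93ea575…` lines next to them) carry no version comment, so a reader cannot tell which release the SHA corresponds to, and Dependabot/Renovate rely on a `# vX.Y.Z` trailer to propose bumps for SHA-pinned actions. Suggest `uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # vX.Y.Z`, filling in the tag of the release that resolves to that commit. The `egress-policy: audit` TODO is repeated in every job here; since the three `sudo apt-get install` steps need the same mirror endpoints, one audit run should be enough to derive a shared `allowed-endpoints` list and flip all four jobs to `block` together rather than tracking four separate TODOs. Until then the added step only records outbound connections and does not stop a compromised build dependency from exfiltrating, so it is observability rather than enforcement.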
8
.github/workflows/build.yml
vendored
|
|
@ -24,10 +24,18 @@ on:
|
|||
- RELNOTES
|
||||
- SECURITY.md
|
||||
|
||||
permissions: # added using https://github.com/step-security/secure-workflows
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build_and_test:
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: update package information
|
||||
run: sudo apt-get update
|
||||
|
|
|
|||
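Review bot: The new `egress-policy: audit` in `build_and_test` only logs outbound traffic and blocks nothing, so the job is not actually hardened until the TODO on that line is completed. Because this job already runs `sudo apt-get update` against a pinned checkout, the audit report from one or two runs should yield a stable endpoint set; the follow-up is `egress-policy: block` plus an `allowed-endpoints:` list taken from that report. The workflow-level `permissions: contents: read` is the right default, but any job in this file outside the hunk that needs to write (releases, check runs) must declare its own `permissions:` block, since a job-level block replaces rather than extends the workflow-level one. `build_and_test` continues past the end of the hunk.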
12
.github/workflows/codeql-analysis.yml
vendored
|
|
@ -34,8 +34,15 @@ on:
|
|||
schedule:
|
||||
- cron: '0 7 * * 2'
|
||||
|
||||
permissions: # added using https://github.com/step-security/secure-workflows
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
permissions:
|
||||
actions: read # for github/codeql-action/init to get workflow details
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for github/codeql-action/autobuild to send a status report
|
||||
name: Analyze
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
|
|
@ -48,6 +55,11 @@ jobs:
|
|||
# https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
|
||||
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
|
||||
|
|
|
|||
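Review bot: The `analyze` job already carries its own `permissions:` block (`actions: read`, `contents: read`, `security-events: write`), and a job-level block completely replaces the workflow-level one, so the added top-level `contents: read` does not change this job's token at all; it only constrains any other job in the file without an explicit block, which is not visible from this hunk. A short comment would stop a future edit from "de-duplicating" the job-level `contents: read`, e.g. `# job-level permissions replace the workflow default; keep contents: read here`. Harden Runner is now SHA-pinned, but `runs-on: ubuntu-latest` on the same job remains a floating image; pinning it to `ubuntu-22.04` as the other workflows do would make the CodeQL environment reproducible. When the TODO is resolved, `egress-policy: block` for this job will need the GitHub API and upload endpoints the SARIF upload uses, which the audit run will list.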
8
.github/workflows/profile-checks.yml
vendored
|
|
@ -16,10 +16,18 @@ on:
|
|||
- 'src/firecfg/firecfg.config'
|
||||
- 'contrib/sort.py'
|
||||
|
||||
permissions: # added using https://github.com/step-security/secure-workflows
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
profile-checks:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
|
||||
with:
|
||||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||
|
||||
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
|
||||
- name: sort.py
|
||||
run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
|
||||
|
|
|
|||
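Review bot: This job is the easiest candidate to move to `egress-policy: block` immediately rather than leaving the `audit` TODO: after `actions/checkout` it only runs `./ci/check/profiles/sort.py` over files in the checkout, so if `sort.py` makes no network calls (worth confirming) the only legitimate egress is to GitHub itself. The change would be `egress-policy: block` with `allowed-endpoints: github.com:443` beneath it, adjusted from whatever the first audit run reports. Running a repo-supplied script under a read-only `GITHUB_TOKEN` (the new `contents: read`) is the right shape; `runs-on: ubuntu-latest` is the one remaining unpinned input in this job.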