From 7cefa7a9323a4c2b8ae8a913fc4e4aa0c45da952 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 15 May 2026 00:11:25 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/changelog-for-all.yml | 29 +++-- .github/workflows/cleanup.yaml | 14 ++- .../complete-artifact-one-by-one.yml | 7 +- .github/workflows/delete-old-releases.yml | 5 + .github/workflows/download-update.yml | 35 +++++- .github/workflows/enable-hetzner-runners.yml | 31 +++++- .github/workflows/external.yml | 7 +- .../workflows/full-distro-build-and-test.yml | 24 ++-- .github/workflows/labeler.yml | 9 +- .github/workflows/labels-from-yml.yml | 15 ++- .github/workflows/live-patch.yml | 18 ++- .github/workflows/recreate-matrix.yml | 11 +- .github/workflows/redirector-update.yml | 104 +++++++++++++++--- .github/workflows/repository-sync.yml | 26 ++++- .github/workflows/repository-update.yml | 46 ++++++-- .github/workflows/scorecards.yml | 81 ++++++++++++++ .github/workflows/smoke-tests.yml | 7 +- .github/workflows/test.yml | 10 +- .github/workflows/watchdog.yml | 8 ++ .github/workflows/webindex-update.yml | 20 +++- 20 files changed, 435 insertions(+), 72 deletions(-) create mode 100644 .github/workflows/scorecards.yml diff --git a/.github/workflows/changelog-for-all.yml b/.github/workflows/changelog-for-all.yml index 55e3e5c01fa..9038bff0015 100644 --- a/.github/workflows/changelog-for-all.yml +++ b/.github/workflows/changelog-for-all.yml @@ -18,8 +18,13 @@ jobs: matrix: ${{steps.json.outputs.JSON_CONTENT}} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/os fetch-depth: 0 
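Review bot: Every `Harden the runner` step added in this commit (this hunk and all later ones) uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the pin-to-SHA work is not yet matched by any egress control. Once a few runs have produced audit output, move the jobs that do not need arbitrary egress to `egress-policy: block` with an `allowed-endpoints:` list derived from those logs, starting with the GitHub-hosted `ubuntu-latest` jobs. Several hardened jobs run on self-hosted labels (`runs-on: [Linux, X64]` in download-update.yml and live-patch.yml, `runs-on: Linux` in redirector-update.yml, `runs-on: fast` in repository-sync.yml and repository-update.yml); harden-runner's self-hosted support is documented as tier-dependent, so confirm the step is effective there rather than a no-op, and that installing its host agent is acceptable on runners that persist between jobs. A one-line comment above each step such as `# egress audit only; tighten to block + allowed-endpoints after reviewing audit logs` would record that this is a transitional setting.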
@@ -52,6 +57,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "URL=${{ matrix.source }} Branch=${{ matrix.branch }} SHA=${{ matrix.sha1 }}" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -118,7 +128,7 @@ jobs: fi - name: Upload resoults - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: ${{ matrix.sha1 }} path: artifact @@ -130,25 +140,30 @@ jobs: timeout-minutes: 60 runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "merged" - uses: actions/upload-artifact/merge@v7 + uses: actions/upload-artifact/merge@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: delete-merged: true - - uses: actions/download-artifact@v8 + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: merged-artifacts - name: Display structure of downloaded files run: find -name "*.txt" -exec cat {} \; | sort >> $GITHUB_STEP_SUMMARY - - uses: geekyeggo/delete-artifact@v6 + - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0 with: name: merged-artifacts failOnError: false - name: "Checkout OS repository to get latest tag" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/os fetch-depth: 0 @@ -181,7 +196,7 @@ jobs: ## What's was changed in past week?" > body.html find -name "*.txt" -exec cat {} \; >> body.html - - uses: ncipollo/release-action@v1 + - uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: owner: 'armbian' repo: 'build' 
diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml index cba6bd70747..ca4c8469d7f 100644 --- a/.github/workflows/cleanup.yaml +++ b/.github/workflows/cleanup.yaml @@ -15,8 +15,13 @@ jobs: outputs: matrix: ${{steps.json.outputs.JSON_CONTENT}} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Checkout Armbian build Framework" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/build ref: ${{ inputs.ref || inputs.branch || 'main' }} @@ -53,5 +58,10 @@ jobs: steps: # Cleaning self hosted runners + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Runner clean - uses: armbian/actions/runner-clean@main + uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main diff --git a/.github/workflows/complete-artifact-one-by-one.yml b/.github/workflows/complete-artifact-one-by-one.yml index 255e9d2971d..561130145be 100644 --- a/.github/workflows/complete-artifact-one-by-one.yml +++ b/.github/workflows/complete-artifact-one-by-one.yml @@ -382,7 +382,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: armbian/build@v26.2.1 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - uses: armbian/build@efb4c684c67cde3b2ba484a5b9e1bb1ab3d7eee6 # v26.2.1 with: armbian_token: "${{secrets.GITHUB_TOKEN}}" armbian_target: "${{inputs.armbian_target}}" diff --git a/.github/workflows/delete-old-releases.yml b/.github/workflows/delete-old-releases.yml index d12c6ce43f4..f2ad68b7fe6 100644 --- a/.github/workflows/delete-old-releases.yml +++ b/.github/workflows/delete-old-releases.yml 
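Review bot: The `uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main` pin in the second cleanup.yaml hunk (and the same `# main` pins for `team-check` and `make-yaml-redirector` in later files, plus `ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74 # master` in recreate-matrix.yml) records a branch name as the version comment, so SHA-updating tooling will follow the branch tip rather than a release and a reader cannot tell from the comment which revision of the action is meant. For the first-party `armbian/actions` references, cut a tag in that repository and pin to it, as the hetzner action already does with `# 1.1`; for `github-push-action`, pin a tagged release instead of `master`. Until then, add a short comment above each such step noting that the SHA freezes the branch head as of this commit and must be bumped deliberately.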
@@ -9,6 +9,11 @@ jobs: clean_releases: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Delete old releases env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/download-update.yml b/.github/workflows/download-update.yml index 9b22e56d415..6387c5ae118 100644 --- a/.github/workflows/download-update.yml +++ b/.github/workflows/download-update.yml @@ -25,8 +25,13 @@ jobs: runs-on: [Linux, X64] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -40,6 +45,11 @@ jobs: runs-on: [Linux, X64] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -66,8 +76,13 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} 
@@ -92,6 +107,11 @@ jobs: needs: Sync steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Cleaning run: | [[ "${{ inputs.PURGE }}" == yes ]] && rm -rf /storage/incoming/* || true @@ -103,15 +123,20 @@ jobs: runs-on: [Linux, X64] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Run webindex update action" - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.DISPATCH }} repository: armbian/os event-type: "Webindex update" - name: "Run redirector update action" - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.DISPATCH }} repository: armbian/os @@ -119,7 +144,7 @@ jobs: # # - name: Repository Dispatch -# uses: peter-evans/repository-dispatch@v4 +# uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 # with: # token: ${{ secrets.DISPATCH }} # repository: 'armbian/os' diff --git a/.github/workflows/enable-hetzner-runners.yml b/.github/workflows/enable-hetzner-runners.yml index ce74ce0c88a..a956fb87d5a 100644 --- a/.github/workflows/enable-hetzner-runners.yml +++ b/.github/workflows/enable-hetzner-runners.yml 
@@ -56,8 +56,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -71,6 +76,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Delete dangling cloud runners" run: | for runner in $(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/armbian/os/actions/runners | jq -r '.runners[] | .id'); do @@ -96,9 +106,14 @@ jobs: node: ${{fromJson(needs.Prepare.outputs.matrix)}} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Enable Hetzner Virtual Machines if: ${{ github.repository_owner == 'Armbian' }} - uses: armbian/actions/hetzner@1.1 + uses: armbian/actions/hetzner@32bfbca43f8b93262beb93a2e000c5f22e3d37c5 # 1.1 with: action-type: enable machine-type: "${{ github.event.inputs.machine || 'cax31' }}" @@ -116,6 +131,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Sleeping "${{ github.event.inputs.period }}" run: sleep "${{ github.event.inputs.period || '110m' }}" 
@@ -126,9 +146,14 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Enable Hetzner Virtual Machines if: ${{ always() && github.repository_owner == 'Armbian' }} - uses: armbian/actions/hetzner@1.1 + uses: armbian/actions/hetzner@32bfbca43f8b93262beb93a2e000c5f22e3d37c5 # 1.1 with: action-type: disable machine-type: "${{ github.event.inputs.machine || 'cax21' }}" diff --git a/.github/workflows/external.yml b/.github/workflows/external.yml index 0a3fa649e3a..2cb01145748 100644 --- a/.github/workflows/external.yml +++ b/.github/workflows/external.yml @@ -14,7 +14,12 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 3 steps: - - uses: styfle/cancel-workflow-action@0.13.1 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1 if: ${{ github.event.schedule == '' }} with: all_but_latest: true diff --git a/.github/workflows/full-distro-build-and-test.yml b/.github/workflows/full-distro-build-and-test.yml index a2d623c8a5c..cd5abc64c80 100644 --- a/.github/workflows/full-distro-build-and-test.yml +++ b/.github/workflows/full-distro-build-and-test.yml @@ -17,8 +17,13 @@ jobs: outputs: matrix: ${{steps.json.outputs.JSON_CONTENT}} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Checkout Armbian build Framework" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/build ref: ${{ inputs.ref || inputs.branch || 'main' }} 
@@ -27,7 +32,7 @@ jobs: path: build - name: "Install SSH key" - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} @@ -67,19 +72,24 @@ jobs: steps: # Cleaning self hosted runners + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Runner clean - uses: armbian/actions/runner-clean@main + uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main # Login to ghcr.io, for later uploading rootfs to ghcr.io - name: Docker Login to GitHub Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: "${{ github.repository_owner }}" # GitHub username or org password: "${{ secrets.GITHUB_TOKEN }}" # GitHub actions builtin token. repo has to have pkg access. - name: "Install SSH key" - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} @@ -97,7 +107,7 @@ jobs: # clone the build system repo (`armbian/build`) - name: Checkout build repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/build ref: ${{ inputs.ref || inputs.branch || 'main' }} @@ -107,7 +117,7 @@ jobs: # clone the userpatches repo (`armbian/os`) - name: "Checkout userpatches repo" - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/os fetch-depth: 0 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 1215733e6ed..1f3886abac7 100644 --- a/.github/workflows/labeler.yml 
+++ b/.github/workflows/labeler.yml @@ -12,7 +12,12 @@ jobs: pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: actions/labeler@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/labels-from-yml.yml b/.github/workflows/labels-from-yml.yml index 3753aa277b6..aa36a924fb6 100644 --- a/.github/workflows/labels-from-yml.yml +++ b/.github/workflows/labels-from-yml.yml @@ -11,17 +11,28 @@ on: paths: - '.github/labels.yml' +permissions: + contents: read + jobs: labeler: + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for crazy-max/ghaction-github-labeler to create, rename, update and delete label if: ${{ github.repository_owner == 'Armbian' }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@v6 + uses: crazy-max/ghaction-github-labeler@548a7c3603594ec17c819e1239f281a3b801ab4d # v6.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} yaml-file: .github/labels.yml diff --git a/.github/workflows/live-patch.yml b/.github/workflows/live-patch.yml index 72fb2d6de1c..26871902a7d 100644 --- a/.github/workflows/live-patch.yml +++ b/.github/workflows/live-patch.yml 
@@ -19,8 +19,13 @@ jobs: runs-on: [Linux, X64] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -32,14 +37,19 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Import GPG key env: GPG_KEY1: ${{ secrets.GPG_KEY1 }} if: env.GPG_KEY1 != null - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_KEY1 }} passphrase: ${{ secrets.GPG_PASSPHRASE1 }} @@ -57,7 +67,7 @@ jobs: done - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} diff --git a/.github/workflows/recreate-matrix.yml b/.github/workflows/recreate-matrix.yml index 11c3a198a89..235df0d89e4 100644 --- a/.github/workflows/recreate-matrix.yml +++ b/.github/workflows/recreate-matrix.yml 
@@ -32,8 +32,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout Armbian Framework - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false repository: armbian/build @@ -43,7 +48,7 @@ jobs: path: build - name: Checkout Armbian OS Config - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false repository: armbian/os @@ -515,7 +520,7 @@ jobs: git commit --allow-empty -m "Update generated GHA chunk workflow artifact-image-complete-matrix.yml" -a - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@d30dc2d070765d7e509df00c34c5fa2dd636ff74 # master with: github_token: ${{ secrets.ACCESS_TOKEN_ARMBIANWORKER }} repository: armbian/os diff --git a/.github/workflows/redirector-update.yml b/.github/workflows/redirector-update.yml index 151f2f65f40..ab2207f6c79 100644 --- a/.github/workflows/redirector-update.yml +++ b/.github/workflows/redirector-update.yml @@ -14,8 +14,13 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -31,6 +36,11 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | 
@@ -50,6 +60,11 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -69,6 +84,11 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -88,6 +108,11 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -117,6 +142,11 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check" run: | @@ -131,7 +161,7 @@ jobs: fi - name: Upload JSON - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: debs-beta path: downloads @@ -153,6 +183,11 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check" run: | @@ -167,7 +202,7 @@ jobs: fi - name: Upload JSON - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: debs path: downloads @@ -189,6 +224,11 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check" run: | 
@@ -203,7 +243,7 @@ jobs: fi - name: Upload JSON - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: archive path: downloads @@ -225,6 +265,11 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check" run: | @@ -239,7 +284,7 @@ jobs: fi - name: Upload JSON - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: images path: downloads @@ -253,13 +298,18 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Clean" run: | rm -rf downloads/* - name: "Download artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: debs-beta path: downloads @@ -271,7 +321,7 @@ jobs: echo "failoverserver=$(ls -1 downloads/ | sed ':a; N; s/\n/ /; ta') " >> $GITHUB_ENV - name: Test debs - uses: armbian/actions/make-yaml-redirector@main + uses: armbian/actions/make-yaml-redirector@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: variant: debs-beta failoverserver: "${{ env.failoverserver }}" @@ -288,13 +338,18 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Clean" run: | rm -rf downloads/* - name: "Download artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: debs path: downloads 
@@ -306,7 +361,7 @@ jobs: echo "failoverserver=$(ls -1 downloads/ | sed ':a; N; s/\n/ /; ta') " >> $GITHUB_ENV - name: Test debs - uses: armbian/actions/make-yaml-redirector@main + uses: armbian/actions/make-yaml-redirector@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: variant: debs failoverserver: "${{ env.failoverserver }}" @@ -322,13 +377,18 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Clean" run: | rm -rf downloads/* - name: "Download artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: archive path: downloads @@ -340,7 +400,7 @@ jobs: echo "failoverserver=$(ls -1 downloads/ | sed ':a; N; s/\n/ /; ta') " >> $GITHUB_ENV - name: Test archive - uses: armbian/actions/make-yaml-redirector@main + uses: armbian/actions/make-yaml-redirector@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: variant: archive failoverserver: "${{ env.failoverserver }}" @@ -357,13 +417,18 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Clean" run: | rm -rf downloads/* - name: "Download artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: images path: downloads @@ -375,7 +440,7 @@ jobs: echo "failoverserver=$(ls -1 downloads/ | sed ':a; N; s/\n/ /; ta') " >> $GITHUB_ENV - name: Test images - uses: armbian/actions/make-yaml-redirector@main + uses: armbian/actions/make-yaml-redirector@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: variant: images failoverserver: "${{ env.failoverserver }}" 
@@ -394,19 +459,24 @@ jobs: runs-on: Linux steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Clean" run: | rm -rf downloads/* - - uses: robinraju/release-downloader@v1.13 + - uses: robinraju/release-downloader@28fc21f50d76778e7023361aa1f863e717d3d56f # v1.13 with: repository: "P3TERX/GeoLite.mmdb" latest: true fileName: "*.mmdb" - name: "Download artifacts" - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: redirector-config path: downloads @@ -417,7 +487,7 @@ jobs: ls -l downloads ls -l *.mmdb - - uses: geekyeggo/delete-artifact@v6 + - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0 with: name: | redirector-config @@ -428,7 +498,7 @@ jobs: failOnError: false - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} diff --git a/.github/workflows/repository-sync.yml b/.github/workflows/repository-sync.yml index b36f9e47b2d..abce51fff9a 100644 --- a/.github/workflows/repository-sync.yml +++ b/.github/workflows/repository-sync.yml @@ -21,8 +21,13 @@ jobs: runs-on: fast steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -36,6 +41,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -62,8 +72,13 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} @@ -106,8 +121,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Run redirector update action" - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.DISPATCH }} repository: armbian/armbian.github.io diff --git a/.github/workflows/repository-update.yml b/.github/workflows/repository-update.yml index ceb51f347c7..a4e520d46b2 100644 --- a/.github/workflows/repository-update.yml +++ b/.github/workflows/repository-update.yml @@ -21,8 +21,13 @@ jobs: runs-on: fast steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Check membership" - uses: armbian/actions/team-check@main + uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main with: ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -61,23 +66,28 @@ jobs: steps: # Cleaning self hosted runners + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Runner clean - uses: armbian/actions/runner-clean@main + uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main - name: Checkout build repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: armbian/build fetch-depth: 1 clean: false - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_KEY3 }} - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v7 + uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0 with: gpg_private_key: ${{ secrets.GPG_KEY4 }} @@ -139,6 +149,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Get primary mirrors from database id: json run: | @@ -165,8 +180,13 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} 
@@ -205,8 +225,13 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Install SSH key - uses: shimataro/ssh-key-action@v2 + uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1 with: key: ${{ secrets.KEY_UPLOAD }} known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }} @@ -240,8 +265,13 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Run redirector update action" - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 with: token: ${{ secrets.DISPATCH }} repository: armbian/armbian.github.io diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 00000000000..ba6d8757139 --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+ # To allow GraphQL ListCommits to work
+ issues: read
+ pull-requests: read
+ # To detect SAST tools
+ checks: read
+
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml
index 3a608bec0f8..4296465058b 100644
--- a/.github/workflows/smoke-tests.yml
+++ b/.github/workflows/smoke-tests.yml
@@ -41,8 +41,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
 - name: "Check membership"
- uses: armbian/actions/team-check@main
+ uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main
 with:
 ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 99ac5ecf4eb..ed66560e96c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -50,6 +50,9 @@ env:
 # Added to every image build arguments.
 EXTRA_PARAMS_IMAGE: "SHARE_LOG=yes "
+permissions:
+ contents: read
+
 jobs:
 # additional security check
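Review bot: The new workflow pins `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` and `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2`, while the other workflows touched by this commit are moved to `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` and `actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1`, so the repository now carries two pinned revisions of each action to track and review on every bump. Unless the scorecard template depends on the v4 lines, using the same two `uses:` values as the rest of the commit keeps one pin per action. `persist-credentials: false` on the checkout and the read-only top-level `permissions: read-all` with narrow job-level grants are the right shape for this job; `publish_results: true` sends the results to the OpenSSF API, which the comment block correctly limits to the public-repository case.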
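Review bot: The workflow-level `permissions: contents: read` added at the end of this hunk strips every other scope from the GITHUB_TOKEN of every job in test.yml, so any job that writes with that token (release uploads, issue or PR comments, labels, dispatching workflows) now needs its own job-level `permissions:` block, and the commit adds none; the `Prepare incoming` dispatch in the next hunk authenticates with `secrets.DISPATCH` and is unaffected, but the remaining jobs are outside the hunk, so they need checking. The same applies to the `permissions: contents: read` added to watchdog.yml, whose `Restart ${{ matrix.script }}.yml` step presumably re-runs workflows and would need `actions: write` if it relies on GITHUB_TOKEN rather than a PAT — its `run:` body is outside that hunk, so confirm. Keeping the read-only default at the top and granting e.g. `contents: write` only on the job that needs it is the pattern to follow when one turns up.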
@@ -61,8 +64,13 @@ jobs:
 steps:
 # Run repository mirroring to CDN
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
 - name: "Prepare incoming"
- uses: peter-evans/repository-dispatch@v4
+ uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
 with:
 token: ${{ secrets.DISPATCH }}
 repository: armbian/armbian.github.io
diff --git a/.github/workflows/watchdog.yml b/.github/workflows/watchdog.yml
index 10aab172ef7..efbc7df90e4 100644
--- a/.github/workflows/watchdog.yml
+++ b/.github/workflows/watchdog.yml
@@ -14,6 +14,9 @@ concurrency:
 group: watchdog-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 gradle:
@@ -29,6 +32,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
 - name: "Restart ${{ matrix.script }}.yml"
 run: |
diff --git a/.github/workflows/webindex-update.yml b/.github/workflows/webindex-update.yml
index f6985414296..ffba4e04ff1 100644
--- a/.github/workflows/webindex-update.yml
+++ b/.github/workflows/webindex-update.yml
@@ -25,8 +25,13 @@ jobs:
 runs-on: Linux
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
 - name: "Check membership"
- uses: armbian/actions/team-check@main
+ uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main
 with:
 ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -42,8 +47,13 @@ jobs:
 needs: Check
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
 - name: Checkout build framework repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: armbian/build
 fetch-depth: 1
@@ -51,7 +61,7 @@ jobs:
 path: build
 - name: Checkout OS repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: armbian/os
 fetch-depth: 1
@@ -59,7 +69,7 @@ jobs:
 path: os
 - name: Install SSH key
- uses: shimataro/ssh-key-action@v2
+ uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
 with:
 key: ${{ secrets.KEY_UPLOAD }}
 known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }}
@@ -203,7 +213,7 @@ jobs:
 cp os/kernel-description.json .
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: artifacts
 path: |