diff --git a/.github/workflows/bd_sca_scanner.yaml b/.github/workflows/bd_sca_scanner.yaml index e24322d..6066ca3 100644 --- a/.github/workflows/bd_sca_scanner.yaml +++ b/.github/workflows/bd_sca_scanner.yaml @@ -15,6 +15,8 @@ on: jobs: blackduck-sca-scan: runs-on: ubuntu-latest + permissions: + contents: read # actions/checkout concurrency: group: bd-sca-scan-${{ github.ref_name }} cancel-in-progress: true diff --git a/.github/workflows/hyperforge_agent_package_workflow.yaml b/.github/workflows/hyperforge_agent_package_workflow.yaml index 4f051f4..7d3c148 100644 --- a/.github/workflows/hyperforge_agent_package_workflow.yaml +++ b/.github/workflows/hyperforge_agent_package_workflow.yaml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 @@ -44,6 +46,8 @@ jobs: - test steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -56,16 +60,26 @@ jobs: - name: Set dependency versions in requirements run: | - python bump.py --package=${{ inputs.package }} --build=${{ github.run_number }} + python bump.py --package=${INPUTS_PACKAGE} --build=${{ github.run_number }} + env: + INPUTS_PACKAGE: ${{ inputs.package }} - name: Install package run: | - pip install -e ./${{ inputs.package }} + pip install -e ./${INPUTS_PACKAGE} + env: + INPUTS_PACKAGE: ${{ inputs.package }} - name: Build wheels - run: pip wheel --no-deps -w dist ./${{ inputs.package }} + run: pip wheel --no-deps -w dist ./${INPUTS_PACKAGE} + env: + INPUTS_PACKAGE: ${{ inputs.package }} - name: Upload to pypi + # zizmor: ignore[use-trusted-publishing] -- PYPI_TOKEN is a scoped + # API token stored as a repo secret. Migration to OIDC Trusted + # Publishing is tracked separately and requires PyPI-side setup for + # all 17 agent packages before the secret can be removed. run: twine upload --verbose dist/* env: TWINE_USERNAME: __token__ diff --git a/.github/workflows/hyperforge_workflow.yaml b/.github/workflows/hyperforge_workflow.yaml index 945fc26..d74ade3 100644 --- a/.github/workflows/hyperforge_workflow.yaml +++ b/.github/workflows/hyperforge_workflow.yaml @@ -25,16 +25,14 @@ env: GCP_WORKLOAD_IDENTITY_PROVIDER: "projects/224545243904/locations/global/workloadIdentityPools/gh-nuclia/providers/gh-nuclia-provider" GCP_SERVICE_ACCOUNT: "github-actions@nuclia-internal.iam.gserviceaccount.com" -permissions: - id-token: write - contents: read - actions: read - packages: write - jobs: test: name: Testing runs-on: learning-simple-arc-runners + permissions: + id-token: write # google-github-actions/auth (OIDC) + contents: read # actions/checkout ×2 + pull-requests: write # orgoro/coverage outputs: component: ${{ steps.param.outputs.component }} hash: ${{ steps.param.outputs.hash }} @@ -44,11 +42,32 @@ jobs: chart-version: ${{ steps.param.outputs.chart-version }} steps: + - name: Generate a token + id: app-token + uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 + with: + app-id: ${{ secrets.GHAPP_ID_NUCLIABOT }} + private-key: ${{ secrets.PK_GHAPP_NUCLIABOT }} + owner: nuclia + repositories: tooling + permission-contents: read + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Checkout tooling repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + repository: nuclia/tooling + ref: main + path: tooling + token: ${{ steps.app-token.outputs.token }} + persist-credentials: false - name: Parameter generator - uses: nuclia/tooling/.github/actions/parameter-generator@e3b8787755f131d70b5346b2704b66cd0accb7cb + uses: ./tooling/.github/actions/parameter-generator id: param with: component: forge @@ -83,7 +102,7 @@ jobs: make test - name: Get Cover - uses: orgoro/coverage@v3.1 + uses: orgoro/coverage@ca0c362dc1a4f100447309405e6dfea47e251495 # v3.3.1 if: github.event_name == 'pull_request' with: coverageFile: forge_cov.xml @@ -127,7 +146,7 @@ jobs: password: ${{ steps.gcp-auth-registry.outputs.access_token }} - name: Push image to registries - uses: nuclia/tooling/.github/actions/build-img-regcache@1c637a038d11b783a7ae1f3752b666c16466314e + uses: ./tooling/.github/actions/build-img-regcache with: file: RAO.Dockerfile image-name: ${{ steps.param.outputs.component }} @@ -142,7 +161,7 @@ jobs: if: github.event_name == 'push' - name: Build and push helm chart - uses: nuclia/tooling/.github/actions/build-helm-chart@e3b8787755f131d70b5346b2704b66cd0accb7cb + uses: ./tooling/.github/actions/build-helm-chart with: component: ${{ steps.param.outputs.component }} chart-version: ${{ steps.param.outputs.chart-version }} @@ -170,17 +189,20 @@ jobs: needs: test if: (failure() || cancelled()) && github.event_name == 'push' runs-on: nuclia-base + permissions: {} # slackapi/slack-github-action uses webhook secret, not GITHUB_TOKEN steps: - name: Build failed slack message id: build_message run: | - SLACK_MESSAGE="Testing for component ${{ needs.test.outputs.component }} in main/master has failed for SHA ${{ github.sha }}. Promotion can't be executed if a component is not passing tests." + SLACK_MESSAGE="Testing for component ${NEEDS_TEST_OUTPUTS_COMPONENT} in main/master has failed for SHA ${{ github.sha }}. Promotion can't be executed if a component is not passing tests." COLOR="danger" echo "color=$COLOR" >> $GITHUB_OUTPUT echo "message=$SLACK_MESSAGE" >> $GITHUB_OUTPUT shell: bash + env: + NEEDS_TEST_OUTPUTS_COMPONENT: ${{ needs.test.outputs.component }} - name: Slack notification id: slack @@ -208,8 +230,12 @@ jobs: if: github.event_name == 'push' needs: - test + permissions: + contents: read # actions/checkout steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: @@ -233,6 +259,7 @@ jobs: run: pip wheel --no-deps -w dist ./hyperforge - name: Upload to pypi + # zizmor: ignore[use-trusted-publishing] -- migrating to OIDC trusted publishing is tracked separately; PYPI_TOKEN is a scoped API token run: twine upload --verbose dist/* env: TWINE_USERNAME: __token__ @@ -243,6 +270,7 @@ jobs: needs: [test] if: | !failure() && !cancelled() && github.event_name == 'push' + permissions: {} # all API calls use GitHub App token, not GITHUB_TOKEN steps: - name: Generate a token id: app-token @@ -251,6 +279,8 @@ jobs: app-id: ${{ vars.GHAPP_NUCLIA_SERVICE_BOT_ID }} private-key: ${{ secrets.GHAPP_NUCLIA_SERVICE_BOT_PK }} owner: nuclia + repositories: core-apps + permission-contents: write - name: Create components promotion summary. Trigger1 env: @@ -260,6 +290,8 @@ jobs: PROMO_PRODUCTION: ${{ env.PROMO_PRODUCTION }} TEAM: "learning" SLACK_TEAM: "S06B50DM2FL" + COMPONENT: ${{ needs.test.outputs.component }} + CHART_VERSION: ${{ needs.test.outputs.chart-version }} run: | MERGED_JSON=$(jq -cs \ --arg environment "$ENVIRONMENT" \ @@ -269,6 +301,8 @@ jobs: --arg slack_team "$SLACK_TEAM" \ --arg promo_production "$PROMO_PRODUCTION" \ --arg commit_sha "${{ github.sha }}" \ + --arg component "$COMPONENT" \ + --arg chart_version "$CHART_VERSION" \ '{ components: map(.components) | add } + { @@ -293,8 +327,8 @@ jobs: } + { "components": [ { - "component": "${{ needs.test.outputs.component }}", - "chart-version": "${{ needs.test.outputs.chart-version }}", + "component": $component, + "chart-version": $chart_version, "component-type": "regional" } ] diff --git a/.github/workflows/trufflehog.yaml b/.github/workflows/trufflehog.yaml index 784e14e..f291a0d 100644 --- a/.github/workflows/trufflehog.yaml +++ b/.github/workflows/trufflehog.yaml @@ -8,6 +8,8 @@ on: jobs: trufflehog-scan: runs-on: ubuntu-latest + permissions: + contents: read # actions/checkout steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000..39d4d08 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,28 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: [main] + pull_request: + paths: + - '.github/workflows/**' + - '.github/actions/**' + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # required by github/codeql-action/upload-sarif + contents: read # required by actions/checkout (private-repo safe default) + actions: read # required by upload-sarif to read workflow run info on private repos + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + advanced-security: false \ No newline at end of file