Description
Summary
This issue was created by StepSecurity for security issues found in sync-to-coding.yml. The platform has identified 2 vulnerabilities (1 critical, 0 high, 0 medium, 1 low).
Remediation Overview
The platform can generate remediations for a few vulnerabilities. For such vulnerabilities, you can find the fixed workflow file in the Suggested Fix For Auto-Remediable Issues section. You can manually deploy these changes or create a pull request by commenting @stepsecurity-app pull-request create on this issue.
If you’d like an automated pull request with the fixed workflow file, comment:
@stepsecurity-app pull-request create
Other issues require manual investigation and changes.
Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.
Please review the individual vulnerability section below and follow the recommended resolution steps.
Security Checks Details
❌ Actions should be pinned to a full-length commit SHA
- Severity: Critical
- Description: GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
- Resolution: Pin Actions to a full-length commit SHA.
- Automated Remediation Available?: true
- References:
❌ Network and runtime security monitoring should be enabled for GitHub-hosted runners
- Severity: Low
- Description: This check passes if the step-security/harden-runner GitHub Action is used in a job that runs on a GitHub-hosted runner. Harden-Runner prevents exfiltration of code and CI/CD credentials, and detects tampering with files during the build.
- Resolution: Add the step-security/harden-runner GitHub Action to the job.
- Automated Remediation Available?: true
- References:
Suggested Fix For Auto-Remediable Issues
Below is the updated workflow, which fixes the following security vulnerabilities:
- Actions should be pinned to a full-length commit SHA
- Network and runtime security monitoring should be enabled for GitHub-hosted runners
name: 同步代码到多个仓库
on:
push:
branches:
- master
pull_request:
branches:
- master
types: [closed]
jobs:
sync-to-gitcode:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true || github.event_name == 'push'
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
GIT_USER: xiaomizhou
GIT_EMAIL: qixiaoxin@stu.sqxy.edu.cn
steps:
- name:
+ Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+ - name:
Checkout
uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 #
v4
+ .3.0
with:
fetch-depth: 0
- name: Set up SSH Agent
uses: webfactory/ssh-agent@
+ 5f066a372ec13036ab7cb9a8adf18c936f8d2043 #
v0.5.3
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Accept Gitcode Host Key
run: |
echo -e "Host gitcode.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
ssh-keyscan gitcode.com >> ~/.ssh/known_hosts
- name: Configure Git User
run: |
git config --global user.name "${{ secrets.GIT_USER }}"
git config --global user.email "${{ secrets.GIT_EMAIL }}"
- name: Add Gitcode Remote
run: git remote add gitcode git@gitcode.com:xiaomizhou/MZAPI-python.git
- name: Push to Gitcode
run: git push gitcode master
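Review bot: the Accept Gitcode Host Key step writes `StrictHostKeyChecking no` for gitcode.com and then appends `ssh-keyscan` output to known_hosts; the first setting makes the second pointless, because SSH will accept whatever key the remote presents and the push proceeds even when the host key does not match the scanned one. Keep host-key verification on and instead commit the expected gitcode.com public key (or its fingerprint) to the workflow and write only that to `~/.ssh/known_hosts`, so a wrong key fails the job instead of being silently trusted. Separately, the job-level `env` sets `GIT_USER: xiaomizhou`, but the Configure Git User step reads `${{ secrets.GIT_USER }}`, so that env value is never used.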
sync-to-gitee:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true || github.event_name == 'push'
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
GIT_USER: ${{ secrets.GITEE_USER }}
GIT_EMAIL: ${{ secrets.GITEE_EMAIL }}
steps:
- name:
+ Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+ - name:
Checkout
uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 #
v4
+ .3.0
with:
fetch-depth: 0
- name: Set up SSH Agent
uses: webfactory/ssh-agent@
+ 5f066a372ec13036ab7cb9a8adf18c936f8d2043 #
v0.5.3
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Accept Gitee Host Key
run: |
echo -e "Host gitee.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
ssh-keyscan gitee.com >> ~/.ssh/known_hosts
- name: Configure Git User
run: |
git config --global user.name "${{ secrets.GITEE_USER }}"
git config --global user.email "${{ secrets.GITEE_EMAIL }}"
- name: Add Gitee Remote
run: git remote add gitee git@gitee.com:qinjielove/mzapi-python.git
- name: Push to Gitee
run: git push gitee master
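Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections; it does not stop the credential exfiltration the check description refers to. This job's outbound targets are fixed (github.com for the checkout, gitee.com for the push), so after one audit run the step can move to `egress-policy: block` with an `allowed-endpoints` list naming those hosts, which is where the protection actually comes from. The same applies to the identical harden-runner step added to the other four jobs.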
sync-to-codeup:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true || github.event_name == 'push'
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
GIT_USER: ${{ secrets.CODEUP_USER }}
GIT_EMAIL: ${{ secrets.CODEUP_EMAIL }}
steps:
- name:
+ Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+ - name:
Checkout
uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 #
v4
+ .3.0
with:
fetch-depth: 0
- name: Set up SSH Agent
uses: webfactory/ssh-agent@
+ 5f066a372ec13036ab7cb9a8adf18c936f8d2043 #
v0.5.3
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Accept Codeup Host Key
run: |
echo -e "Host codeup.aliyun.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
ssh-keyscan codeup.aliyun.com >> ~/.ssh/known_hosts
- name: Configure Git User
run: |
git config --global user.name "${{ secrets.GIT_USER }}"
git config --global user.email "${{ secrets.GIT_EMAIL }}"
- name: Add Codeup Remote
run: git remote add codeup git@codeup.aliyun.com:686a57a36024b2147d89fbc0/MZAPI-python.git
- name: Push to Codeup
run: git push codeup master
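Review bot: `SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}` in the job-level `env` is not read by any step (the ssh-agent step takes the secret directly through `ssh-private-key`), so its only effect is to expose the private key as an environment variable to every `run` step in the job. Drop it from `env` here and in the other four jobs, where the same unused entry appears. The `StrictHostKeyChecking no` line in Accept Codeup Host Key also disables the very verification the `ssh-keyscan` line below it is meant to provide.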
sync-to-huaweicloud:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true || github.event_name == 'push'
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
GIT_USER: ${{ secrets.HUAWEICLOUD_USER }}
GIT_EMAIL: ${{ secrets.HUAWEICLOUD_EMAIL }}
steps:
- name:
+ Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+ - name:
Checkout
uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 #
v4
+ .3.0
with:
fetch-depth: 0
- name: Set up SSH Agent
uses: webfactory/ssh-agent@
+ 5f066a372ec13036ab7cb9a8adf18c936f8d2043 #
v0.5.3
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Accept HuaweiCloud Host Key
run: |
echo -e "Host codehub.devcloud.cn-north-4.huaweicloud.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
ssh-keyscan codehub.devcloud.cn-north-4.huaweicloud.com >> ~/.ssh/known_hosts
- name: Configure Git User
run: |
git config --global user.name "${{ secrets.GIT_USER }}"
git config --global user.email "${{ secrets.GIT_EMAIL }}"
- name: Add HuaweiCloud Remote
run: git remote add huaweicloud git@codehub.devcloud.cn-north-4.huaweicloud.com:a95461d5a0a143a7b46d78c32e7f63b5/MZAPI-python.git
- name: Push to HuaweiCloud
run: git push huaweicloud master
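Review bot: the Configure Git User step reads `${{ secrets.GIT_USER }}` and `${{ secrets.GIT_EMAIL }}`, while this job defines `GIT_USER` and `GIT_EMAIL` in `env` from `secrets.HUAWEICLOUD_USER` and `secrets.HUAWEICLOUD_EMAIL`; the env values are never used. Either read `${{ env.GIT_USER }}` / `${{ env.GIT_EMAIL }}` in the step or reference the HUAWEICLOUD_* secrets directly, as the gitee job does with its GITEE_* secrets. The codeup and cnb jobs have the same mismatch.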
sync-to-cnb:
runs-on: ubuntu-latest
if: github.event.pull_request.merged == true || github.event_name == 'push'
env:
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
GIT_USER: ${{ secrets.CNB_USER }}
GIT_EMAIL: ${{ secrets.CNB_EMAIL }}
CNB_TOKEN: ${{ secrets.CNB_TOKEN }}
steps:
- name:
+ Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+ - name:
Checkout
uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 #
v4
+ .3.0
with:
fetch-depth: 0
- name: Set up SSH Agent
uses: webfactory/ssh-agent@
+ 5f066a372ec13036ab7cb9a8adf18c936f8d2043 #
v0.5.3
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Configure Git User
run: |
git config --global user.name "${{ secrets.GIT_USER }}"
git config --global user.email "${{ secrets.GIT_EMAIL }}"
- name: Add CNB Remote
run: git remote add cnb https://${{ secrets.CNB_TOKEN }}@cnb.cool/mizhoubaobei/MZAPI/python.git
- name: Push to CNB
run: git push cnb master
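Review bot: `git remote add cnb https://${{ secrets.CNB_TOKEN }}@cnb.cool/...` embeds the token in the remote URL, so it is written in clear to `.git/config` in the checkout on the runner and appears in any git error message that echoes the remote URL; GitHub masks the secret in the step log, but not in files on disk. Supply the token at push time through a credential helper or `GIT_ASKPASS` instead, so it never lands in the URL. The job-level `CNB_TOKEN` env entry is likewise not read by any step and can be removed.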
Additional Information
For more information, refer to the documentation page here.
Please don't make any changes in the description as the platform makes automated updates in description. Please use the comment section below to provide input.
Automated remediation commands and options
- Create a pull request with automated security fixes: @stepsecurity-app pull-request create
- Close this issue and prevent it from being reopened: @stepsecurity-app issue close <REASON>
- Update issue description with latest security check status: @stepsecurity-app issue force-update
- View all available commands and their usage: @stepsecurity-app help
Which GitHub Actions security best practices were evaluated?
The workflow was evaluated for the following GitHub Actions security best practices:
- Network & runtime security monitoring
- Token permissions
- Third-party GitHub Actions usage & pinning