diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 14085851..ff3f2bc2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -37,3 +37,20 @@ updates: patterns: - "*" applies-to: "security-updates" + + - package-ecosystem: "docker" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "chore(deps):" + open-pull-requests-limit: 10 + groups: + actions-version-updates: + patterns: + - "*" + applies-to: "version-updates" + actions-security-updates: + patterns: + - "*" + applies-to: "security-updates" diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml index 09a93953..5dde45cd 100644 --- a/.github/workflows/commitlint.yml +++ b/.github/workflows/commitlint.yml @@ -7,19 +7,30 @@ on: required: true type: string +permissions: + contents: read + jobs: lint-commits: + permissions: + contents: read + pull-requests: read runs-on: ubuntu-latest name: Validate Commits steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} fetch-depth: 0 - name: Inspect Commits - uses: wagoid/commitlint-github-action@v6 + uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1 with: configFile: .commitlintrc.json diff --git a/.github/workflows/depcheck.yml b/.github/workflows/depcheck.yml new file mode 100644 index 00000000..c2658866 --- /dev/null +++ b/.github/workflows/depcheck.yml @@ -0,0 +1,22 @@ +name: Dependency Review + +on: + pull_request: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Review Dependencies + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index f4e82d02..62fadae9 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -10,22 +10,30 @@ on: type: string default: 'temp' +permissions: + contents: read + jobs: Build-Container: runs-on: ubuntu-latest name: Build Container steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Build Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0 with: context: . file: ./Dockerfile diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index da34cc56..42082719 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -10,6 +10,9 @@ on: required: true type: string +permissions: + contents: read + jobs: check-compatibility: name: With Ruby ${{ matrix.ruby-version }} @@ -20,20 +23,25 @@ jobs: fail-fast: false steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.library_ref }} path: project/library - name: Checkout sanity stub - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.sanity_ref }} path: project/sanity - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@cb0fda56a307b8c78d38320cd40d9eb22a3bf04e # v1.242.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index efb9bb9d..46cbcc2e 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -15,19 +15,29 @@ defaults: run: working-directory: ./ +permissions: + contents: read + jobs: lint-format: + permissions: + contents: write runs-on: ubuntu-latest name: Reformat Code steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@cb0fda56a307b8c78d38320cd40d9eb22a3bf04e # v1.242.0 with: ruby-version: '3.0' bundler-cache: true @@ -40,7 +50,7 @@ jobs: - name: Commit Changes if: ${{ inputs.commit_changes == true }} - uses: stefanzweifel/git-auto-commit-action@v5 + uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 with: commit_message: 'style: Apply automated code formatting [skip ci]' commit_options: '--no-verify' diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 4a55479b..ed5470f8 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -82,6 +82,11 @@ jobs: - build-docker if: ${{ success() }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Report Success run: echo "All required checks passed successfully." diff --git a/.github/workflows/qodana.yml b/.github/workflows/qodana.yml index add1daa2..be8561cf 100644 --- a/.github/workflows/qodana.yml +++ b/.github/workflows/qodana.yml @@ -28,25 +28,30 @@ jobs: name: Inspect Code steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Download Test Reports Artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ inputs.test_artifact_name }} path: ./qodana-downloaded-reports/test-results - name: Download Coverage Report Artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: ${{ inputs.coverage_artifact_name }} path: ./.qodana/code-coverage - name: Run Qodana - uses: JetBrains/qodana-action@v2025.1 + uses: JetBrains/qodana-action@201551778d1453e36c5c0aa26f89a94775cb1acc # v2025.1 with: push-fixes: true # args: --baseline,.qodana/qodana.sarif.json diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f29a771..22672269 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,19 +16,24 @@ jobs: name: To Artifactory steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@cb0fda56a307b8c78d38320cd40d9eb22a3bf04e # v1.242.0 with: ruby-version: '3.0' bundler-cache: true - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 'lts/*' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 8cde8bc8..edd9f26e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: scorecard_analysis: name: Scorecard Analysis @@ -15,19 +18,24 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: Run Checks - uses: ossf/scorecard-action@v2.4.1 + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: results_file: results.sarif results_format: sarif publish_results: true - name: Upload Results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0204dae6..2f948f9e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,13 +28,18 @@ jobs: name: Run Tests steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@cb0fda56a307b8c78d38320cd40d9eb22a3bf04e # v1.242.0 with: ruby-version: '3.0' bundler-cache: true @@ -52,14 +57,14 @@ jobs: CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} - name: Upload Results - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: test-results path: build/reports/**/*.xml - name: Upload Coverage - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: always() with: name: test-coverage @@ -67,7 +72,7 @@ jobs: - name: Generate Report if: ${{ always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) }} - uses: dorny/test-reporter@v2.0.0 + uses: dorny/test-reporter@6e6a65b7a0bd2c9197df7d0ae36ac5cee784230c # v2.0.0 with: name: Tests reporter: java-junit diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml index 2aea20b2..6c651c85 100644 --- a/.github/workflows/typecheck.yml +++ b/.github/workflows/typecheck.yml @@ -11,19 +11,27 @@ defaults: run: working-directory: ./ +permissions: + contents: read + jobs: steep-check: runs-on: ubuntu-latest name: Inspect Code steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@cb0fda56a307b8c78d38320cd40d9eb22a3bf04e # v1.242.0 with: ruby-version: '3.0' bundler-cache: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..a678a4a3 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: RuboCop +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/Dockerfile b/Dockerfile index 316e6684..2dea200b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:3.3 +FROM ruby:3.3@sha256:06c1c61f615d408a44d8d6f3a06b1e1f9dd1882aecb91a6a9fc75fe93d051369 WORKDIR /app COPY . . RUN rm -f *.gem