From f54c4fa6376c78ea796d2ed324ceec6cf4f19886 Mon Sep 17 00:00:00 2001 From: Wayback Archiver <66856220+waybackarchiver@users.noreply.github.com> Date: Sun, 11 Feb 2024 06:00:08 +0000 Subject: [PATCH] Harden runner egress policy improvement (#482) * Specify license for multiformats deps * Specify hraden-runner egress policy to audit * ci: change engress policy to audit for license workflow * Bump snap core18 to core20, relates to https://github.com/snapcore/snapcraft/releases/tag/8.0.0 * ci: enable actions permission for trivy job to make runner green * ci: change engress policy to audit for trivy jobs --- .github/workflows/analysis.yml | 2 ++ .github/workflows/builder.yml | 8 +++++++- .github/workflows/docker.yml | 14 ++++++++------ .github/workflows/license.yml | 2 ++ .github/workflows/linter.yml | 2 ++ .licenserc.yaml | 11 +++++++++++ snapcraft.yaml | 21 ++++++++++++++++----- 7 files changed, 48 insertions(+), 12 deletions(-) diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 8238a5be..9bbf6629 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -49,6 +49,7 @@ jobs: with: language: ${{ matrix.language }} config-file: './.github/codeql/codeql-config.yml' + egress-policy: audit nancy: name: Sonatype Nancy @@ -85,3 +86,4 @@ jobs: with: scan-type: 'fs' sarif: 'filesystem.sarif' + egress-policy: audit diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index 40eed65f..5bc5e980 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml @@ -99,6 +99,7 @@ jobs: go-mips64: ${{ matrix.mips64 }} go-mipsle: ${{ matrix.mipsle }} artifact-path: ./build/binary/wayback* + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} @@ -122,6 +123,7 @@ jobs: go-arch: ${{ matrix.arch }} go-arm: ${{ matrix.arm }} artifact-path: build/package/wayback*.deb + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} 
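Review bot: `egress-policy: audit` under the CodeQL job's `with:` turns harden-runner from blocking unlisted outbound connections into only logging them, so for this job (and the Trivy job in the second hunk, which gets the same key) any endpoint allowlist the reusable workflow applies is no longer enforced. If this is a temporary measure while the missing endpoints are collected from the audit output, record that intent beside the key, e.g. `egress-policy: audit  # TODO: return to block once allowed-endpoints covers the audit findings`, otherwise the relaxation tends to become permanent. The job's `uses:` line and the reusable workflow that consumes this input are outside the hunk, so whether that workflow still carries an allowlist cannot be confirmed here.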
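Review bot: The binary and deb builder jobs receive `secrets: wayback-ipfs-apikey` and are now run with `egress-policy: audit`, so a compromised build-time dependency (a Go module, a packaging tool) could send `WAYBACK_IPFS_APIKEY` anywhere and leave only an audit log entry instead of being blocked. These are the jobs where egress enforcement matters most; keep them on `block` with an explicit allowlist, or at minimum pass the secret only to the jobs that actually publish to IPFS rather than to every builder. The same secret-plus-audit combination repeats in the builder hunks that follow.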
@@ -132,6 +134,7 @@ jobs: product: wayback params: 'make rpm' artifact-path: build/package/wayback*.rpm + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} @@ -145,6 +148,7 @@ jobs: build/aur/.SRCINFO build/aur/PKGBUILD build/aur/wayback*.pkg.tar.zst + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} @@ -153,8 +157,9 @@ jobs: uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main with: product: wayback - channel: edge + channel: stable publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }} + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }} @@ -167,5 +172,6 @@ jobs: version: edge params: 'make build' artifact-path: org.wabarc.wayback-*.x86_64.flatpak + egress-policy: audit secrets: wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 05a06f70..bf28a35c 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -54,13 +54,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 with: - egress-policy: block + egress-policy: audit disable-telemetry: true allowed-endpoints: > ghcr.io:443 github.com:443 api.github.com:443 - pkg-containers.githubusercontent.com:443 + *.githubusercontent.com docker.io:443 auth.docker.io:443 index.docker.io:443 @@ -201,14 +201,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 with: - egress-policy: block + egress-policy: audit disable-telemetry: true allowed-endpoints: > ghcr.io:443 github.com:443 api.github.com:443 docker.io:443 - pkg-containers.githubusercontent.com:443 + *.githubusercontent.com auth.docker.io:443 registry-1.docker.io:443 production.cloudflare.docker.com:443 
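Review bot: `channel: stable` is combined with the unchanged `publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}`, so every push event on the repository, not only a tagged release, now publishes the snap to the stable channel where it previously went to edge, and neither the subject nor the bullet list of the commit mentions the channel change. Unless the workflow's `on:` trigger (outside this hunk) already limits pushes to release tags, gate the channel on the ref, e.g. `channel: ${{ startsWith(github.ref, 'refs/tags/') && 'stable' || 'edge' }}`, and describe the change in the commit message.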
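Review bot: In both Harden Runner steps `*.githubusercontent.com` replaces `pkg-containers.githubusercontent.com:443` and drops the port, so if `block` is ever restored the allowlist will admit every githubusercontent.com subdomain (raw, objects, user-images, …) on any port, far more than the image-pull path needs; with `egress-policy: audit` set in the same hunks the list is currently not enforced at all. Prefer adding the exact hosts the audit log reports, keeping the `:443` suffix, e.g. `pkg-containers.githubusercontent.com:443` and `objects.githubusercontent.com:443`, instead of the wildcard, and confirm that harden-runner accepts a port-less entry at all. The `allowed-endpoints` block continues past the end of the first hunk.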
@@ -331,11 +331,12 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status with: scan-type: 'image' image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}' sarif: 'container-standalone.sarif' + egress-policy: 'audit' trivy-bundle: name: Trivy for bundle @@ -344,8 +345,9 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status with: scan-type: 'image' image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}' sarif: 'container-bundle.sarif' + egress-policy: 'audit' diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 484ca9b8..f26f3c2d 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -26,3 +26,5 @@ jobs: license: name: License Checker uses: wabarc/.github/.github/workflows/reusable-license.yml@main + with: + egress-policy: audit diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 63ac71c9..129af4e1 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -29,6 +29,8 @@ jobs: golangci: name: golangci-lint uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main + with: + egress-policy: audit shellcheck: name: ShellCheck diff --git a/.licenserc.yaml b/.licenserc.yaml index 8525e8f8..453834ce 100644 
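Review bot: `actions: read` is now granted in both Trivy jobs, but the comment carried over from the previously disabled line still says it is "only required for a private repository", which the commit's own bullet ("enable actions permission for trivy job to make runner green") contradicts, so the next reader will be tempted to remove it again. Reword it to state the actual reason, e.g. `actions: read # upload-sarif reads the workflow run status; needed here even though the repository is public`. Also, `egress-policy: 'audit'` is quoted in these two hunks while every other workflow in the patch writes it bare; harmless to the parser, but pick one form.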
--- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -45,3 +45,14 @@ header: - 'mkdocs.yml' comment: on-failure + +dependency: + files: + - go.mod + licenses: + - name: github.com/multiformats/go-base36 + version: v0.2.0 + license: Apache-2.0 OR MIT + - name: github.com/multiformats/go-multicodec + version: v0.9.0 + license: Apache-2.0 OR MIT diff --git a/snapcraft.yaml b/snapcraft.yaml index 815f21f7..c3b7eeb4 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -12,23 +12,34 @@ description: | A toolkit for snapshot webpage to the Wayback Machine. Website https://github.com/wabarc/wayback -base: core18 +base: core20 grade: stable confinement: strict compression: lzo + architectures: - #- build-on: [i386, amd64, arm64, armhf, ppc64el, s390x] - - build-on: amd64 + - amd64 + - arm64 + - armhf + - i386 parts: wayback: plugin: go source: https://github.com/wabarc/wayback.git - go-importpath: github.com/wabarc/wayback/cmd/wayback + override-build: | + make build + install $SNAPCRAFT_PART_BUILD/build/binary/wayback -D $SNAPCRAFT_PART_INSTALL/bin/wayback + mkdir -p $SNAPCRAFT_PART_INSTALL/bin + if [ ! -e $SNAPCRAFT_PART_INSTALL/bin/wayback ]; then + ln -s $SNAPCRAFT_PART_INSTALL/bin/wayback $SNAPCRAFT_PART_INSTALL/bin/wayback + fi + build-packages: + - build-essential apps: wayback: - command: wayback + command: bin/wayback plugs: - home - network
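Review bot: The `ln -s` inside `override-build` links `$SNAPCRAFT_PART_INSTALL/bin/wayback` to itself, and the `if [ ! -e … ]` guard only fires when that path is missing, a case the preceding `install -D` would already have failed on, so the branch can only ever produce a dangling self-referential symlink; the `mkdir -p` after `install -D` is redundant as well. Reduce the script to the two lines that do the work and quote the variables: `make build` followed by `install -D "$SNAPCRAFT_PART_BUILD/build/binary/wayback" "$SNAPCRAFT_PART_INSTALL/bin/wayback"`. With the snap now being published to the stable channel, note also that the unchanged `source:` line pulls the repository's default branch with no `source-tag`/`source-commit`, so unless the surrounding build step pins it the stable snap is built from whatever HEAD is at build time rather than a reviewed release.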