ci: apply security best practices (#6638)
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
step-security-bot authored Nov 28, 2023
1 parent 86bbfa9 commit e7c4028
Showing 41 changed files with 621 additions and 106 deletions.
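--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,4 +4,239 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
-interval: "daily"
+interval: "daily"
+
+- package-ecosystem: pip
+directory: /automation
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /demos/benchmarking/docker-jans-loadtesting-jmeter
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /demos/benchmarking/docker-jans-loadtesting-jmeter
+schedule:
+interval: daily
+
+- package-ecosystem: npm
+directory: /demos/jans-tarp
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /demos/jans-tent
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-all-in-one
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-all-in-one/app
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-auth-server
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-auth-server
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-casa
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-casa
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-certmanager
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-certmanager
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-config-api
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-config-api
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-configurator
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-configurator
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-fido2
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-fido2
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-keycloak-link
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-keycloak-link
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-link
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-link
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-monolith
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-persistence-loader
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-persistence-loader
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-saml
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-saml
+schedule:
+interval: daily
+
+- package-ecosystem: docker
+directory: /docker-jans-scim
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docker-jans-scim
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /docs
+schedule:
+interval: daily
+
+- package-ecosystem: npm
+directory: /jans-auth-server/server/src/main/webapp/js/crypto-js-3.1.9-1
+schedule:
+interval: daily
+
+- package-ecosystem: pip
+directory: /jans-linux-setup
+schedule:
+interval: daily
+
+- package-ecosystem: gomod
+directory: /terraform-provider-jans
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /agama
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-auth-server
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-bom
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-casa
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-config-api
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-core
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-eleven
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-fido2
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-keycloak-integration
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-keycloak-link
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-link
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-orm
+schedule:
+interval: daily
+
+- package-ecosystem: maven
+directory: /jans-scim
+schedule:
+interval: daily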
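Review bot: The `npm` entry for `/jans-auth-server/server/src/main/webapp/js/crypto-js-3.1.9-1` points at what the path suggests is a vendored copy of crypto-js; Dependabot's npm updater only bumps dependencies declared in a manifest (package.json/lockfile) found in that directory, so it will not upgrade the vendored library itself, and the directory name would keep advertising 3.1.9-1 regardless. If no manifest lives there the entry is inert, and either removing it or annotating it with `# vendored copy; no manifest here, tracked manually` is clearer than a silent no-op. Separately, the first entry quotes `"github-actions"` and `"daily"` while the 47 new entries leave `pip`/`daily` plain; pick one quoting style for the whole file. With roughly 48 daily entries and the default `open-pull-requests-limit` of 5 per entry, expect a sizeable PR backlog; `groups:` for the Maven modules or a `weekly` interval on the low-churn ones may be worth considering.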
12 changes: 11 additions & 1 deletion .github/workflows/activate-nightly-build.yml
Expand Up @@ -4,12 +4,22 @@ on:
workflow_dispatch:
schedule:
- cron: "0 23 * * *"
permissions:
contents: read

jobs:
publish_binary_packages:
permissions:
contents: write # for Git to git push
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

- name: set nightly version
id: nightly
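Review bot: `egress-policy: audit` on the new Harden Runner step only records the job's outbound connections; it blocks nothing, so on a job that is also granted `contents: write` the gain from this step is observability, not enforcement. Once the audit log has shown which endpoints the job actually needs, the enforcing form is `egress-policy: block` together with an `allowed-endpoints:` list of those hosts, and the `# for Git to git push` comment on the write grant should then be re-checked against that list. The same audit-only setting is added to backport.yml and build-docs.yml in this commit, so the switch applies there too. The `publish_binary_packages` job continues past the hunk, so the step that performs the push is not visible here.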
9 changes: 7 additions & 2 deletions .github/workflows/backport.yml
Expand Up @@ -28,9 +28,14 @@ jobs:
)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Create backport PRs
uses: korthout/backport-action@v1
uses: korthout/backport-action@bd68141f079bd036e45ea8149bc9d174d5a04703 # v1.4.0
with:
# Config README: https://github.com/zeebe-io/backport-action#backport-action
github_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
18 changes: 14 additions & 4 deletions .github/workflows/build-docs.yml
Expand Up @@ -28,20 +28,30 @@ on:
concurrency:
group: run-once
cancel-in-progress: false
permissions:
contents: read

jobs:
build:
permissions:
contents: write # for Git to git push
if: github.repository_owner == 'JanssenProject'
name: Deploy docs
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
fetch-depth: 0
token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}

- name: Set up Python 3.10
uses: actions/setup-python@v4
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
with:
python-version: "3.10"
cache: pip
Expand All @@ -55,7 +65,7 @@ jobs:
- name: Checkout jans ${{ github.event.inputs.version }}
if: >-
github.event_name == 'workflow_dispatch'
uses: actions/checkout@v3
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: '${{ github.event.inputs.version }}'
fetch-depth: 0
Expand All @@ -75,7 +85,7 @@ jobs:
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v5
uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5.4.0
with:
gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
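Review bot: The new job-level `permissions: contents: write # for Git to git push` grant scopes `GITHUB_TOKEN`, but the checkout step in the same hunk passes `token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}`, and `actions/checkout` persists that credential in the clone's git config by default, so a later `git push` would most likely authenticate with the PAT rather than `GITHUB_TOKEN`. If that is what happens, the `contents: write` elevation is unused and the least-privilege fix is to drop it back to `read` (or to reword the comment to name what `GITHUB_TOKEN` is really used for); if `GITHUB_TOKEN` is genuinely the push credential, the PAT on the checkout is the redundant one and the `fetch-depth: 0` checkout could use the default token instead. The push step itself and the rest of the `build` job are outside the hunk, so this needs confirming against the full workflow before changing either line.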