From 60833b9f9537fe38f9760fa1989ca95bfa92e415 Mon Sep 17 00:00:00 2001 From: Oksana Salyk Date: Wed, 18 Sep 2024 11:34:17 +0200 Subject: [PATCH 1/3] common: harden GitHub Actions --- .github/workflows/docker_rebuild.yml | 3 +++ .github/workflows/main.yml | 3 +++ .github/workflows/nightly.yml | 3 +++ .github/workflows/pmem_benchmark.yml | 6 ++---- .github/workflows/pmem_ras.yml | 3 +++ .github/workflows/pmem_test_matrix.yml | 3 +++ .github/workflows/pmem_tests.yml | 3 +++ .github/workflows/scan_bandit.yml | 3 +++ .github/workflows/scan_codeql.yml | 9 +++++---- .github/workflows/scan_coverage.yml | 3 +++ .github/workflows/scan_coverity.yml | 3 +++ .github/workflows/scan_documentation.yml | 3 +++ .github/workflows/scan_log_calls.yml | 2 ++ .github/workflows/scan_stack_usage.yml | 3 +++ .github/workflows/scan_ubsan.yml | 3 +++ .github/workflows/scans.yml | 3 +++ .github/workflows/ubuntu.yml | 3 +++ 17 files changed, 51 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker_rebuild.yml b/.github/workflows/docker_rebuild.yml index 5a46d3cf4f9..34a399aca2f 100644 --- a/.github/workflows/docker_rebuild.yml +++ b/.github/workflows/docker_rebuild.yml @@ -23,6 +23,9 @@ env: WORKDIR: utils/docker PUSH_IMAGE: 1 +permissions: + contents: read + jobs: image: if: github.repository == 'pmem/pmdk' diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1b90f3efbd8..f65e98ada4f 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -5,6 +5,9 @@ on: workflow_dispatch: pull_request: +permissions: + contents: read + jobs: src_checkers: name: Source checkers diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 7fe5abd3358..d8b73f89a3b 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -19,6 +19,9 @@ env: PMDK_CXX: g++ SRC_CHECKERS: 0 +permissions: + contents: read + jobs: in-tree: name: In-tree 
diff --git a/.github/workflows/pmem_benchmark.yml b/.github/workflows/pmem_benchmark.yml index 5a3c5e8a528..2b3edb97885 100644 --- a/.github/workflows/pmem_benchmark.yml +++ b/.github/workflows/pmem_benchmark.yml @@ -10,13 +10,13 @@ on: type: string default: master +permissions: + contents: read jobs: prep_runtime: name: Prepare runtime runs-on: [self-hosted, benchmark] - permissions: - contents: read steps: - name: Clone the git repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -38,8 +38,6 @@ jobs: GITHUB_REF: ${{ inputs.reference_ref }} - ROLE: rival GITHUB_REF: ${{ inputs.rival_ref }} - permissions: - contents: read env: MANIFEST: ${{ matrix.ROLE }}/manifest.txt steps: diff --git a/.github/workflows/pmem_ras.yml b/.github/workflows/pmem_ras.yml index 6fd11d1166f..76673480f24 100644 --- a/.github/workflows/pmem_ras.yml +++ b/.github/workflows/pmem_ras.yml @@ -30,6 +30,9 @@ on: # run this job every 8 hours - cron: '0 */8 * * *' +permissions: + contents: read + jobs: linux: name: PMEM_RAS diff --git a/.github/workflows/pmem_test_matrix.yml b/.github/workflows/pmem_test_matrix.yml index b337893c1a2..837f1b895f1 100644 --- a/.github/workflows/pmem_test_matrix.yml +++ b/.github/workflows/pmem_test_matrix.yml @@ -17,6 +17,9 @@ on: type: number default: 360 # The jobs..timeout-minutes default. +permissions: + contents: read + jobs: job: name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }} diff --git a/.github/workflows/pmem_tests.yml b/.github/workflows/pmem_tests.yml index 1bf9a1b22c7..3edf3193468 100644 --- a/.github/workflows/pmem_tests.yml +++ b/.github/workflows/pmem_tests.yml @@ -9,6 +9,9 @@ on: # run this job at 18:00 UTC every day - cron: '0 18 * * *' +permissions: + contents: read + jobs: # Test the default build with the basic test suite. Basic: diff --git a/.github/workflows/scan_bandit.yml b/.github/workflows/scan_bandit.yml index c7b60300301..0bfd69be9dc 100644 
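Review bot: Hoisting `contents: read` to the workflow level is equivalent for the two jobs here, but the hunk drops the blank line every other file keeps between `contents: read` and `jobs:` (the diffstat's 2 insertions confirm it); add it for consistency with the rest of the patch. The token scope is not the main exposure in this file: `runs-on: [self-hosted, benchmark]` together with `GITHUB_REF: ${{ inputs.reference_ref }}` / `${{ inputs.rival_ref }}` means whoever dispatches the workflow chooses which ref gets built and executed on a persistent self-hosted host, and if a `refs/pull/N/head` ref can be supplied that is unreviewed fork code on that runner. I would record the assumption above the new block: `# Token is read-only; inputs are trusted only because workflow_dispatch requires write access - never pass PR refs here.` Both jobs' step lists continue outside the hunk, so how the refs are consumed is not visible.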
--- a/.github/workflows/scan_bandit.yml +++ b/.github/workflows/scan_bandit.yml @@ -9,6 +9,9 @@ env: PMREORDER: src/tools/pmreorder/*.py CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py +permissions: + contents: read + jobs: bandit: name: Bandit diff --git a/.github/workflows/scan_codeql.yml b/.github/workflows/scan_codeql.yml index 85d10c87917..2c1274f0de7 100644 --- a/.github/workflows/scan_codeql.yml +++ b/.github/workflows/scan_codeql.yml @@ -4,14 +4,15 @@ name: CodeQL on: workflow_call: +permissions: + actions: read + contents: read + security-events: write + jobs: codeql: name: CodeQL runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write steps: - name: Clone the git repo diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml index 410728d0cc8..83b83d68301 100644 --- a/.github/workflows/scan_coverage.yml +++ b/.github/workflows/scan_coverage.yml @@ -24,6 +24,9 @@ env: TEST_BUILD: debug FAULT_INJECTION: 1 +permissions: + contents: read + jobs: linux: name: Linux diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml index 575f7b04c6a..0a920d5ac92 100644 --- a/.github/workflows/scan_coverity.yml +++ b/.github/workflows/scan_coverity.yml @@ -21,6 +21,9 @@ env: VALGRIND: 1 COVERITY: 1 +permissions: + contents: read + jobs: linux: name: Linux diff --git a/.github/workflows/scan_documentation.yml b/.github/workflows/scan_documentation.yml index bfe4b48d322..4ced019510d 100644 --- a/.github/workflows/scan_documentation.yml +++ b/.github/workflows/scan_documentation.yml @@ -4,6 +4,9 @@ name: Documentation on: workflow_call: +permissions: + contents: read + jobs: linux: name: Documentation diff --git a/.github/workflows/scan_log_calls.yml b/.github/workflows/scan_log_calls.yml index b5d5b646735..7c33b400224 100644 --- a/.github/workflows/scan_log_calls.yml +++ b/.github/workflows/scan_log_calls.yml 
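Review bot: In `scan_codeql.yml`, moving `security-events: write` (and `actions: read`) from the `codeql` job to the workflow level grants the write scope to every job this file may gain later, whereas the job-level block being removed was the narrower grant. Because the workflow is `on: workflow_call` only, these scopes are also just a ceiling: a called workflow cannot hold more than the calling job passes in, so the caller's `uses:` job must itself declare at least `contents: read` and `security-events: write` or the SARIF upload is rejected. I would keep the three `permissions:` lines under `codeql:` as they were, or at minimum add above the new block: `# Called via workflow_call: the calling job must grant these scopes too; they cannot be elevated here.`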
@@ -5,6 +5,8 @@ on: workflow_dispatch: workflow_call: +permissions: + contents: read jobs: log-calls: diff --git a/.github/workflows/scan_stack_usage.yml b/.github/workflows/scan_stack_usage.yml index fc786695c32..b82fe1004e4 100644 --- a/.github/workflows/scan_stack_usage.yml +++ b/.github/workflows/scan_stack_usage.yml @@ -8,6 +8,9 @@ on: env: CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis +permissions: + contents: read + jobs: stack-usage: name: Stack usage diff --git a/.github/workflows/scan_ubsan.yml b/.github/workflows/scan_ubsan.yml index a18c1b5ac07..0f4c7ef5065 100644 --- a/.github/workflows/scan_ubsan.yml +++ b/.github/workflows/scan_ubsan.yml @@ -18,6 +18,9 @@ env: UBSAN: 1 FAULT_INJECTION: 1 +permissions: + contents: read + jobs: linux: name: Linux diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml index 7bafd77ad01..387aff7a734 100644 --- a/.github/workflows/scans.yml +++ b/.github/workflows/scans.yml @@ -7,6 +7,9 @@ on: # run this job at 00:00 UTC every day - cron: '0 0 * * *' +permissions: + contents: read + jobs: call-bandit: uses: ./.github/workflows/scan_bandit.yml diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml index edce664f50e..7c06ccdf4aa 100644 --- a/.github/workflows/ubuntu.yml +++ b/.github/workflows/ubuntu.yml @@ -8,6 +8,9 @@ env: GITHUB_REPO: pmem/pmdk DOCKER_REPO: ghcr.io/pmem/pmdk +permissions: + contents: read + jobs: linux: name: Linux From 2818944a09fa9f048e93cae56a07285d3e8f3c52 Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Mon, 23 Sep 2024 06:09:42 +0200 Subject: [PATCH 2/3] common: permission test 
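Review bot: The workflow-level `contents: read` added to `scans.yml` becomes the ceiling for every `uses: ./.github/workflows/...` job in it, since a reusable workflow can only downgrade, never elevate, the caller's token. `scan_codeql.yml` in this same patch needs `security-events: write` to upload results, so if `scans.yml` has a `call-codeql` job (only `call-bandit` is visible in the hunk) that job needs its own `permissions: { actions: read, contents: read, security-events: write }` block, otherwise the nightly CodeQL run will fail with "Resource not accessible by integration". The `scan_log_calls.yml` hunk also omits the blank line after `contents: read` that the other files add (2 insertions in the diffstat); worth aligning.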
Signed-off-by: Tomasz Gromadzki --- .github/workflows/docker_rebuild.yml | 3 +-- .github/workflows/main.yml | 3 +-- .github/workflows/nightly.yml | 3 +-- .github/workflows/pmem_benchmark.yml | 3 +-- .github/workflows/pmem_ras.yml | 3 +-- .github/workflows/pmem_test_matrix.yml | 3 +-- .github/workflows/pmem_tests.yml | 3 +-- .github/workflows/scan_bandit.yml | 3 +-- .github/workflows/scan_coverage.yml | 3 +-- .github/workflows/scan_coverity.yml | 3 +-- .github/workflows/scan_documentation.yml | 3 +-- .github/workflows/scan_log_calls.yml | 3 +-- .github/workflows/scan_stack_usage.yml | 3 +-- .github/workflows/scan_ubsan.yml | 3 +-- .github/workflows/scans.yml | 3 +-- .github/workflows/ubuntu.yml | 3 +-- 16 files changed, 16 insertions(+), 32 deletions(-) diff --git a/.github/workflows/docker_rebuild.yml b/.github/workflows/docker_rebuild.yml index 34a399aca2f..bda00842139 100644 --- a/.github/workflows/docker_rebuild.yml +++ b/.github/workflows/docker_rebuild.yml @@ -23,8 +23,7 @@ env: WORKDIR: utils/docker PUSH_IMAGE: 1 -permissions: - contents: read +permissions: {} jobs: image: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f65e98ada4f..08d6c815e7e 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -5,8 +5,7 @@ on: workflow_dispatch: pull_request: -permissions: - contents: read +permissions: {} jobs: src_checkers: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index d8b73f89a3b..4e73fff0f96 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -19,8 +19,7 @@ env: PMDK_CXX: g++ SRC_CHECKERS: 0 -permissions: - contents: read +permissions: {} jobs: in-tree: diff --git a/.github/workflows/pmem_benchmark.yml b/.github/workflows/pmem_benchmark.yml index 2b3edb97885..2882d5d266c 100644 --- a/.github/workflows/pmem_benchmark.yml +++ b/.github/workflows/pmem_benchmark.yml 
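Review bot: With `permissions: {}` the job token has no `packages` scope, yet `docker_rebuild.yml` sets `PUSH_IMAGE: 1` and the neighbouring `ubuntu.yml` targets `ghcr.io/pmem/pmdk`; if the push step logs in to GHCR with `GITHUB_TOKEN`, it will now be denied and the `image:` job needs `permissions: { contents: read, packages: write }`, and if it uses a stored PAT instead, the new block does not constrain that credential at all, which deserves a comment above `permissions: {}` such as `# Image push uses a PAT secret, not GITHUB_TOKEN; rotate it if this job is ever runnable from untrusted input.` The `image` job body and its login/push steps are outside the hunk, so which case applies is not visible here.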
@@ -10,8 +10,7 @@ on: type: string default: master -permissions: - contents: read +permissions: {} jobs: prep_runtime: diff --git a/.github/workflows/pmem_ras.yml b/.github/workflows/pmem_ras.yml index 76673480f24..c4d0b4f6397 100644 --- a/.github/workflows/pmem_ras.yml +++ b/.github/workflows/pmem_ras.yml @@ -30,8 +30,7 @@ on: # run this job every 8 hours - cron: '0 */8 * * *' -permissions: - contents: read +permissions: {} jobs: linux: diff --git a/.github/workflows/pmem_test_matrix.yml b/.github/workflows/pmem_test_matrix.yml index 837f1b895f1..453585969ae 100644 --- a/.github/workflows/pmem_test_matrix.yml +++ b/.github/workflows/pmem_test_matrix.yml @@ -17,8 +17,7 @@ on: type: number default: 360 # The jobs..timeout-minutes default. -permissions: - contents: read +permissions: {} jobs: job: diff --git a/.github/workflows/pmem_tests.yml b/.github/workflows/pmem_tests.yml index 3edf3193468..b16cdd2f2d4 100644 --- a/.github/workflows/pmem_tests.yml +++ b/.github/workflows/pmem_tests.yml @@ -9,8 +9,7 @@ on: # run this job at 18:00 UTC every day - cron: '0 18 * * *' -permissions: - contents: read +permissions: {} jobs: # Test the default build with the basic test suite. diff --git a/.github/workflows/scan_bandit.yml b/.github/workflows/scan_bandit.yml index 0bfd69be9dc..12955419466 100644 --- a/.github/workflows/scan_bandit.yml +++ b/.github/workflows/scan_bandit.yml @@ -9,8 +9,7 @@ env: PMREORDER: src/tools/pmreorder/*.py CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py -permissions: - contents: read +permissions: {} jobs: bandit: diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml index 83b83d68301..1583c69e0ea 100644 --- a/.github/workflows/scan_coverage.yml +++ b/.github/workflows/scan_coverage.yml @@ -24,8 +24,7 @@ env: TEST_BUILD: debug FAULT_INJECTION: 1 -permissions: - contents: read +permissions: {} jobs: linux: 
diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml index 0a920d5ac92..cb6b49bb706 100644 --- a/.github/workflows/scan_coverity.yml +++ b/.github/workflows/scan_coverity.yml @@ -21,8 +21,7 @@ env: VALGRIND: 1 COVERITY: 1 -permissions: - contents: read +permissions: {} jobs: linux: diff --git a/.github/workflows/scan_documentation.yml b/.github/workflows/scan_documentation.yml index 4ced019510d..2ee91a4a26f 100644 --- a/.github/workflows/scan_documentation.yml +++ b/.github/workflows/scan_documentation.yml @@ -4,8 +4,7 @@ name: Documentation on: workflow_call: -permissions: - contents: read +permissions: {} jobs: linux: diff --git a/.github/workflows/scan_log_calls.yml b/.github/workflows/scan_log_calls.yml index 7c33b400224..12c4bf6700e 100644 --- a/.github/workflows/scan_log_calls.yml +++ b/.github/workflows/scan_log_calls.yml @@ -5,8 +5,7 @@ on: workflow_dispatch: workflow_call: -permissions: - contents: read +permissions: {} jobs: log-calls: diff --git a/.github/workflows/scan_stack_usage.yml b/.github/workflows/scan_stack_usage.yml index b82fe1004e4..416fafe24f1 100644 --- a/.github/workflows/scan_stack_usage.yml +++ b/.github/workflows/scan_stack_usage.yml @@ -8,8 +8,7 @@ on: env: CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis -permissions: - contents: read +permissions: {} jobs: stack-usage: diff --git a/.github/workflows/scan_ubsan.yml b/.github/workflows/scan_ubsan.yml index 0f4c7ef5065..9d5065143b1 100644 --- a/.github/workflows/scan_ubsan.yml +++ b/.github/workflows/scan_ubsan.yml @@ -18,8 +18,7 @@ env: UBSAN: 1 FAULT_INJECTION: 1 -permissions: - contents: read +permissions: {} jobs: linux: diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml index 387aff7a734..1c05ae97758 100644 --- a/.github/workflows/scans.yml +++ b/.github/workflows/scans.yml @@ -7,8 +7,7 @@ on: # run this job at 00:00 UTC every day - cron: '0 0 * * *' -permissions: - contents: read +permissions: {} jobs: call-bandit: 
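Review bot: `permissions: {}` strips `contents: read`, and `actions/checkout` with the default `GITHUB_TOKEN` keeps working only because `pmem/pmdk` is public and a clone needs no authentication; a private fork, or the repository ever becoming private, fails at checkout in every workflow touched by this patch, with nothing in the files explaining why. The conventional least-privilege shape is `permissions: {}` at the workflow level plus `permissions: contents: read` on each job that checks out code, which this patch removes rather than relocates. In `scans.yml` the empty block is additionally the ceiling for every reusable-workflow job it calls, so a `call-codeql` job (only `call-bandit` is visible) must carry `permissions: { actions: read, contents: read, security-events: write }` itself or the SARIF upload is rejected; a one-line comment above `permissions: {}` in `scans.yml` stating that callee scopes must be granted per job would prevent the next contributor from re-breaking it.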
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml index 7c06ccdf4aa..846ba06c843 100644 --- a/.github/workflows/ubuntu.yml +++ b/.github/workflows/ubuntu.yml @@ -8,8 +8,7 @@ env: GITHUB_REPO: pmem/pmdk DOCKER_REPO: ghcr.io/pmem/pmdk -permissions: - contents: read +permissions: {} jobs: linux: From 69c2a181addc695fe1ca33d8d9e84c04e0d4446c Mon Sep 17 00:00:00 2001 From: Tomasz Gromadzki Date: Mon, 23 Sep 2024 10:58:32 +0200 Subject: [PATCH 3/3] common: SPDX header Signed-off-by: Tomasz Gromadzki --- .github/workflows/scan_coverity.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml index cb6b49bb706..326d99c550b 100644 --- a/.github/workflows/scan_coverity.yml +++ b/.github/workflows/scan_coverity.yml @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: BSD-3-Clause +# Copyright 2024, Intel Corporation # Scan the C/C++ code for vulnerabilities using Coverity. name: Coverity