chore(ci): lockdown 3rd party workflows to pin sha (#1301)

* chore(ci): enforce 3rd party workflows to use sha

* fix(ci): pin 3rd party workflows

* chore(ci): upgrade checkout@v2 to @V3

.github/workflows/publish.yml

@@ -93,14 +93,14 @@ jobs:
           make release-docs VERSION=${RELEASE_TAG_VERSION} ALIAS="latest"
           poetry run mike set-default --push latest
       - name: Release API docs to release version
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api
           keep_files: true
           destination_dir: ${{ env.RELEASE_TAG_VERSION }}/api
       - name: Release API docs to latest
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api

.github/workflows/publish_layer.yml

@@ -12,11 +12,10 @@ on:
         default: "v1.22.0"
         required: true
   workflow_run:
-    workflows: [ "Publish to PyPi" ]
+    workflows: ["Publish to PyPi"]
     types:
       - completed
 
-
 jobs:
   build-layer:
     runs-on: ubuntu-latest
@@ -25,16 +24,16 @@ jobs:
         working-directory: ./layer
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: '16.12'
+          node-version: "16.12"
       - name: Setup python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.9'
-          cache: 'pip'
+          python-version: "3.9"
+          cache: "pip"
       - name: Set release notes tag
         run: |
           RELEASE_INPUT=${{ inputs.latest_published_version }}

.github/workflows/python_build.yml

@@ -49,11 +49,10 @@ jobs:
       - name: Complexity baseline
         run: make complexity-baseline
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3.1.0
+        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 3.1.0
         with:
           file: ./coverage.xml
           # flags: unittests
           env_vars: OS,PYTHON
           name: aws-lambda-powertools-python-codecov
           # fail_ci_if_error: true  # failing more consistently making CI unreliable despite all tests above passing
-          token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/python_docs.yml

@@ -27,7 +27,7 @@ jobs:
           python-version: "3.8"
       # Maintenance: temporarily until we drop Python 3.6 and make cfn-lint a dev dependency
       - name: Setup Cloud Formation Linter with Latest Version
-        uses: scottbrenner/cfn-lint-action@v2
+        uses: scottbrenner/cfn-lint-action@ee9ee62016ef62c5fd366e6be920df4b310ed353 # v2.2.4
       - name: Install dependencies
         run: make dev
       - name: Lint documentation
@@ -41,7 +41,7 @@ jobs:
       - name: Build docs website and API reference
         run: make release-docs VERSION="develop" ALIAS="stage"
       - name: Deploy all docs
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api

.github/workflows/rebuild_latest_docs.yml

@@ -49,14 +49,14 @@ jobs:
           make release-docs VERSION=${RELEASE_TAG_VERSION} ALIAS="latest"
           poetry run mike set-default --push latest
       - name: Release API docs to release version
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api
           keep_files: true
           destination_dir: ${{ env.RELEASE_TAG_VERSION }}/api
       - name: Release API docs to latest
-        uses: peaceiris/actions-gh-pages@v3
+        uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./api

.github/workflows/release-drafter.yml

@@ -2,7 +2,6 @@ name: Release Drafter
 
 on:
   push:
-    # branches to consider in the event; optional, defaults to all
     branches:
       - develop
   workflow_dispatch:
@@ -11,6 +10,6 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@ac463ffd9cc4c6ad5682af93dc3e3591c4657ee3 # v5.20.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/reusable_deploy_layer_stack.yml

@@ -26,33 +26,31 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        region: [
-          "af-south-1",
-          #          "eu-central-1",
-          #          "us-east-1",
-          #          "us-east-2",
-          #          "us-west-1",
-          #          "us-west-2",
-          #          "ap-east-1",
-          #          "ap-south-1",
-          #          "ap-northeast-1",
-          #          "ap-northeast-2",
-          #          "ap-southeast-1",
-          #          "ap-southeast-2",
-          #          "ca-central-1",
-          #          "eu-west-1",
-          #          "eu-west-2",
-          #          "eu-west-3",
-          #          "eu-south-1",
-          #          "eu-north-1",
-          #          "sa-east-1",
-          #          "ap-southeast-3",
-          #          "ap-northeast-3",
-          #          "me-south-1"
-        ]
+        region: ["af-south-1"]
+    #          "eu-central-1",
+    #          "us-east-1",
+    #          "us-east-2",
+    #          "us-west-1",
+    #          "us-west-2",
+    #          "ap-east-1",
+    #          "ap-south-1",
+    #          "ap-northeast-1",
+    #          "ap-northeast-2",
+    #          "ap-southeast-1",
+    #          "ap-southeast-2",
+    #          "ca-central-1",
+    #          "eu-west-1",
+    #          "eu-west-2",
+    #          "eu-west-3",
+    #          "eu-south-1",
+    #          "eu-north-1",
+    #          "sa-east-1",
+    #          "ap-southeast-3",
+    #          "ap-northeast-3",
+    #          "me-south-1"
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: aws credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -61,12 +59,12 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
-          node-version: '16.12'
+          node-version: "16.12"
       - name: Setup python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.9'
-          cache: 'pip'
+          python-version: "3.9"
+          cache: "pip"
       - name: install cdk and deps
         run: |
           npm install -g [email protected]

.github/workflows/secure_workflows.yml

@@ -0,0 +1,32 @@
+name: Lockdown untrusted workflows
+
+on:
+  push:
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  enforce_pinned_workflows:
+    name: Harden Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Ensure 3rd party workflows have SHA pinned
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6ca5574367befbc9efdb2fa25978084159c5902d # v1.3.0
+        with:
+          # Trusted GitHub Actions and/or organizations
+          allowlist: |
+            aws-actions/
+            actions/checkout
+            actions/github-script
+            actions/setup-node
+            actions/setup-python
+            actions/upload-artifact
+            actions/download-artifact
+            github/codeql-action/init
+            github/codeql-action/analyze
+            dependabot/fetch-metadata