Harden security of GitHub Actions CI/CD (#202)

* restrict permissions for GitHub actions This commit introduces two changes. First, the actions are changed to only have read access to repositories. Second, we specify that GitHub should not persist the authorization token for write access to a repository on disk (see the option `persist-credentials: false`). * pin action versions by SHA1 instead of git tag * remove codecov token It shouldn't be necessary for public repositories. * update git tags for GitHub actions Co-authored-by: Vincent Mutolo <[email protected]>
orion-rs · Oct 23, 2021 · bed9f4f · bed9f4f
1 parent 10b76e1
commit bed9f4f
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 39 deletions.
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
@@ -4,30 +4,33 @@ on:
       - master
 
 name: Code coverage
+permissions:
+  contents: read
 
 jobs:
   check:
     name: Code coverage
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
 
       - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: stable
           override: true
 
       - name: Run cargo-tarpaulin
-        uses: actions-rs/tarpaulin@v0.1
+        uses: actions-rs/tarpaulin@60f0b12e5beec09ccca51758913f82d01889151c
         with:
           timeout: '120'
           out-type: 'Xml'
           args: '-- --test-threads 1'
 
       - name: Upload to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b
         with:
-          token: ${{secrets.CODECOV_TOKEN}}
           fail_ci_if_error: true
diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml
@@ -1,4 +1,7 @@
 name: Daily tests
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 0 * * *' # Midnight of each day
@@ -14,16 +17,18 @@ jobs:
           - nightly
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           profile: minimal
           toolchain: ${{ matrix.rust }}
           override: true
       - name: Run cargo test - release
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --release --all-features
diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml
@@ -1,31 +1,36 @@
 on: [push, pull_request]
 
 name: Lints
+permissions:
+  contents: read
 
 jobs:
   lints:
     name: rustfmt and clippy
     runs-on: ubuntu-latest
     steps:
+      with:
+        persist-credentials: false
+
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
 
       - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           profile: minimal
           toolchain: stable
           override: true
           components: rustfmt, clippy
 
       - name: Run cargo fmt
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: fmt
           args: --all -- --check
 
       - name: Run cargo clippy
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: clippy
           args: -- -D warnings
diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -1,4 +1,7 @@
 name: Security Audit
+permissions:
+  contents: read
+
 on:
   push:
     # Check immediately if dependencies are altered
@@ -14,9 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
       - name: Install stable toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: stable
           override: true
@@ -25,7 +30,7 @@ jobs:
         run: cargo install cargo-audit
 
       - name: Run cargo audit
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: audit
           args: --deny warnings
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,6 +11,8 @@ on:
 # NOTE: Should we use fail-fast: false?
 
 name: Tests
+permissions:
+  contents: read
 
 jobs:
   test:
@@ -29,17 +31,19 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           profile: minimal
           toolchain: ${{ matrix.rust }}
           override: true
 
       - name: Test debug-mode, default features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
 
@@ -50,19 +54,19 @@ jobs:
           args: --features serde
 
       - name: Test debug-mode, no default features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --no-default-features --tests
 
       - name: Test debug-mode, alloc feature
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --no-default-features --features alloc --tests
 
       - name: Test release-mode, default features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --release
@@ -74,13 +78,13 @@ jobs:
           args: --release --features serde
 
       - name: Test release-mode, no default features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --release --no-default-features --tests
 
       - name: Test release-mode, alloc feature
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: test
           args: --release --no-default-features --features alloc --tests
@@ -91,10 +95,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v2
+        uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: nightly
           target: x86_64-unknown-linux-gnu
@@ -114,14 +120,16 @@ jobs:
           - stable
           - nightly
     steps:
-    - uses: actions/checkout@v2
-    - uses: actions-rs/toolchain@v1
+    - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+      with:
+        persist-credentials: false
+    - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
       with:
         profile: minimal
         toolchain: ${{ matrix.rust }}
         target: thumbv7em-none-eabi
         override: true
-    - uses: actions-rs/cargo@v1
+    - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
       with:
         use-cross: true
         command: build
@@ -137,13 +145,15 @@ jobs:
           - armv7-unknown-linux-gnueabihf
           - mips64-unknown-linux-gnuabi64
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
+      - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: stable
           target: ${{ matrix.arch }}
           override: true
-      - uses: actions-rs/cargo@v1
+      - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           use-cross: true
           command: test
@@ -159,13 +169,15 @@ jobs:
         arch:
           - wasm32-unknown-unknown
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
+      - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: stable
           target: ${{ matrix.arch }}
           override: true
-      - uses: actions-rs/cargo@v1
+      - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: check
           args: --no-default-features --target ${{ matrix.arch }}
@@ -174,12 +186,14 @@ jobs:
     name: Build documentation
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+        with:
+          persist-credentials: false
+      - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f
         with:
           toolchain: stable
           override: true
-      - uses: actions-rs/cargo@v1
+      - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b
         with:
           command: doc
           args: --no-deps --all-features
@@ -196,7 +210,9 @@ jobs:
     continue-on-error: ${{ matrix.checks == 'advisories' }}
 
     steps:
-    - uses: actions/checkout@v2
-    - uses: EmbarkStudios/cargo-deny-action@v1
+    - uses: actions/checkout@1e204e9a9253d643386038d443f96446fa156a97
+      with:
+        persist-credentials: false
+    - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d
       with:
         command: check ${{ matrix.checks }}