diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 000000000..cb8f98321
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Contributors to the OpenSTEF project
+#
+# SPDX-License-Identifier: MPL-2.0
+
+# Require review from maintainers for CI/CD workflow changes
+.github/workflows/ @OpenSTEF/openstef-maintainers
+.github/CODEOWNERS @OpenSTEF/openstef-maintainers
diff --git a/.github/workflows/black-format-code.yml b/.github/workflows/black-format-code.yml
index 8bf7008c5..255c6e0ec 100644
--- a/.github/workflows/black-format-code.yml
+++ b/.github/workflows/black-format-code.yml
@@ -15,6 +15,8 @@ name: Black Format Code on: [pull_request] +permissions: {} + jobs: build:
@@ -30,14 +32,14 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Check formatting using black - uses: rickstaa/action-black@v1 + uses: rickstaa/action-black@d86849e16a3c498947d70be55198feb86d5d4f53 # v1 id: action_black with: black_args: "." - name: Annotate diff changes using reviewdog if: steps.action_black.outputs.is_formatted == 'true' - uses: reviewdog/action-suggester@v1 + uses: reviewdog/action-suggester@aa38384ceb608d00f84b4690cacc83a5aba307ff # v1 with: tool_name: blackfmt
diff --git a/.github/workflows/citations.yaml b/.github/workflows/citations.yaml
index 8809b15a1..477d32aef 100644
--- a/.github/workflows/citations.yaml
+++ b/.github/workflows/citations.yaml
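Review bot: The new CODEOWNERS rule covers `.github/workflows/` and itself, but not the other `.github/` files that those workflows consume, such as `.github/pr-labeler.yml` referenced by pr-labeler.yaml in this same commit, so a change to that configuration would not require the maintainer review the rule is meant to enforce. If the intent is to gate all CI configuration, a single `.github/ @OpenSTEF/openstef-maintainers` line is simpler and closes that gap. CODEOWNERS only has an effect when the branch protection rule or ruleset on the target branch requires code-owner review, which is not visible here and should be confirmed alongside this file.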
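Review bot: `permissions: {}` in the first black-format-code hunk removes every GITHUB_TOKEN scope at workflow level, while the second hunk keeps the reviewdog/action-suggester step, which posts review suggestions and therefore needs `pull-requests: write`; unless the `build` job restores that in a job-level block between the two hunks (lines 22–31, not shown), the suggester step will fail on same-repository PRs. The other workflows touched by this commit use `permissions:` with `contents: read` rather than `{}`; using one form consistently makes the intended baseline easier to audit. For the pins, a comment that names only the major line, as in `# v4`, does not say which release the SHA was resolved from, so a reviewer cannot verify the pin against a release and update tooling has nothing to bump; recording the exact tag, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # <exact tag>`, fixes that, and the same applies to every pin in the other workflow files of this commit.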
@@ -25,14 +25,17 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }}-citations cancel-in-progress: true +permissions: + contents: read + jobs: validate-citations: runs-on: ubuntu-24.04 steps: - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install R run: | sudo apt-get update && sudo apt-get install -y r-base - name: Validate CITATION.cff - uses: dieghernan/cff-validator@v4 + uses: dieghernan/cff-validator@114aae53e1850c3757733beb60036941900e3dc3 # v4
diff --git a/.github/workflows/docs-check.yaml b/.github/workflows/docs-check.yaml
index 599bde583..1bd8ec12c 100644
--- a/.github/workflows/docs-check.yaml
+++ b/.github/workflows/docs-check.yaml
@@ -13,16 +13,19 @@ on: branches: - "**" +permissions: + contents: read + jobs: docs: runs-on: ubuntu-latest steps: # Checkout - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Setup python version - - uses: actions/setup-python@v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11'
diff --git a/.github/workflows/docs-publish.yaml b/.github/workflows/docs-publish.yaml
index 04404df8c..f644f0ea5 100644
--- a/.github/workflows/docs-publish.yaml
+++ b/.github/workflows/docs-publish.yaml
@@ -18,13 +18,13 @@ jobs: contents: write steps: - - uses: actions/setup-python@v5 - - uses: actions/checkout@master + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # otherwise, you will fail to push refs to dest repo # Setup python version - - uses: actions/setup-python@v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' # Run pre-build command
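Review bot: The docs-check hunk replaces `actions/setup-python@v4` with a SHA whose comment reads `# v5`, so this line is a major-version upgrade as well as a pin, and the same happens to the second setup-python step in the docs-publish hunk of this commit. A pin-only commit is easy to review by checking hashes against tags; a bundled major bump is not, so either the upgrade deserves a sentence in the description or the comment should name the exact v5 tag the SHA resolves to so the two changes can be checked separately.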
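Review bot: After the docs-publish hunk the job runs `actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5` twice, once before checkout with no `with:` block and once after it with `python-version: '3.11'`; the first step was already redundant and is now a byte-identical duplicate, so dropping the first `- uses: actions/setup-python@...` line keeps one pinned step without changing which interpreter the build uses. This job holds `contents: write` and pushes to the repository, so it is the workflow where a stale or unverifiable pin matters most; the `# v5` comment alone does not say which release was audited. The job's definition starts above the hunk.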
@@ -38,12 +38,12 @@ jobs: sphinx-apidoc -o docs openstef - name: Build and commit - uses: sphinx-notes/pages@v2 + uses: sphinx-notes/pages@54521400a4021e1c33be0966ae543ce8c8dd1a13 # v2 with: requirements_path: ./docs/requirements.txt - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa # v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} branch: gh-pages
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index 7412f27a5..7aa7c2f9a 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -14,7 +14,7 @@ jobs: pull-requests: write # To add labels runs-on: ubuntu-latest steps: - - uses: TimonVS/pr-labeler-action@v5 + - uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af # v5 with: configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value env:
diff --git a/.github/workflows/python-build.yaml b/.github/workflows/python-build.yaml
index 138d255fa..f182e9edd 100644
--- a/.github/workflows/python-build.yaml
+++ b/.github/workflows/python-build.yaml
@@ -9,6 +9,9 @@ on: branches: - main +permissions: + contents: read + jobs: build: name: Python Build
@@ -20,17 +23,17 @@ jobs: steps: # Checkout - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 # Setup - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }} # Restore - name: Restore pip cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: # This path is specific to Ubuntu path: ~/.cache/pip
diff --git a/.github/workflows/python-upload-package.yaml b/.github/workflows/python-upload-package.yaml
index 7ea14b914..4352bd27b 100644
--- a/.github/workflows/python-upload-package.yaml
+++ b/.github/workflows/python-upload-package.yaml
@@ -17,6 +17,9 @@ on: required: true default: "" +permissions: + contents: read + jobs: deploy: runs-on: ubuntu-latest
@@ -28,10 +31,10 @@ jobs: steps: # Checkout - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Setup - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.x' # Set version from release tag
@@ -64,4 +67,4 @@ jobs: - name: Build run: python setup.py sdist bdist_wheel - name: Publish - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
diff --git a/.github/workflows/release-v4.yaml b/.github/workflows/release-v4.yaml
index 6479e85ff..650d4d49d 100644
--- a/.github/workflows/release-v4.yaml
+++ b/.github/workflows/release-v4.yaml
@@ -36,12 +36,12 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 show-progress: false - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6 with: activate-environment: true enable-cache: true
diff --git a/.github/workflows/reuse-compliance.yaml b/.github/workflows/reuse-compliance.yaml
index 0bc87a2eb..fd2d20115 100644
--- a/.github/workflows/reuse-compliance.yaml
+++ b/.github/workflows/reuse-compliance.yaml
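Review bot: The comment on the new `pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1` pin names a moving branch rather than a release, so a reviewer cannot tell which version of the publisher was audited or notice when the pin goes stale; the action is tagged per release, so the comment should carry the tag the SHA corresponds to, e.g. `# <release tag>`. With the workflow-level `permissions:` block from the first hunk limited to `contents: read`, the `deploy` job can publish only if its own permissions block (the lines between `runs-on: ubuntu-latest` and `steps:`, not shown) grants `id-token: write` for trusted publishing or a token is passed to the step under `with:`; neither is visible in the third hunk, so this is worth confirming before merging. The `deploy` job definition starts outside the hunk.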
@@ -6,13 +6,16 @@ name: REUSE Compliance Check on: - push +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: # Checkout - name: checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Reuse - name: REUSE Compliance Check - uses: fsfe/reuse-action@v1 + uses: fsfe/reuse-action@28cf8f33bc50f4c306f52e38fe3826717dea63dc # v1
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 560fb39c5..a2a621f42 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -47,22 +47,21 @@ jobs: Analysis: runs-on: ubuntu-latest steps: - # Checkout main to get access to the SONAR_TOKEN. PR from forked repo does not have access to it. - - uses: actions/checkout@v4 + # SECURITY NOTE: This checks out code from the PR author's fork in a + # privileged workflow_run context (which has access to SONAR_TOKEN). + # Only the SonarScanner (a read-only static analyzer) runs on this code. + # Do NOT add build/install/script steps that execute checked-out code here. + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: repository: ${{ github.event.workflow_run.head_repository.full_name }} ref: ${{ github.event.workflow_run.head_branch }} fetch-depth: 0 - - name: Analyze with SonarCloud + - name: Analyze with SonarQube Cloud if: ${{ github.actor != 'dependabot[bot]' }} - # You can pin the exact commit or the version. - # uses: SonarSource/sonarcloud-github-action@v2.2.0 - uses: SonarSource/sonarcloud-github-action@master + uses: SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9 # v7.0.0 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} with: - # Additional arguments for the SonarScanner CLI args: > -Dsonar.projectKey=OpenSTEF_openstef -Dsonar.organization=openstef
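Review bot: The checkout still uses `ref: ${{ github.event.workflow_run.head_branch }}`, which names a branch in the PR author's fork rather than the commit that triggered the run, so the tree that is analysed while SONAR_TOKEN is in scope can differ from what the originating workflow saw if that branch has moved since; `ref: ${{ github.event.workflow_run.head_sha }}` pins the checkout to the triggering commit. The new SECURITY NOTE comment states that only the read-only scanner runs on the checked-out code, but the scanner also reads its own settings from that tree (a `sonar-project.properties` file, if the repository carries one), so the comment would be more accurate with a sentence saying that the scanner's configuration is also PR-controlled and that the project identity is therefore pinned on the command line in `args:`. Removing `GITHUB_TOKEN` from `env:` may change pull-request decoration in a `workflow_run` context; worth checking the pinned v7.0.0 action's documentation on whether it still expects that variable.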