diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 812c0e93c4..c5b5a78ee9 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -30,7 +30,7 @@ jobs:
 npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
diff --git a/.github/workflows/measure-packages-size.yml b/.github/workflows/measure-packages-size.yml
index 58d6c2df3d..e8b15b3480 100644
--- a/.github/workflows/measure-packages-size.yml
+++ b/.github/workflows/measure-packages-size.yml
@@ -31,7 +31,7 @@ jobs:
 with:
 ref: ${{ steps.extract_PR_details.outputs.headSHA }}
 - name: Packages size report
- uses: flochaz/pkg-size-action@v2.0.0
+ uses: flochaz/pkg-size-action@e41584e9396375027c8a3c68909e3eca55719e47 # v.2.0.0
 with:
 build-command: mkdir dist && npm run package -w packages/logger -w packages/tracer -w packages/metrics -w packages/commons -w packages/parameters && npm run package-bundle -w packages/logger -w packages/tracer -w packages/metrics -w packages/commons -w packages/parameters && bash -c "mv ./packages/*/dist/* dist/" && ls dist
 dist-directory: /dist
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index e062ff447f..71567ad1cb 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -28,7 +28,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
 - name: Update release draft
- uses: release-drafter/release-drafter@v5.20.0
+ uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 release_label_on_merge:
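Review bot: The version comment on the new `flochaz/pkg-size-action` pin reads `# v.2.0.0`, which does not match the `# vX.Y.Z` form used by the other pins in this commit (`# v3.2.6`, `# v5.23.0`); tooling that refreshes pinned SHAs by reading that comment may not recognise it, and a reader will wonder whether a different tag was meant. Suggest `uses: flochaz/pkg-size-action@e41584e9396375027c8a3c68909e3eca55719e47 # v2.0.0`. Pinning is especially worthwhile on this step, since the action is handed a `build-command` that runs package scripts from the ref checked out two lines above; whether that ref can come from an untrusted pull request is not visible in this hunk, so the workflow's trigger and token permissions are worth confirming alongside the pin. The job body continues outside the hunk.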
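Review bot: The release-drafter change is not a pure pin: per the `# v5.23.0` comment the SHA moves the action from the previously used tag v5.20.0 to v5.23.0, so this hunk changes the code that runs with `GITHUB_TOKEN` rather than only how it is referenced, unlike the `actions/cache@v3` resolutions elsewhere in the commit. If the bump is intentional it should be stated in the commit message; otherwise pin the SHA that the v5.20.0 tag resolves to and bump in a separate change. The `actions/checkout@v3` line above stays on a floating tag, which is consistent with the allowlist of the new enforcement workflow. The job body continues outside the hunk.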
diff --git a/.github/workflows/on-workflows-push-pr.yml b/.github/workflows/on-workflows-push-pr.yml
new file mode 100644
index 0000000000..8664c52c81
--- /dev/null
+++ b/.github/workflows/on-workflows-push-pr.yml
@@ -0,0 +1,32 @@
+name: Lockdown untrusted workflows
+
+on:
+ push:
+ paths:
+ - ".github/workflows/**"
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+
+jobs:
+ enforce_pinned_workflows:
+ name: Harden Security
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Ensure 3rd party workflows have SHA pinned
+ uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b9ddf6a5153efe6fb94f071c8915175afdce60fa # v2.1.0
+ with:
+ # Trusted GitHub Actions and/or organizations
+ allowlist: |
+ aws-actions/
+ actions/checkout
+ actions/github-script
+ actions/setup-node
+ actions/setup-python
+ actions/upload-artifact
+ actions/download-artifact
+ github/codeql-action/init
+ github/codeql-action/analyze
+ dependabot/fetch-metadata
\ No newline at end of file
diff --git a/.github/workflows/publish_layer.yaml b/.github/workflows/publish_layer.yml
similarity index 98%
rename from .github/workflows/publish_layer.yaml
rename to .github/workflows/publish_layer.yml
index 0f3968dba8..ae5c4bc2c0 100644
--- a/.github/workflows/publish_layer.yaml
+++ b/.github/workflows/publish_layer.yml
@@ -47,7 +47,7 @@ jobs:
 echo "RELEASE_TAG_VERSION=${RELEASE_TAG_VERSION:1}" >> $GITHUB_ENV
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
diff --git a/.github/workflows/reusable-publish-docs.yml b/.github/workflows/reusable-publish-docs.yml
index 6c1990a0bb..e64d6e92f3 100644
--- a/.github/workflows/reusable-publish-docs.yml
+++ b/.github/workflows/reusable-publish-docs.yml
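Review bot: The new workflow declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default permissions although the two steps only need to read the checkout; for a job whose purpose is hardening, the token should be scoped to least privilege with a top-level `permissions:` / `  contents: read` pair under `name:`. Two smaller points in the same file: it is written without a trailing newline (`\ No newline at end of file`), and `actions/checkout@v3` is left on a floating tag, which the allowlist below permits but which reads oddly in the workflow that enforces pinning, so pinning it to the commit the v3 tag resolves to would be more consistent. Note also that every prefix in `allowlist` (for example `aws-actions/`) exempts those actions from the check entirely, so pins made to them elsewhere in this commit are maintained by convention only.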
@@ -50,7 +50,7 @@ jobs:
 # if one of them changes the cache is invalidated/discarded
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 key: 18-cache-utils-node-modules-${{ hashFiles('./package-lock.json') }}
diff --git a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
index c0280cd34e..1d54928957 100644
--- a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
+++ b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
@@ -24,7 +24,7 @@ jobs:
 run: npm i -g npm@next-8
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
@@ -68,7 +68,7 @@ jobs:
 cache: "npm"
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./examples/${{ matrix.example }}/node_modules"
 # Use the combo between example, name, and SHA-256 hash of all example lock files as cache key.
@@ -98,7 +98,7 @@ jobs:
 cache: "npm"
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
@@ -133,7 +133,7 @@ jobs:
 run: npm i -g npm@next-8
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml
index 380c3b22ad..865e0a493f 100644
--- a/.github/workflows/reusable_deploy_layer_stack.yml
+++ b/.github/workflows/reusable_deploy_layer_stack.yml
@@ -62,7 +62,7 @@ jobs:
 - name: checkout
 uses: actions/checkout@v3
 - name: aws credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
 with:
 aws-region: ${{ matrix.region }}
 role-to-assume: ${{ secrets.target-account-role }}
@@ -72,7 +72,7 @@ jobs:
 node-version: "18"
 - name: Cache node modules
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
index ff56739b19..dffe8073c7 100644
--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -52,7 +52,7 @@ jobs:
 # See https://github.com/npm/cli/issues/4475 to see why --foreground-scripts
 run: npm ci --foreground-scripts
 - name: Setup AWS credentials
- uses: aws-actions/configure-aws-credentials@v1.6.1
+ uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
 aws-region: eu-west-1
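Review bot: The `aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296` pin in this hunk, and the same pin in run-e2e-tests.yml at `@@ -52` and `@@ -98`, carry no `# vX.Y.Z` comment, unlike every other pin in the commit; a reader cannot tell which release the SHA corresponds to, nor that the former `@v1` and `@v1.6.1` references were both collapsed onto one commit, and tooling that refreshes pins from that comment has nothing to read. Append the tag the SHA was taken from, e.g. `uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296 # <tag this SHA resolves to>`. This is the step that assumes `role-to-assume` from secrets, so it is the one most worth keeping pinned, yet `aws-actions/` is on the allowlist of the new on-workflows-push-pr.yml workflow and a later regression to a floating tag here would not be flagged; consider dropping that allowlist entry now that these are pinned. The `with:` inputs and the rest of the job sit outside the hunk.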
@@ -98,13 +98,13 @@ jobs:
 - name: Setup npm
 run: npm i -g npm@next-8
 - name: "Configure AWS credentials"
- uses: aws-actions/configure-aws-credentials@v1.6.1
+ uses: aws-actions/configure-aws-credentials@186395a8644e48f35e7b453e8a7128d9a3948296
 with:
 role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
 aws-region: eu-west-1
 - name: Cache node modules for commons
 id: cache-node-modules
- uses: actions/cache@v3
+ uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
 with:
 path: "./node_modules"
 # Use the combo between node version, name, and SHA-256 hash of the lock file as cache key so that