[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-04-16 18:45:10 +00:00
parent 09d08593ed
commit df80079476
14 changed files with 222 additions and 34 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
--- a/.github/workflows/CI_cleanup.yml
+++ b/.github/workflows/CI_cleanup.yml
@@ -57,6 +57,11 @@ jobs:
    env:
      logdir: /tmp/log/
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Make needed directories
        run: |
          mkdir -p ${{ env.logdir }}
@@ -103,7 +108,7 @@ jobs:
          done
      - name: Upload logs
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ github.job }}-Logs
          path: |
--- a/.github/workflows/auto-close_stale_issues_and_pull-requests.yml
+++ b/.github/workflows/auto-close_stale_issues_and_pull-requests.yml
@@ -20,9 +20,14 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: '🧹 Tag & close stale unconfirmed bugs'
        id: stale_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -49,7 +54,7 @@ jobs:

      - name: '🧹 Close stale requested feedback issues'
        id: awaiting_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -77,7 +82,7 @@ jobs:

      - name: '🧹 Tag & close inactive issues'
        id: inactive_issues
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
@@ -108,7 +113,7 @@ jobs:

      - name: '🧹 Tag & close inactive PRs'
        id: inactive_pr
-        uses: actions/stale@v9.1.0
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: -1
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4
--- a/.github/workflows/issue-metrics.yml
+++ b/.github/workflows/issue-metrics.yml
@@ -16,6 +16,11 @@ jobs:

    steps:

+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
    - name: Get dates for last month
      shell: bash
      run: |
@@ -30,13 +35,13 @@ jobs:
        echo "last_month=$first_day..$last_day" >> "$GITHUB_ENV"

    - name: Run issue-metrics tool
-      uses: github/issue-metrics@v3
+      uses: github/issue-metrics@4f29f34d9d831fe224cbc6c8a0d711415ebd01b1 # v3.1.1
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        SEARCH_QUERY: 'repo:FreeCAD/FreeCAD is:issue created:${{ env.last_month }}'

    - name: Create issue
-      uses: peter-evans/create-issue-from-file@v4
+      uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # v4.0.1
      with:
        title: Monthly issue metrics report
        token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -9,6 +9,9 @@ on:
  pull_request_target:
    types: [opened, reopened]

+permissions:
+  contents: read
+
 jobs:
  label:
    runs-on: ubuntu-latest
@@ -17,7 +20,12 @@ jobs:
      pull-requests: write

    steps:
-    - uses: actions/labeler@v5
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
      with:
        repo-token: "${{ secrets.GITHUB_TOKEN }}"
        configuration-path: ".github/labels.yml"
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+      # To allow GraphQL ListCommits to work
+      issues: read
+      pull-requests: read
+      # To detect SAST tools
+      checks: read
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        with:
+          sarif_file: results.sarif
--- a/.github/workflows/sub_buildPixi.yml
+++ b/.github/workflows/sub_buildPixi.yml
@@ -69,6 +69,11 @@ jobs:
        os: [windows-latest, ubuntu-latest, macos-latest]

    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
    - name: Set Platform Environment Variables
      shell: bash -l {0}
      env:
@@ -81,7 +86,7 @@ jobs:
        fi

    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

    - name: Add GCC Problem Matcher
      if: runner.os == 'Linux'
@@ -106,13 +111,13 @@ jobs:
        mkdir -p ${{ env.reportdir }}
        echo "reportFile=${{ env.reportfilename }}" >> $GITHUB_OUTPUT

-    - uses: prefix-dev/setup-pixi@v0.8.7
+    - uses: prefix-dev/setup-pixi@5044b250243a57e8c78f7c38acd73f6d7954a3cf # v0.8.7
      with:
        pixi-version: v0.45.0
        cache: false

    - name: Restore Compiler Cache
-      uses: actions/cache/restore@v4
+      uses: actions/cache/restore@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: ${{ env.CCACHE_DIR }}
        key: FC-${{ env.cacheKey }}-${{ github.ref }}-${{ github.run_id }}
@@ -195,14 +200,14 @@ jobs:

    - name: Save Compiler Cache
      if: always()
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
      with:
        path: ${{ env.CCACHE_DIR }}
        key: FC-${{ env.cacheKey }}-${{ github.ref }}-${{ github.run_id }}

    - name: Upload logs
      if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: ${{ inputs.artifactBasename }}-${{ matrix.os }}-Logs
        path: |
@@ -211,7 +216,7 @@ jobs:

    - name: Upload report
      if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: ${{ env.reportfilename }}
        path: |
--- a/.github/workflows/sub_buildUbuntu.yml
+++ b/.github/workflows/sub_buildUbuntu.yml
@@ -71,8 +71,13 @@ jobs:
      reportFile: ${{ steps.Init.outputs.reportFile }}

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Checking out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
      - name: Install FreeCAD dependencies
@@ -94,7 +99,7 @@ jobs:
          compiler: ${{ env.CXX }}
          qt_major_version: 5
      - name: Restore Compiler Cache
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          save-always: true
          path: ${{ env.CCACHE_DIR }}
@@ -108,7 +113,7 @@ jobs:
          ccache -z
          ccache -p
      - name: Install cmake
-        uses: jwlawson/actions-setup-cmake@v2
+        uses: jwlawson/actions-setup-cmake@802fa1a2c4e212495c05bf94dba2704a92a472be # v2.0.2
        with:
          cmake-version: '3.31.6'
      - name: CMake Configure
@@ -179,7 +184,7 @@ jobs:
          reportFile: ${{env.reportdir}}${{ env.reportfilename }}
      - name: Upload logs
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ inputs.artifactBasename }}-Logs
          path: |
@@ -187,7 +192,7 @@ jobs:
            /var/crash/*FreeCAD*
      - name: Upload report
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.reportfilename }}
          path: |
--- a/.github/workflows/sub_buildWindows.yml
+++ b/.github/workflows/sub_buildWindows.yml
@@ -62,8 +62,13 @@ jobs:
      reportFile: ${{ steps.Init.outputs.reportFile }}

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Checking out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true
      - name: Make needed directories, files and initializations
@@ -85,7 +90,7 @@ jobs:
        with:
          libpackdir: ${{ env.libpackdir }}
      - name: Restore compiler cache
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          save-always: true
          path: ${{ env.CCACHE_DIR }}
@@ -99,7 +104,7 @@ jobs:
          . $env:ccachebindir\ccache -z
          . $env:ccachebindir\ccache -p
      - name: Install cmake
-        uses: jwlawson/actions-setup-cmake@v2
+        uses: jwlawson/actions-setup-cmake@802fa1a2c4e212495c05bf94dba2704a92a472be # v2.0.2
        with:
          cmake-version: '3.31.6'
      - name: Configuring CMake
@@ -115,7 +120,7 @@ jobs:
          -DFREECAD_COPY_LIBPACK_BIN_TO_BUILD=ON
          -DFREECAD_COPY_PLUGINS_BIN_TO_BUILD=ON
      - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
+        uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0
      - name: Compiling sources
        run: |
          cd $env:builddir
@@ -133,7 +138,7 @@ jobs:
          . ${{ env.builddir }}\bin\FreeCADCmd -t 0 # 2>&1 | tee -filepath ${{ env.logdir }}\integrationTests.log
      - name: Upload logs
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ inputs.artifactBasename }}-Logs
          path: |
--- a/.github/workflows/sub_lint.yml
+++ b/.github/workflows/sub_lint.yml
@@ -168,6 +168,9 @@ on:
      reportFile:
        value: ${{ jobs.Lint.outputs.reportFile }}

+permissions:
+  contents: read
+
 jobs:

  Lint:
@@ -185,8 +188,13 @@ jobs:
      reportFile: ${{ steps.Init.outputs.reportFile }}

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          submodules: true

@@ -335,7 +343,7 @@ jobs:

      - name: Upload logs and fixes
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ inputs.artifactBasename }}-Logs
          path: |
@@ -344,7 +352,7 @@ jobs:

      - name: Upload report
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.reportfilename }}
          path: |
--- a/.github/workflows/sub_prepare.yml
+++ b/.github/workflows/sub_prepare.yml
@@ -71,6 +71,11 @@ jobs:
      changedCppFiles: ${{ steps.Output.outputs.changedCppFiles }}

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Make needed directories, files and initializations
        id: Init
        run: |
@@ -148,14 +153,14 @@ jobs:
          echo "" >> $GITHUB_OUTPUT
      - name: Upload logs
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ inputs.artifactBasename }}-Logs
          path: |
            ${{ env.logdir }}
      - name: Upload report
        if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ env.reportfilename }}
          path: |
--- a/.github/workflows/sub_weeklyBuild.yml
+++ b/.github/workflows/sub_weeklyBuild.yml
@@ -12,7 +12,12 @@ jobs:
    outputs:
      build_tag: ${{ steps.tag_build.outputs.build_tag }}
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
          submodules: 'recursive'
@@ -59,6 +64,11 @@ jobs:
    runs-on: ${{ matrix.os }}
    environment: weekly-build
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Set Platform Environment Variables
        shell: bash -l {0}
        env:
@@ -71,13 +81,13 @@ jobs:
            echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true
          submodules: 'recursive'

-      - uses: prefix-dev/setup-pixi@v0.8.3
+      - uses: prefix-dev/setup-pixi@92815284c57faa15cd896c4d5cfb2d59f32dc43d # v0.8.3
        with:
          pixi-version: v0.42.1
          cache: false
--- a/.github/workflows/sub_wrapup.yml
+++ b/.github/workflows/sub_wrapup.yml
@@ -39,6 +39,9 @@ on:
        type: string
        required: true

+permissions:
+  contents: read
+
 jobs:

  WrapUp:
@@ -50,11 +53,16 @@ jobs:
        shell: bash

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Make needed directories, files and initializations
        run: |
          mkdir -p ${{ env.artifactsDownloadDir }}
      - name: Download artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
        with:
          path: ${{ env.artifactsDownloadDir }}
      - name: Save input data to file
@@ -111,7 +119,7 @@ jobs:
          cat report.md >> $GITHUB_STEP_SUMMARY
      - name: Delete used artifacts
        continue-on-error: true
-        uses: geekyeggo/delete-artifact@v5
+        uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
        with:
          name: |
            ${{ env.usedArtifacts }}