Skip to content

GitHub Actions: reduce permissions #1322

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 17, 2023
Merged

GitHub Actions: reduce permissions #1322

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
93c082c
Fix leading whitespace
bkoelman Sep 17, 2023
f55da1f
GitHub Actions: Reduce permissions to guard against malicious 3rd par…
bkoelman Sep 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
168 changes: 87 additions & 81 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ jobs:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Setup PostgreSQL
uses: ikalnytskyi/action-setup-postgres@v4
Expand Down Expand Up @@ -146,93 +148,97 @@ jobs:
path: docs/_site

inspect-code:
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Git checkout
uses: actions/checkout@v3
- name: Setup .NET
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Restore tools
run: |
dotnet tool restore
- name: InspectCode
shell: pwsh
run: |
$inspectCodeOutputPath = Join-Path $env:RUNNER_TEMP 'jetbrains-inspectcode-results.xml'
Write-Output "INSPECT_CODE_OUTPUT_PATH=$inspectCodeOutputPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
dotnet jb inspectcode JsonApiDotNetCore.sln --build --output="$inspectCodeOutputPath" --profile=WarningSeverities.DotSettings --properties:Configuration=Release --properties:ContinuousIntegrationBuild=false --severity=WARNING --verbosity=WARN -dsl=GlobalAll -dsl=GlobalPerProduct -dsl=SolutionPersonal -dsl=ProjectPersonal
- name: Verify outcome
shell: pwsh
run: |
[xml]$xml = Get-Content $env:INSPECT_CODE_OUTPUT_PATH
if ($xml.report.Issues -and $xml.report.Issues.Project) {
foreach ($project in $xml.report.Issues.Project) {
if ($project.Issue.Count -gt 0) {
$project.ForEach({
Write-Output "`nProject $($project.Name)"
$failed = $true
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Git checkout
uses: actions/checkout@v3
- name: Setup .NET
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Restore tools
run: |
dotnet tool restore
- name: InspectCode
shell: pwsh
run: |
$inspectCodeOutputPath = Join-Path $env:RUNNER_TEMP 'jetbrains-inspectcode-results.xml'
Write-Output "INSPECT_CODE_OUTPUT_PATH=$inspectCodeOutputPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
dotnet jb inspectcode JsonApiDotNetCore.sln --build --output="$inspectCodeOutputPath" --profile=WarningSeverities.DotSettings --properties:Configuration=Release --properties:ContinuousIntegrationBuild=false --severity=WARNING --verbosity=WARN -dsl=GlobalAll -dsl=GlobalPerProduct -dsl=SolutionPersonal -dsl=ProjectPersonal
- name: Verify outcome
shell: pwsh
run: |
[xml]$xml = Get-Content $env:INSPECT_CODE_OUTPUT_PATH
if ($xml.report.Issues -and $xml.report.Issues.Project) {
foreach ($project in $xml.report.Issues.Project) {
if ($project.Issue.Count -gt 0) {
$project.ForEach({
Write-Output "`nProject $($project.Name)"
$failed = $true

$_.Issue.ForEach({
$issueType = $xml.report.IssueTypes.SelectSingleNode("IssueType[@Id='$($_.TypeId)']")
$severity = $_.Severity ?? $issueType.Severity
$_.Issue.ForEach({
$issueType = $xml.report.IssueTypes.SelectSingleNode("IssueType[@Id='$($_.TypeId)']")
$severity = $_.Severity ?? $issueType.Severity

Write-Output "[$severity] $($_.File):$($_.Line) $($_.TypeId): $($_.Message)"
})
})
}
}
Write-Output "[$severity] $($_.File):$($_.Line) $($_.TypeId): $($_.Message)"
})
})
}
}

if ($failed) {
Write-Error "One or more projects failed code inspection."
}
}
if ($failed) {
Write-Error "One or more projects failed code inspection."
}
}

cleanup-code:
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Git checkout
uses: actions/checkout@v3
with:
fetch-depth: 2
- name: Setup .NET
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Restore tools
run: |
dotnet tool restore
- name: Restore packages
run: |
dotnet restore
- name: CleanupCode (on PR diff)
if: github.event_name == 'pull_request'
shell: pwsh
run: |
# Not using the environment variables for SHAs, because they may be outdated. This may happen on force-push after the build is queued, but before it starts.
# The below works because HEAD is detached (at the merge commit), so HEAD~1 is at the base branch. When a PR contains no commits, this job will not run.
$headCommitHash = git rev-parse HEAD
$baseCommitHash = git rev-parse HEAD~1
timeout-minutes: 60
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
runs-on: ${{ matrix.os }}
permissions:
contents: read
steps:
- name: Git checkout
uses: actions/checkout@v3
with:
fetch-depth: 2
- name: Setup .NET
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x
- name: Restore tools
run: |
dotnet tool restore
- name: Restore packages
run: |
dotnet restore
- name: CleanupCode (on PR diff)
if: github.event_name == 'pull_request'
shell: pwsh
run: |
# Not using the environment variables for SHAs, because they may be outdated. This may happen on force-push after the build is queued, but before it starts.
# The below works because HEAD is detached (at the merge commit), so HEAD~1 is at the base branch. When a PR contains no commits, this job will not run.
$headCommitHash = git rev-parse HEAD
$baseCommitHash = git rev-parse HEAD~1

Write-Output "Running code cleanup on commit range $baseCommitHash..$headCommitHash in pull request."
dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --max-runs=5 --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN -f commits -a $headCommitHash -b $baseCommitHash --fail-on-diff --print-diff
- name: CleanupCode (on branch)
if: github.event_name == 'push'
shell: pwsh
run: |
Write-Output "Running code cleanup on all files."
dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN --fail-on-diff --print-diff
Write-Output "Running code cleanup on commit range $baseCommitHash..$headCommitHash in pull request."
dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --max-runs=5 --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN -f commits -a $headCommitHash -b $baseCommitHash --fail-on-diff --print-diff
- name: CleanupCode (on branch)
if: github.event_name == 'push'
shell: pwsh
run: |
Write-Output "Running code cleanup on all files."
dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN --fail-on-diff --print-diff

publish:
timeout-minutes: 60
Expand Down