From 4b2edc68cad81ec617602e182e7121cbe4f9b722 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Svensson?=
Date: Fri, 12 Apr 2024 17:24:22 +0200
Subject: [PATCH] Set permissions for Github Actions in CI (#312)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This sets the default permission for current CI workflows to only be able to read from the repository (scope: "contents"). When a used Github Action require additional permissions (like CodeQL) we grant that permission on job-level instead. This means that a compromised action will not be able to modify the repo or even steal secrets since all other permission-scopes are implicit set to "none", i.e. not permitted. This is recommended by [OpenSSF](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions).
This PR includes a small fix for the possibility of missing server logs artifacts, found while verifying the permission. The `upload-artifact@v3` action will replace artifacts which already exists. Since both CI-jobs `test-external-standalone` and `test-external-nodebug` uses the same artifact name, when both jobs fail, we only get logs from the last finished job. This can be avoided by using unique artifact names.
This PR is part of #211
More about permissions and scope can be found here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
---------
Signed-off-by: Björn Svensson
---
 .github/workflows/ci.yml | 3 ++
 .github/workflows/codeql-analysis.yml | 7 ++++-
 .github/workflows/coverity.yml | 33 ++++++++++++++++++++++
 .github/workflows/daily.yml | 2 ++
 .github/workflows/external.yml | 9 ++++--
 .github/workflows/reply-schemas-linter.yml | 3 ++
 .github/workflows/spell-check.yml | 3 ++
 7 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/coverity.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fefd8f41a..14c7e5f09 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 test-ubuntu-latest:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index dc7413e59..02955f300 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,11 +6,16 @@ on:
 # run weekly new vulnerability was added to the database
 - cron: '0 0 * * 0'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
- if: github.event_name != 'schedule' || github.repository == 'redis/redis'
+ if: github.event_name != 'schedule' || github.repository == 'valkey-io/valkey'
+ permissions:
+ security-events: write
 strategy:
 fail-fast: false
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
new file mode 100644
index 000000000..d63ba6ab5
--- /dev/null
+++ b/.github/workflows/coverity.yml
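Review bot: The job-level `permissions:` added to `analyze` (the `security-events: write` lines) replaces the workflow-level block instead of merging with it, so inside that job every scope not listed there, including `contents`, is set to `none`; the `contents: read` added at the top of this file therefore does not apply to the analyze job. Repeat it at job level, `permissions:` / `contents: read` / `security-events: write`, which is also what the CodeQL starter workflow does (it adds `actions: read` as well, needed to upload results from private repositories). Whether the job's checkout step actually depends on the token is not visible here, since the steps lie outside the hunk, but the explicit grant costs nothing and documents the intent.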
@@ -0,0 +1,33 @@
+# Creates and uploads a Coverity build on a schedule
+name: Coverity Scan
+on:
+ schedule:
+ # Run once daily, since below 500k LOC can have 21 builds per week, per https://scan.coverity.com/faq#frequency
+ - cron: '0 0 * * *'
+ # Support manual execution
+ workflow_dispatch:
+permissions:
+ contents: read
+jobs:
+ coverity:
+ if: github.repository == 'valkey-io/valkey'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@main
+ - name: Download and extract the Coverity Build Tool
+ run: |
+ wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${{ secrets.COVERITY_SCAN_TOKEN }}&project=valkey-io%2Fvalkey" -O cov-analysis-linux64.tar.gz
+ mkdir cov-analysis-linux64
+ tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+ - name: Install Valkey dependencies
+ run: sudo apt install -y gcc procps libssl-dev
+ - name: Build with cov-build
+ run: cov-analysis-linux64/bin/cov-build --dir cov-int make
+ - name: Upload the result
+ run: |
+ tar czvf cov-int.tgz cov-int
+ curl \
+ --form email=${{ secrets.COVERITY_SCAN_EMAIL }} \
+ --form token=${{ secrets.COVERITY_SCAN_TOKEN }} \
+ --form file=@cov-int.tgz \
+ https://scan.coverity.com/builds?project=valkey-io%2Fvalkey
diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml
index 72b472a9e..8724d507b 100644
--- a/.github/workflows/daily.yml
+++ b/.github/workflows/daily.yml
@@ -28,6 +28,8 @@ on:
 description: 'git branch or sha to use'
 default: 'unstable'
+permissions:
+ contents: read
 jobs:
diff --git a/.github/workflows/external.yml b/.github/workflows/external.yml
index a18cf0908..8111c5e6c 100644
--- a/.github/workflows/external.yml
+++ b/.github/workflows/external.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 test-external-standalone:
 runs-on: ubuntu-latest
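Review bot: `- uses: actions/checkout@main` in the new coverity.yml resolves to whatever is on that action's default branch at run time, which works against the commit's own goal of containing a compromised action: the token scopes are locked down, but the repository secrets this job references (`COVERITY_SCAN_TOKEN`, `COVERITY_SCAN_EMAIL`) are still handed to everything that runs in it, so pin the action to a full commit SHA with the tag in a trailing comment, `uses: actions/checkout@<full-commit-sha> # vX.Y.Z` (placeholder), as the Scorecard guidance the commit cites also asks (Pinned-Dependencies); the `@v3` references in external.yml are mutable tags and deserve the same treatment. Separately, the `${{ secrets.* }}` expressions in both `run:` scripts are substituted into the script text before the shell runs, so a token containing shell metacharacters breaks the quoting and the value lands in the generated script file; route them through `env:` and reference the variables, as sketched below. The upload `curl` has no `--fail`, so an HTTP error from scan.coverity.com still leaves the job green; `--fail --silent --show-error` makes a rejected upload visible.

```yaml
      - name: Download and extract the Coverity Build Tool
        env:
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=${COVERITY_SCAN_TOKEN}&project=valkey-io%2Fvalkey" -O cov-analysis-linux64.tar.gz
          # … unchanged: mkdir and tar extraction …
      # … unchanged: dependency install and cov-build steps …
      - name: Upload the result
        env:
          COVERITY_SCAN_EMAIL: ${{ secrets.COVERITY_SCAN_EMAIL }}
          COVERITY_SCAN_TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
        run: |
          tar czvf cov-int.tgz cov-int
          curl --fail --silent --show-error \
            --form "email=${COVERITY_SCAN_EMAIL}" \
            --form "token=${COVERITY_SCAN_TOKEN}" \
            --form file=@cov-int.tgz \
            https://scan.coverity.com/builds?project=valkey-io%2Fvalkey
```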
@@ -29,7 +32,7 @@ jobs:
 if: ${{ failure() }}
 uses: actions/upload-artifact@v3
 with:
- name: test-external-server-log
+ name: test-external-standalone-log
 path: external-server.log
 test-external-cluster:
@@ -81,5 +84,5 @@ jobs:
 if: ${{ failure() }}
 uses: actions/upload-artifact@v3
 with:
- name: test-external-server-log
- path: external-server.log
\ No newline at end of file
+ name: test-external-nodebug-log
+ path: external-server.log
diff --git a/.github/workflows/reply-schemas-linter.yml b/.github/workflows/reply-schemas-linter.yml
index 13fc8ab88..f48aa4e48 100644
--- a/.github/workflows/reply-schemas-linter.yml
+++ b/.github/workflows/reply-schemas-linter.yml
@@ -8,6 +8,9 @@ on:
 paths:
 - 'src/commands/*.json'
+permissions:
+ contents: read
+
 jobs:
 reply-schemas-linter:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml
index 533607412..b93909798 100644
--- a/.github/workflows/spell-check.yml
+++ b/.github/workflows/spell-check.yml
@@ -9,6 +9,9 @@ on:
 push:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Spellcheck