diff --git a/.github/workflows/README.md b/.github/workflows/README.md index aae6a073e4d8..f00442476c3b 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -1,4 +1,4 @@ -# Testing workflows +# Workflows +## Hardening + +Workflows are hardened using +[Step Security tool](https://app.stepsecurity.io/secureworkflow). Findings for +the "Harden Runner" steps are +[available online](https://app.stepsecurity.io/github/carbon-language/carbon-lang/actions/runs). + +### Allowed endpoints + +Most jobs only have a few endpoints, but due to tools which do downloads, a few +have significantly more. These are: + +- pre_commit.yaml (Bazel, pre-commit) +- nightly_release.yaml (Bazel) +- tests.yaml (Bazel) + +When updating one of these, consider updating all of them. + +We try to keep `allowed-endpoints` with one per line. Prettier wants to wrap +them, which we fix this with `prettier-ignore`. + +## Testing + We keep around an `action-test` branch in carbon-lang, which can be used to test triggers with `push:` configurations. For example: diff --git a/.github/workflows/assign_prs.yaml b/.github/workflows/auto_assign_prs.yaml similarity index 89% rename from .github/workflows/assign_prs.yaml rename to .github/workflows/auto_assign_prs.yaml index 12ff3e136117..0f79720e558f 100644 --- a/.github/workflows/assign_prs.yaml +++ b/.github/workflows/auto_assign_prs.yaml @@ -2,7 +2,7 @@ # Exceptions. See /LICENSE for license information. # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception -name: 'Auto Assign' +name: 'Auto assign PRs' on: pull_request_target: types: [opened, ready_for_review] 
@@ -15,9 +15,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
 - id: filter
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
diff --git a/.github/workflows/label_prs.yaml b/.github/workflows/auto_label_prs.yaml
similarity index 94%
rename from .github/workflows/label_prs.yaml
rename to .github/workflows/auto_label_prs.yaml
index 524a38a1b56c..4733b73ea1a2 100644
--- a/.github/workflows/label_prs.yaml
+++ b/.github/workflows/auto_label_prs.yaml
@@ -15,9 +15,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
 - id: filter
 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
diff --git a/.github/workflows/discord_wiki.yaml b/.github/workflows/discord_wiki.yaml
index 5b00e2bfd485..cf1d0794184a 100644
--- a/.github/workflows/discord_wiki.yaml
+++ b/.github/workflows/discord_wiki.yaml
@@ -2,18 +2,20 @@
 # Exceptions. See /LICENSE for license information.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-name: Wiki Changed Discord Notification
+name: Discord Wiki Change Notifications
 on: gollum
-permissions: none
+# Minimum permissions.
+permissions:
+ contents: read
 jobs:
 notify:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/nightly-release.yaml b/.github/workflows/nightly_release.yaml
similarity index 84%
rename from .github/workflows/nightly-release.yaml
rename to .github/workflows/nightly_release.yaml
index 27950b603886..71a7a96696cc 100644
--- a/.github/workflows/nightly-release.yaml
+++ b/.github/workflows/nightly_release.yaml
@@ -37,9 +37,23 @@ jobs:
 runs-on: ubuntu-22.04
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ egress-policy: block
+ # When adding endpoints, see README.md.
+ # prettier-ignore
+ allowed-endpoints: >
+ *.dl.sourceforge.net:443
+ api.github.com:443
+ bcr.bazel.build:443
+ downloads.sourceforge.net:443
+ github.com:443
+ oauth2.googleapis.com:443
+ objects.githubusercontent.com:443
+ releases.bazel.build:443
+ sourceforge.net:443
+ storage.googleapis.com:443
+ uploads.github.com:443
 - name: Checkout branch
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/pre_commit.yaml b/.github/workflows/pre_commit.yaml
index 7f751d715cfe..59137c8e383f 100644
--- a/.github/workflows/pre_commit.yaml
+++ b/.github/workflows/pre_commit.yaml
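Review bot: `egress-policy: audit` is kept in this discord_wiki.yaml hunk while every other workflow in the commit moves to `block`, so this job's outbound traffic is only logged, never restricted; sync_repos.yaml keeps `audit` as well. If the notification endpoint has simply not been enumerated yet, a comment above the policy such as `# TODO: enumerate allowed-endpoints and switch to egress-policy: block` would record that rather than leaving the two audit-only jobs looking intentional. The new `permissions: contents: read` is also wider than the `permissions: none` it replaces; if no later step needs the repository token, `permissions: {}` would match the "Minimum permissions." comment more closely, but the rest of the job is outside the hunk so this may be a needed read.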
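Review bot: `disable-sudo: true` is not set in this nightly_release.yaml hunk even though the same harden-runner upgrade adds it to the auto-assign, auto-label, pre-commit, proposal and triage jobs, and the tests.yaml hunk omits it too. If the Bazel build genuinely needs root, a one-line comment above `egress-policy: block` saying so would keep the omission from reading as accidental. The three Bazel endpoint lists that README.md says should be updated together already diverge: this list lacks `mirror.bazel.build:443` (present in pre_commit.yaml) and `mirrors.kernel.org:443` (present in tests.yaml), and with `block` a fetch that falls back to a mirror missing from the list fails outright instead of being logged, so it is worth confirming which mirrors each job can reach. The wildcard `*.dl.sourceforge.net:443` admits any SourceForge mirror; that is acceptable under a block policy only if whatever is downloaded from it is checksum-verified, which is outside this hunk.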
@@ -18,9 +18,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # When adding endpoints, see README.md.
+ # prettier-ignore
+ allowed-endpoints: >
+ *.dl.sourceforge.net:443
+ bcr.bazel.build:443
+ downloads.sourceforge.net:443
+ files.pythonhosted.org:443
+ github.com:443
+ mirror.bazel.build:443
+ nodejs.org:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ registry.npmjs.org:443
+ releases.bazel.build:443
+ sourceforge.net:443
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
diff --git a/.github/workflows/pre_commit_suggestions.yaml b/.github/workflows/pre_commit_suggestions.yaml
index bcaa31cb7026..f93daed62ba4 100644
--- a/.github/workflows/pre_commit_suggestions.yaml
+++ b/.github/workflows/pre_commit_suggestions.yaml
@@ -33,9 +33,16 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ raw.githubusercontent.com:443
 - uses: reviewdog/action-setup@3f401fe1d58fe77e10d665ab713057375e39b887 # v1.3.0
 with:
diff --git a/.github/workflows/proposal_labeled.yaml b/.github/workflows/proposal_labeled.yaml
index 0e5b5ad46565..e4b2e6b02d93 100644
--- a/.github/workflows/proposal_labeled.yaml
+++ b/.github/workflows/proposal_labeled.yaml
@@ -27,9 +27,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
 - name: draft
 if: |
diff --git a/.github/workflows/proposal_ready.yaml b/.github/workflows/proposal_ready.yaml
index f54edf8a5484..70067b87bf87 100644
--- a/.github/workflows/proposal_ready.yaml
+++ b/.github/workflows/proposal_ready.yaml
@@ -19,9 +19,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
 - name: rfc
 run: |
diff --git a/.github/workflows/sync_repos.yaml b/.github/workflows/sync_repos.yaml
index 30e28070e3ce..8feb61abf4e9 100644
--- a/.github/workflows/sync_repos.yaml
+++ b/.github/workflows/sync_repos.yaml
@@ -2,7 +2,7 @@
 # Exceptions. See /LICENSE for license information.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-name: sync-repos
+name: Sync repos
 on:
 push:
@@ -25,7 +25,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
 egress-policy: audit
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 48080f053b1a..ffd8f3ba3012 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -2,7 +2,7 @@
 # Exceptions. See /LICENSE for license information.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-name: test
+name: Tests
 on:
 push:
@@ -39,9 +39,25 @@ jobs:
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ egress-policy: block
+ # When adding endpoints, see README.md.
+ # prettier-ignore
+ allowed-endpoints: >
+ *.dl.sourceforge.net:443
+ api.github.com:443
+ bcr.bazel.build:443
+ downloads.sourceforge.net:443
+ github.com:443
+ mirrors.kernel.org:443
+ nodejs.org:443
+ oauth2.googleapis.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ releases.bazel.build:443
+ sourceforge.net:443
+ storage.googleapis.com:443
 # Checkout the pull request head or the branch.
 - name: Checkout pull request
diff --git a/.github/workflows/stale.yaml b/.github/workflows/triage_inactive.yaml
similarity index 90%
rename from .github/workflows/stale.yaml
rename to .github/workflows/triage_inactive.yaml
index 7b174ae7b235..02da7be2d7d7 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/triage_inactive.yaml
@@ -16,9 +16,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ # prettier-ignore
+ allowed-endpoints: >
+ api.github.com:443
 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
 with:
diff --git a/docs/project/code_review.md b/docs/project/code_review.md
index 53afcafa2242..979586189f95 100644
--- a/docs/project/code_review.md
+++ b/docs/project/code_review.md
@@ -85,11 +85,11 @@ In Carbon, developers will focus on particular areas, loosely broken down as: - We split out auto-assignment by explorer, toolchain, and other files (including documentation). -[Auto-assignment](/.github/workflows/assign_prs.yaml) will help find owners, but -won't always be perfect -- developers may take a PR they weren't auto-assigned -in order to help review go quickly. Contributors can also request multiple -reviewers, but it can be daunting to get feedback from a large number of -reviewers, so we suggest keeping the number of reviewers reasonably small. +[Auto-assignment](/.github/workflows/auto_assign_prs.yaml) will help find +owners, but won't always be perfect -- developers may take a PR they weren't +auto-assigned in order to help review go quickly. Contributors can also request +multiple reviewers, but it can be daunting to get feedback from a large number +of reviewers, so we suggest keeping the number of reviewers reasonably small. Any reviews that explicitly request changes should be addressed, either with the changes or an explanation of why not, before a pull request is merged. Further, diff --git a/proposals/p1367.md b/proposals/p1367.md index 02c8af9cb730..3c3d03606efa 100644 --- a/proposals/p1367.md +++ b/proposals/p1367.md @@ -110,7 +110,7 @@ group access controls are the last word on who can commit PRs. ### Auto-assignment -This PR [introduces auto-assignment](/.github/workflows/assign_prs.yaml) in +This PR [introduces auto-assignment](/.github/workflows/auto_assign_prs.yaml) in order to ensure PRs aren't lost. It provides categories of assignment, and a fallback for other PRs that don't have explicit assignment.