Merge pull request #6000 from netomi/security-improvements-workflows

Apply various security improvements to GitHub workflows

Author: netomi

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/claim-namespace.yml

@@ -1,4 +1,8 @@
 name: Claim Namespace
+
+# The workflow is compromised as people can claim namespaces even though the claim is invalid.
+# Disable it for now to avoid further damage.
+
 on:
   # alibi value to not show the workflow as broken
   workflow_dispatch:
@@ -17,7 +21,7 @@ jobs:
     steps:
       - id: get_namespace
         name: Get namespace name
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             let namespace = context.payload.issue.title.substring('Claiming namespace'.length);
@@ -41,17 +45,19 @@ jobs:
             }
       - id: log_namespace
         name: Log namespace name
-        run: echo '${{steps.get_namespace.outputs.namespace}}'
+        run: echo '${NAMESPACE}'
+        env:
+          NAMESPACE: ${{steps.get_namespace.outputs.namespace}}
       - id: api_get_namespace
         name: Namespace API request
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/api/${{steps.get_namespace.outputs.namespace}}
           configuration: '{ "method": "GET" }'
       - id: namespace_not_found_should_close
         if: ${{ failure() && steps.get_namespace.outputs.namespace != null }}
         name: Check issue is still open before editing issue
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         with:
           route: GET /repos/{repo}/issues/{issue_number}
           repo: ${{ github.repository }}
@@ -71,20 +77,20 @@ jobs:
           ASSIGNEE: tfroment
       - id: api_get_namespace_members
         name: Namespace members API request
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/admin/api/namespace/${{steps.get_namespace.outputs.namespace}}/members?token=${{secrets.OPENVSX_TOKEN}}
           configuration: '{ "method": "GET" }'
       - id: namespace_members
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         env:
           DATA: ${{ steps.api_get_namespace_members.outputs.fetchApiData }}
         with:
           script: |
             const json = JSON.parse(process.env.DATA);
             core.setOutput('members', JSON.stringify(json.namespaceMemberships));
       - id: make_owner
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         env:
           MEMBERS: ${{ steps.namespace_members.outputs.members }}
           LOGIN_NAME: ${{ github.event.issue.user.login }}
@@ -96,7 +102,7 @@ jobs:
       - id: should_change_member
         if: ${{ steps.make_owner.outputs.makeOwner == 'true' }}
         name: Check issue is still open before changing namespace membership
-        uses: octokit/request-action@v2.x
+        uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
         with:
           route: GET /repos/{repo}/issues/{issue_number}
           repo: ${{ github.repository }}
@@ -106,7 +112,7 @@ jobs:
       - id: change_member
         name: Namespace change member API request
         if: ${{ steps.make_owner.outputs.makeOwner == 'true' && fromJSON(steps.should_change_member.outputs.data).state == 'open' }}
-        uses: JamesIves/fetch-api-data-action@v2
+        uses: JamesIves/fetch-api-data-action@e9b926da66aea24f5e628e11f36dfbab75dd7b0a # v2.4.2
         with:
           endpoint: https://open-vsx.org/admin/api/namespace/${{steps.get_namespace.outputs.namespace}}/change-member?user=${{github.event.issue.user.login}}&provider=github&role=owner&token=${{secrets.OPENVSX_TOKEN}}
           configuration: '{ "method": "POST" }'

.github/workflows/main.yml

@@ -17,7 +17,7 @@ jobs:
         run: echo ${{ github.event.number }} > PR_NUMBER.txt
       - name: Archive PR number
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: PR_NUMBER
           path: PR_NUMBER.txt

.github/workflows/smoketest.yml

@@ -10,14 +10,16 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           path: open-vsx.org
-      - uses: actions/checkout@v4
+          persist-credentials: false
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           repository: eclipse/openvsx
           path: openvsx
-      - uses: actions/setup-node@v4
+          persist-credentials: false
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 18.x
       - name: Install dependencies
@@ -36,7 +38,7 @@ jobs:
         run: sleep 10m
       - name: Get running server version
         id: running_version
-        uses: fjogeleit/http-request-action@v1
+        uses: fjogeleit/http-request-action@1297c6fc63a79b147d1676540a3fd9d2e37817c5 # v1.16.5
         with:
           url: "https://open-vsx.org/api/version"
           method: GET
@@ -48,15 +50,17 @@ jobs:
         if: steps.check_version.outputs.is_version == 'true'
         working-directory: ./openvsx/webui
         run: yarn smoke-tests
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: steps.check_version.outputs.is_version == 'true'
         with:
           name: playwright-report
           path: openvsx/webui/playwright-report/
           retention-days: 30
       - name: Fail smoke test
         if: steps.check_version.outputs.is_version != 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
+        env:
+          VERSION: ${{ steps.read_version.outputs.version }}
         with:
           script: |
-            core.setFailed('Deployed version is not ${{ steps.read_version.outputs.version }}')
+            core.setFailed(`Deployed version is not ${process.env.VERSION}`)

.github/workflows/sonar.yml

@@ -9,13 +9,13 @@ jobs:
     permissions:
       pull-requests: read
     runs-on: ubuntu-latest
-    if: github.event.workflow_run.conclusion == 'success'
+    if: github.repository == 'EclipseFdn/open-vsx.org' && github.event.workflow_run.conclusion == 'success'
     steps:
     - name: Create artifacts directory
       run: mkdir -p ${{ runner.temp }}/artifacts
     - name: Download PR number artifact
       if: github.event.workflow_run.event == 'pull_request'
-      uses: dawidd6/action-download-artifact@v6
+      uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
       with:
         workflow: Build
         run_id: ${{ github.event.workflow_run.id }}
@@ -24,37 +24,40 @@ jobs:
     - name: Read PR_NUMBER.txt
       if: github.event.workflow_run.event == 'pull_request'
       id: pr_number
-      uses: juliangruber/read-file-action@v1
+      uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58 # v1.1.7
       with:
         path: ${{ runner.temp }}/artifacts/PR_NUMBER.txt
     - name: Request GitHub API for PR data
       if: github.event.workflow_run.event == 'pull_request'
-      uses: octokit/request-action@v2.x
+      uses: octokit/request-action@dad4362715b7fb2ddedf9772c8670824af564f0d # v2.4.0
       id: get_pr_data
       with:
         route: GET /repos/{full_name}/pulls/{number}
         number: ${{ steps.pr_number.outputs.content }}
         full_name: ${{ github.event.repository.full_name }}
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
           fetch-depth: 0
+          persist-credentials: false
     - name: Checkout base branch
       if: github.event.workflow_run.event == 'pull_request'
       env:
         HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        CLONE_URL: ${{ github.event.repository.clone_url }}
+        BASE_REF: ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
       run: |
-        git remote add upstream ${{ github.event.repository.clone_url }}
+        git remote add upstream ${CLONE_URL}
         git fetch upstream
-        git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
-        git checkout $HEAD_BRANCH
+        git checkout -B ${BASE_REF} upstream/${BASE_REF}
+        git checkout ${HEAD_BRANCH}
         git clean -ffdx && git reset --hard HEAD
     - name: SonarCloud Scan on PR
       if: github.event.workflow_run.event == 'pull_request'
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@2f77a1ec69fb1d595b06f35ab27e97605bdef703 # v5.3.2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -66,7 +69,7 @@ jobs:
           -Dsonar.pullrequest.base=${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
     - name: SonarCloud Scan on push
       if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.event.repository.full_name
-      uses: SonarSource/sonarqube-scan-action@master
+      uses: SonarSource/sonarqube-scan-action@2f77a1ec69fb1d595b06f35ab27e97605bdef703 # v5.3.2
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}