Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[StepSecurity] ci: Harden GitHub Actions #169

Merged
merged 2 commits into from
Dec 18, 2024
Merged

[StepSecurity] ci: Harden GitHub Actions #169

merged 2 commits into from
Dec 18, 2024

Conversation

step-security-bot
Copy link
Contributor

@step-security-bot step-security-bot commented Dec 18, 2024
edited by coderabbitai bot
Loading

Summary

This pull request is created by StepSecurity at the request of @DefinetlyNotAI. Please merge the Pull Request to incorporate the requested changes. Please tag @DefinetlyNotAI on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Harden runner usage

You can find link to view insights and policy recommendation in the build log

Please refer to documentation to find more details.

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

Summary by CodeRabbit

  • New Features

    • Added a "Harden Runner" step to enhance security in multiple workflows.

  • Updates

    • Updated action versions for building and running fuzzers to specific commit hashes for improved stability across workflows.

@pull-request-size pull-request-size bot added the size/S Small size pr label Dec 18, 2024
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Dec 18, 2024
edited
Loading

Walkthrough

The pull request focuses on updating GitHub Actions workflows for ClusterFuzzLite across three files: cflite_batch.yml, cflite_build.yml, and cflite_cron.yml. The key changes include adding a new "Harden Runner" security step using step-security/harden-runner and pinning the fuzzer build and run actions to specific commit hashes instead of using version tags. This ensures more consistent and secure workflow execution.

Changes

File Changes
.github/workflows/cflite_batch.yml - Added "Harden Runner" step
- Updated build_fuzzers action to specific commit hash
- Updated run_fuzzers action to specific commit hash
.github/workflows/cflite_build.yml - Added "Harden Runner" step
- Updated build_fuzzers action to specific commit hash
.github/workflows/cflite_cron.yml - Added "Harden Runner" step
- Updated build_fuzzers action to specific commit hash
- Updated run_fuzzers action to specific commit hash

Possibly related PRs

Suggested labels

type/System, type/Development

Poem

🛡️ Workflows dancing, security tight
Runners hardened with all their might
Commit hashes locked in place
No more version tag's wild chase
ClusterFuzzLite, secure and bright! 🚀

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@DefinetlyNotAI DefinetlyNotAI self-assigned this Dec 18, 2024
@codeclimate CodeClimate
Copy link

codeclimate bot commented Dec 18, 2024

Code Climate has analyzed commit 5001931 and detected 0 issues on this pull request.

View more on Code Climate.

coderabbitai[bot]
coderabbitai bot reviewed Dec 18, 2024
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/cflite_build.yml (1)

22-25: Nice job adding the Harden Runner! 🛡️

Hey, adding this security step is super smart! It's like having a bouncer at a party - it keeps an eye on what's going in and out. Right now it's in "audit" mode, which means it's just watching and taking notes.

Quick tip: Once you're sure everything's working smoothly, you might want to switch from audit to block mode. It's like upgrading from a bouncer who just watches to one who actually stops suspicious stuff from happening!

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9089d66 and 69226ac.

📒 Files selected for processing (3)
  • .github/workflows/cflite_batch.yml (1 hunks)
  • .github/workflows/cflite_build.yml (1 hunks)
  • .github/workflows/cflite_cron.yml (1 hunks)
🔇 Additional comments (5)
.github/workflows/cflite_build.yml (1)

29-29: Sweet move pinning that action version! 📌

You've locked the action to a specific commit (884713a6), which is like making sure you're always using the exact same version of your favorite game - no surprise updates!

Let me double-check that commit for you real quick.

✅ Verification successful

The commit seems to be a dependency update, which is a bit sus 🤔 Let me check if this action is used consistently across workflows and what version tag it corresponds to.

Yo, found that this action is used in three files! 🔍 Just need to make sure they're all using the same commit hash, cuz using different versions would be kinda messy ngl.

Yo, this action version update is totally legit! ✨

The commit hash (884713a) is used consistently in all three workflow files, and it's properly tagged as v1. Even though the commit is about some dependency update (nokogiri stuff), it's still part of the stable v1 release, so we're good!

  • .github/workflows/cflite_build.yml
  • .github/workflows/cflite_batch.yml
  • .github/workflows/cflite_cron.yml

All using the exact same version - that's some clean consistency right there! 👌

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the commit exists and check its content
gh api repos/google/clusterfuzzlite/commits/884713a6c30a92e5e8544c39945cd7cb630abcd1 --jq '.commit.message'

Length of output: 710

Script:

#!/bin/bash
# Let's check if this action is used in other workflow files and verify the commit hash
fd -e yml -e yaml . .github/workflows/ --exec grep -l "google/clusterfuzzlite/actions/build_fuzzers"

# Let's also check what version this commit corresponds to in the repo
gh api repos/google/clusterfuzzlite/tags --jq '.[].name' | grep "v1"

Length of output: 276

Script:

#!/bin/bash
# Let's check if the commit hash is consistent across all workflow files
echo "=== cflite_batch.yml ==="
grep -A 1 "google/clusterfuzzlite/actions/build_fuzzers" .github/workflows/cflite_batch.yml

echo -e "\n=== cflite_cron.yml ==="
grep -A 1 "google/clusterfuzzlite/actions/build_fuzzers" .github/workflows/cflite_cron.yml

Length of output: 534

.github/workflows/cflite_cron.yml (3)

10-14: Looking good! Consistency is key! 🔄

You've added the same Harden Runner setup here as in the other files - that's like using the same password strength rules everywhere. Smart move!

17-17: Perfect match with other files! 🎯

You're using the same exact version of the build fuzzers action here - that's consistency goals right there!

22-22: Locked and loaded! 🔒

You've pinned the run_fuzzers action to the same commit hash - that's like making sure all your game mods are from the same version. Super important for keeping things stable!

Pro tip: Keep an eye on the ClusterFuzzLite releases for any security updates you might want to grab later!

.github/workflows/cflite_batch.yml (1)

18-21: Triple combo achievement unlocked! 🏆

You've nailed it! All three files now have:

  • The same Harden Runner setup
  • The same version pins for all actions
  • The same security improvements

It's like having matching armor sets in a game - everything works together perfectly!

Also applies to: 25-25, 31-31

@DefinetlyNotAI DefinetlyNotAI added the type/Github Actions Pull requests that update GitHub Actions code label Dec 18, 2024
@DefinetlyNotAI DefinetlyNotAI merged commit 3e9287e into DefinetlyNotAI:main Dec 18, 2024
9 checks passed
This was referenced Dec 18, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DefinetlyNotAI DefinetlyNotAI DefinetlyNotAI approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

@DefinetlyNotAI DefinetlyNotAI

Labels
size/S Small size pr type/Github Actions Pull requests that update GitHub Actions code
Projects
Issue Board
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@step-security-bot @DefinetlyNotAI