diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..6cc00712d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..534ad1335
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ schedule:
+ - cron: "29 8 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: "ubuntu-latest"
+ permissions:
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+ with:
+ category: "/language:${{matrix.language}}"
+
+ zizmor:
+ name: Zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e94ab192a..ec30bf3c8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
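Review bot: Both `analyze` and `zizmor` in codeql.yml declare a job-level `permissions:` holding only `security-events: write`; a job-level block replaces the workflow-level one instead of extending it, so the `contents: read` granted at the top of the file is not inherited and every other scope is `none` for those two jobs. On a public repository `actions/checkout` presumably still succeeds anonymously, but the same file would fail on a private mirror, and the intent reads more clearly if each job lists `contents: read` next to `security-events: write` (the CodeQL starter template additionally grants `actions: read` and `packages: read` to the analyze job). The single-entry matrix also deserves a why-comment above `- language: actions`, e.g. `# CodeQL has no Erlang extractor; 'actions' scans the workflow files themselves`.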
@@ -5,6 +5,9 @@ on: [pull_request, push] env: LATEST_OTP_RELEASE: 28 +permissions: + contents: read + jobs: linux: name: Test on OTP ${{ matrix.otp_version }} and ${{ matrix.os }} @@ -19,7 +22,9 @@ jobs: image: erlang:${{ matrix.otp_version }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Compile run: ./bootstrap - name: CT tests @@ -36,7 +41,9 @@ jobs: runs-on: macos-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Brew Version Check run: brew --version - name: Brew Cleanup @@ -52,7 +59,7 @@ jobs: - name: Debug Brew run: brew doctor || true - name: Install Erlang - run: brew install erlang@${{ env.LATEST_OTP_RELEASE }} + run: 'brew install "erlang@${LATEST_OTP_RELEASE}"' - name: Compile run: ./bootstrap - name: CT tests @@ -63,7 +70,9 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Install Erlang run: choco install erlang - name: Compile diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 024ab7937..cd10c78ce 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -5,15 +5,20 @@ on: branches: - 'main' +permissions: + contents: read + jobs: build: name: Publish escript for every merge to main runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 with: otp-version: '26' - name: Compile 
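Review bot: In the `@@ -52,7 +59,7 @@` hunk of main.yml the new `run: 'brew install "erlang@${LATEST_OTP_RELEASE}"'` wraps the command in an outer pair of single quotes that YAML does not need: the scalar starts with a letter and contains neither `: ` nor ` #`, so the plain form `run: brew install "erlang@${LATEST_OTP_RELEASE}"` parses to the same string and matches the other `run:` lines in this file. Reading the value from the shell environment instead of `${{ env.LATEST_OTP_RELEASE }}` is the right direction, since an expression is substituted into the script text before the shell sees it; a one-line comment above the step such as `# read via the shell env on purpose; do not switch back to expression interpolation` would stop a later cleanup from reverting it. The enclosing job starts and ends outside this hunk.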
@@ -22,7 +27,7 @@ jobs: run: ./rebar3 ct - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e7bc43b00..1ef46910f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -6,17 +6,24 @@ on: - '*' permissions: - contents: write + contents: read jobs: build: name: Create release and publish escript for every new tag runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + attestations: write + steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 with: otp-version: '26' - name: Compile 
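Review bot: The `Configure AWS credentials` step in nightly.yml is bumped to the pinned v4.3.1 but still authenticates with the long-lived `secrets.AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` pair; the same pattern remains in publish.yml's `@@ -24,31 +31,39 @@` hunk, where the job already grants `id-token: write`. This version of the action supports GitHub OIDC, so the static keys could be replaced by `role-to-assume: <IAM role ARN placeholder>` plus `aws-region`, with `id-token: write` added to this workflow's permissions (nightly.yml now grants only `contents: read`, so the OIDC exchange would otherwise fail). Until that switch, scoping the existing keys' IAM policy to the single bucket write is the fallback worth noting in a comment above the step. The enclosing `build` job starts outside this hunk.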
@@ -24,31 +31,39 @@ jobs: - name: CT tests run: ./rebar3 ct + - name: Attest Build Provenance + id: attest + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-path: ./rebar3 + + - name: Copy Attestation Bundle + run: cp "${ATTESTATION}" rebar3.sigstore + env: + ATTESTATION: ${{ steps.attest.outputs.bundle-path }} + - name: Create Release - id: create_release - uses: actions/create-release@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: ${{ github.ref }} - draft: false - prerelease: false - - - name: Upload Release Asset - id: upload-release-asset - uses: actions/upload-release-asset@v1 + GITHUB_TOKEN: ${{ github.token }} + run: | + gh release create \ + --repo "${GITHUB_REPOSITORY}" \ + --title "${GITHUB_REF_NAME}" \ + --generate-notes \ + "${GITHUB_REF_NAME}" + + - name: Upload Release Assets env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: ./rebar3 - asset_name: rebar3 - asset_content_type: application/octet-stream + GITHUB_TOKEN: ${{ github.token }} + run: | + gh release upload --clobber "${GITHUB_REF_NAME}" \ + --repo "${GITHUB_REPOSITORY}" \ + rebar3 \ + rebar3.sigstore - name: Configure AWS credentials if: "!github.event.release.prerelease" - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/shelltests.yml b/.github/workflows/shelltests.yml index 418326743..ab260f0b1 100644 --- a/.github/workflows/shelltests.yml +++ b/.github/workflows/shelltests.yml 
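Review bot: The `Attest Build Provenance` step calls the generic `actions/attest` with only `subject-path`; as far as I can tell that action requires `predicate-type` and one of `predicate` / `predicate-path`, so the step would fail at runtime, whereas `actions/attest-build-provenance` (which the step name and the `attestations: write` + `id-token: write` grants suggest was intended) needs only `subject-path`. If the generic action is deliberate, add the predicate inputs; otherwise switch to `uses: actions/attest-build-provenance@<pinned commit SHA placeholder>` and keep `subject-path: ./rebar3`. Uploading the bundle as `rebar3.sigstore` is useful, but consumers also need to know how to check it, so a comment above `Upload Release Assets` such as `# verify a download with: gh attestation verify rebar3 --repo <owner/repo>` would help. The `if: "!github.event.release.prerelease"` guard below is untouched context, but if this workflow runs on tag pushes as the `- '*'` trigger context suggests, `github.event.release` is not populated and the condition is always true.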
@@ -8,12 +8,17 @@ on: branches: - 'main' +permissions: + contents: read + jobs: shelltests: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: erlef/setup-beam@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 with: otp-version: '26.0' elixir-version: '1.14'