From 26f4caa0f9867ca05a3d8b82b91f85205914a28b Mon Sep 17 00:00:00 2001
From: Andrey Tataranovich
Date: Fri, 20 Dec 2024 17:45:11 +0300
Subject: [PATCH] fix: hardening for CI runners (#139)

* fix: allow all subdomains for githubusercontent.com
---
 .github/workflows/generic_docker_pr.yml | 2 +-
 .github/workflows/generic_docker_release.yml | 8 ++++----
 .github/workflows/java_dependency_review.yml | 4 ++--
 .github/workflows/java_pr.yml | 4 ++--
 .github/workflows/java_release.yml | 10 +++++-----
 .github/workflows/java_test.yml | 4 ++--
 .github/workflows/node_pr.yml | 2 +-
 .github/workflows/node_release.yml | 10 +++++-----
 .github/workflows/node_test.yml | 6 +++---
 .github/workflows/python_docker_pr.yml | 2 +-
 .github/workflows/python_docker_release.yml | 8 ++++----
 .github/workflows/python_docker_test.yml | 4 ++--
 .github/workflows/python_package_pr.yml | 2 +-
 .github/workflows/python_package_release.yml | 8 ++++----
 .github/workflows/python_package_test.yml | 4 ++--
 15 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/generic_docker_pr.yml b/.github/workflows/generic_docker_pr.yml
index 9ad147e..72985cb 100644
--- a/.github/workflows/generic_docker_pr.yml
+++ b/.github/workflows/generic_docker_pr.yml
@@ -56,7 +56,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 image_name: ghcr.io/${{ env.IMAGE_NAME }}
 image_tag: test
diff --git a/.github/workflows/generic_docker_release.yml b/.github/workflows/generic_docker_release.yml
index 1f1129d..614ec8f 100644
--- a/.github/workflows/generic_docker_release.yml
+++ b/.github/workflows/generic_docker_release.yml
@@ -65,7 +65,7 @@ jobs:
 is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
 latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
 steps:
- - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.1
+ - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.2
 id: semantic_versioning

 release:
@@ -78,14 +78,14 @@ jobs:
 - calculate_version
 - test
 steps:
- - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.1
+ - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.2
 with:
 latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 ghcr_username: ${{ github.actor }}
 ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -102,7 +102,7 @@ jobs:
 ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.1
+ - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.2
 with:
 tag_version: ${{ needs.calculate_version.outputs.next_version }}
 changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/java_dependency_review.yml b/.github/workflows/java_dependency_review.yml
index a944d4e..73b112a 100644
--- a/.github/workflows/java_dependency_review.yml
+++ b/.github/workflows/java_dependency_review.yml
@@ -35,7 +35,7 @@ jobs:
 api.github.com:443
 api.securityscorecards.dev:443
 github.com:443
- github-cloud.githubusercontent.com:443
+ *.githubusercontent.com:443
 *.gradle.org:443
 repo.maven.apache.org:443
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -43,7 +43,7 @@ jobs:
 lfs: true
 persist-credentials: false
 ref: ${{ github.event.pull_request.head.sha }}
- - uses: epam/ai-dial-ci/actions/java_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/java_prepare@1.10.2
 with:
 java_version: ${{ inputs.java_version }}
 java_distribution: ${{ inputs.java_distribution }}
diff --git a/.github/workflows/java_pr.yml b/.github/workflows/java_pr.yml
index 42a0cf2..4cfb058 100644
--- a/.github/workflows/java_pr.yml
+++ b/.github/workflows/java_pr.yml
@@ -76,7 +76,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/java_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/java_prepare@1.10.2
 with:
 java_version: ${{ inputs.java_version }}
 java_distribution: ${{ inputs.java_distribution }}
@@ -88,7 +88,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 image_name: ghcr.io/${{ env.IMAGE_NAME }}
 image_tag: test
diff --git a/.github/workflows/java_release.yml b/.github/workflows/java_release.yml
index 8798994..f6e3c57 100644
--- a/.github/workflows/java_release.yml
+++ b/.github/workflows/java_release.yml
@@ -77,7 +77,7 @@ jobs:
 is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
 latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
 steps:
- - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.1
+ - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.2
 id: semantic_versioning

 release:
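Review bot: The new `*.githubusercontent.com:443` entry in this endpoint allow-list (the step that owns the list starts above the hunk, so I can't confirm which action consumes it, though it reads like a harden-runner style egress list) replaces one GitHub-operated host with a wildcard that also admits subdomains where any GitHub account can publish content, so the list no longer bounds where a compromised build step or dependency could fetch from or send data to. The commit message says only "allow all subdomains" and does not name the host that was actually blocked, which is what a reviewer needs to judge the exception. The narrower change is to keep `github-cloud.githubusercontent.com:443` (as far as I know the Git LFS object host, which the `lfs: true` checkout in the next hunk depends on) and add only the specific subdomain reported as blocked, for example `objects.githubusercontent.com:443` if the need is release-asset downloads. If the wildcard is genuinely required, record why above the entry, e.g. `# wildcard: <blocked host> varies per build; narrow once known`, so the exception stays reviewable.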
@@ -90,14 +90,14 @@ jobs:
 - calculate_version
 - test
 steps:
- - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.1
+ - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.2
 with:
 latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- - uses: epam/ai-dial-ci/actions/java_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/java_prepare@1.10.2
 with:
 java_version: ${{ inputs.java_version }}
 java_distribution: ${{ inputs.java_distribution }}
@@ -105,7 +105,7 @@ jobs:
 shell: bash
 run: |
 sed -i -E "s/^([ \t]*version[ \t]*=[ \t]*)[\"'].*[\"']/\1\"${{ needs.calculate_version.outputs.next_version }}\"/g" build.gradle
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 ghcr_username: ${{ github.actor }}
 ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -123,7 +123,7 @@ jobs:
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
 - uses: gradle/actions/dependency-submission@cc4fc85e6b35bafd578d5ffbc76a5518407e1af0 # v4.2.1
- - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.1
+ - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.2
 with:
 tag_version: ${{ needs.calculate_version.outputs.next_version }}
 changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/java_test.yml b/.github/workflows/java_test.yml
index 49b7341..96307a5 100644
--- a/.github/workflows/java_test.yml
+++ b/.github/workflows/java_test.yml
@@ -52,7 +52,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/java_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/java_prepare@1.10.2
 with:
 java_version: ${{ inputs.java_version }}
 java_distribution: ${{ inputs.java_distribution }}
@@ -69,7 +69,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/java_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/java_prepare@1.10.2
 with:
 java_version: ${{ inputs.java_version }}
 java_distribution: ${{ inputs.java_distribution }}
diff --git a/.github/workflows/node_pr.yml b/.github/workflows/node_pr.yml
index 78cdd16..8078636 100644
--- a/.github/workflows/node_pr.yml
+++ b/.github/workflows/node_pr.yml
@@ -81,7 +81,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 image_name: ghcr.io/${{ env.IMAGE_NAME }}
 image_tag: test
diff --git a/.github/workflows/node_release.yml b/.github/workflows/node_release.yml
index 0f499cb..d84ec38 100644
--- a/.github/workflows/node_release.yml
+++ b/.github/workflows/node_release.yml
@@ -86,7 +86,7 @@ jobs:
 is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
 latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
 steps:
- - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.1
+ - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.2
 id: semantic_versioning

 release:
@@ -99,14 +99,14 @@ jobs:
 - calculate_version
 - test
 steps:
- - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.1
+ - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.2
 with:
 latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- - uses: epam/ai-dial-ci/actions/node_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/node_prepare@1.10.2
 with:
 node_version: ${{ inputs.node_version }}
 clean_install: true
@@ -115,7 +115,7 @@ jobs:
 shell: bash
 run: |
 npm version ${{ needs.calculate_version.outputs.next_version }} --no-git-tag-version || true # upstream branch may already be updated
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 ghcr_username: ${{ github.actor }}
 ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -155,7 +155,7 @@ jobs:
 IS_LATEST: ${{ needs.calculate_version.outputs.is_latest == 'true' }}
 IS_DEVELOPMENT_BRANCH: ${{ github.ref == 'refs/heads/development' }}
 IS_RELEASE_BRANCH: ${{ startsWith(github.ref, 'refs/heads/release-') }}
- - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.1
+ - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.2
 with:
 tag_version: ${{ needs.calculate_version.outputs.next_version }}
 changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/node_test.yml b/.github/workflows/node_test.yml
index 839ed28..6d29342 100644
--- a/.github/workflows/node_test.yml
+++ b/.github/workflows/node_test.yml
@@ -56,7 +56,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/node_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/node_prepare@1.10.2
 with:
 node_version: ${{ inputs.node_version }}
 clean_install: "true"
@@ -73,7 +73,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/node_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/node_prepare@1.10.2
 with:
 node_version: ${{ inputs.node_version }}
 clean_install: "true"
@@ -90,7 +90,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/node_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/node_prepare@1.10.2
 with:
 node_version: ${{ inputs.node_version }}
 clean_install: "true"
diff --git a/.github/workflows/python_docker_pr.yml b/.github/workflows/python_docker_pr.yml
index e5dda58..5000645 100644
--- a/.github/workflows/python_docker_pr.yml
+++ b/.github/workflows/python_docker_pr.yml
@@ -71,7 +71,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 image_name: ghcr.io/${{ env.IMAGE_NAME }}
 image_tag: test
diff --git a/.github/workflows/python_docker_release.yml b/.github/workflows/python_docker_release.yml
index 6d3d920..a3ae68c 100644
--- a/.github/workflows/python_docker_release.yml
+++ b/.github/workflows/python_docker_release.yml
@@ -73,7 +73,7 @@ jobs:
 is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
 latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
 steps:
- - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.1
+ - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.2
 id: semantic_versioning

 release:
@@ -86,7 +86,7 @@ jobs:
 - calculate_version
 - test
 steps:
- - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.1
+ - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.2
 with:
 latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -97,7 +97,7 @@ jobs:
 shell: bash
 run: |
 sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.non_semver_next_version }}\"/g" pyproject.toml
- - uses: epam/ai-dial-ci/actions/build_docker@1.10.1
+ - uses: epam/ai-dial-ci/actions/build_docker@1.10.2
 with:
 ghcr_username: ${{ github.actor }}
 ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -114,7 +114,7 @@ jobs:
 ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
 ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.1
+ - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.2
 with:
 tag_version: ${{ needs.calculate_version.outputs.next_version }}
 changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/python_docker_test.yml b/.github/workflows/python_docker_test.yml
index 268eb1f..57214f5 100644
--- a/.github/workflows/python_docker_test.yml
+++ b/.github/workflows/python_docker_test.yml
@@ -48,7 +48,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ inputs.python_version }}
 - name: Test
@@ -64,7 +64,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ inputs.python_version }}
 - name: Test
diff --git a/.github/workflows/python_package_pr.yml b/.github/workflows/python_package_pr.yml
index 102c281..2e85b04 100644
--- a/.github/workflows/python_package_pr.yml
+++ b/.github/workflows/python_package_pr.yml
@@ -78,7 +78,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ inputs.python_version }}
 - run: make build
diff --git a/.github/workflows/python_package_release.yml b/.github/workflows/python_package_release.yml
index 2e065d9..3d7b7e7 100644
--- a/.github/workflows/python_package_release.yml
+++ b/.github/workflows/python_package_release.yml
@@ -75,7 +75,7 @@ jobs:
 non_semver_next_version: ${{ steps.semantic_versioning.outputs.non_semver_next_version }}
 latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
 steps:
- - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.1
+ - uses: epam/ai-dial-ci/actions/semantic_versioning@1.10.2
 id: semantic_versioning

 release:
@@ -88,14 +88,14 @@ jobs:
 - calculate_version
 - test
 steps:
- - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.1
+ - uses: epam/ai-dial-ci/actions/generate_release_notes@1.10.2
 with:
 latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ inputs.python_version }}
 - name: Set version
@@ -109,7 +109,7 @@ jobs:
 make publish
 env:
 PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
- - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.1
+ - uses: epam/ai-dial-ci/actions/publish_tag_release@1.10.2
 with:
 tag_version: ${{ needs.calculate_version.outputs.non_semver_next_version }}
 changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/python_package_test.yml b/.github/workflows/python_package_test.yml
index 7d15343..b0da358 100644
--- a/.github/workflows/python_package_test.yml
+++ b/.github/workflows/python_package_test.yml
@@ -72,7 +72,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ inputs.python_version }}
 - name: Test
@@ -92,7 +92,7 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: epam/ai-dial-ci/actions/python_prepare@1.10.1
+ - uses: epam/ai-dial-ci/actions/python_prepare@1.10.2
 with:
 python_version: ${{ matrix.python-version }}
 - name: Test