diff --git a/.github/workflows/build_and_release_gem.yml b/.github/workflows/build_and_release_gem.yml index 03e08a2..b503c50 100644 --- a/.github/workflows/build_and_release_gem.yml +++ b/.github/workflows/build_and_release_gem.yml @@ -6,6 +6,9 @@ name: Ruby Gem to RubyGems on: workflow_dispatch: +permissions: + contents: read + jobs: # act -j publish_to_ruby_gem --container-architecture linux/arm64 --secret-file act.secrets publish_to_ruby_gem: @@ -20,12 +23,12 @@ jobs: apm_ruby_version: ${{ steps.build.outputs.gem_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Set up Ruby 3.3 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: '3.3' bundler-cache: true @@ -36,7 +39,7 @@ jobs: echo "gem_version=`ruby -e 'require "./lib/solarwinds_apm/version"; puts SolarWindsAPM::Version::STRING'`" >> $GITHUB_OUTPUT - name: Build and publish gem using trusted publishing - uses: rubygems/release-gem@v1 + uses: rubygems/release-gem@f0d7faff26625599a847d40d9fa28ace24c2aacc # v1 - name: Calculate checksum id: checksum_step @@ -66,7 +69,7 @@ jobs: exit 1 - name: Create release draft that includes the checksum - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: github-token: ${{secrets.GITHUB_TOKEN}} script: | @@ -80,7 +83,7 @@ jobs: }) - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem path: solarwinds_apm-${{ steps.build.outputs.gem_version }}.gem 
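Review bot: The new workflow-level `permissions: contents: read` in the first hunk of build_and_release_gem.yml is the right default, but two later steps in the same job need more: `rubygems/release-gem` trusted publishing requests an OIDC token (`id-token: write`), and the `actions/github-script` step creates a release draft with `GITHUB_TOKEN` (`contents: write`). Neither grant is visible in these hunks, so it must live in the job's own `permissions:` block outside the hunk, if one exists; a job-level block replaces the workflow-level set rather than extending it, so it has to list every scope the job uses, e.g. on `publish_to_ruby_gem` add `permissions:` / `contents: write` / `id-token: write`. The scan job in the second half of the file only downloads an artifact, so it should inherit the workflow-level read-only token and nothing more.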
@@ -103,10 +106,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem path: ./ @@ -115,7 +118,7 @@ jobs: - name: Scan build artifact on the Portal id: rl-scan - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ./solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem rl-verbose: true diff --git a/.github/workflows/build_for_github_package.yml b/.github/workflows/build_for_github_package.yml index d40dabb..811afd0 100644 --- a/.github/workflows/build_for_github_package.yml +++ b/.github/workflows/build_for_github_package.yml @@ -6,6 +6,10 @@ name: Ruby Gem to Github Package on: workflow_dispatch: +permissions: + contents: read + packages: write + jobs: publish_to_github_package: name: Build + Publish to Github Package @@ -15,10 +19,10 @@ jobs: apm_ruby_version: ${{ steps.version.outputs.gem_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby 3.1 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: 3.1 @@ -48,7 +52,7 @@ jobs: GITHUB_SECRET_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem path: pkg/solarwinds_apm-${{ steps.version.outputs.gem_version }}.gem 
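Review bot: In the `permissions` hunk of build_for_github_package.yml, `packages: write` is granted at workflow level, so every job in the file inherits it — including the ReversingLabs scan job further down, which only downloads an artifact and needs no package write access. Keep `contents: read` at workflow level and scope the write to the publishing job only: under `publish_to_github_package:` add `permissions:` / `contents: read` / `packages: write` (a job-level block replaces the workflow-level set, so `contents: read` must be restated). The scan job then runs with a read-only token, matching how build_and_release_gem.yml is scoped elsewhere in this change.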
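Review bot: The pinned `actions/checkout` in the `publish_to_github_package` job has no `with: persist-credentials: false`, unlike the checkout in build_and_release_gem.yml earlier in this change. That matters more here because this job's `GITHUB_TOKEN` carries `packages: write` under the new workflow-level block, and the persisted credential stays in `.git/config` for the rest of the job, where any code run by later steps (for example native-extension builds during the `ruby/setup-ruby` bundler install) can read it. Add `with:` / `persist-credentials: false` under the checkout step; the publish step already receives the token explicitly via `GITHUB_SECRET_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so nothing else should depend on the persisted copy.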
@@ -60,10 +64,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem path: pkg @@ -72,7 +76,7 @@ jobs: - name: Scan build artifact on the Portal id: rl-scan - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: pkg/solarwinds_apm-${{ env.SOLARWINDS_APM_VERSION }}.gem rl-verbose: true diff --git a/.github/workflows/build_publish_lambda_layer.yml b/.github/workflows/build_publish_lambda_layer.yml index eb95aa3..567e84e 100644 --- a/.github/workflows/build_publish_lambda_layer.yml +++ b/.github/workflows/build_publish_lambda_layer.yml @@ -46,7 +46,7 @@ jobs: runs-on: ${{ matrix.arch == 'arm64' && fromJSON('{"group":"apm-arm-runner"}') || 'ubuntu-latest' }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Build ruby lambda layer on ${{ matrix.arch }} run: | @@ -67,7 +67,7 @@ jobs: working-directory: lambda/ - name: Upload to artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda/build/ruby-layer-${{ matrix.arch }}.zip @@ -89,10 +89,10 @@ jobs: apm_ruby_version: ${{ steps.version.outputs.SOLARWINDS_APM_VERSION }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda 
@@ -117,7 +117,7 @@ jobs: env: RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ./lambda/ruby-layer-${{ matrix.arch }}.zip rl-verbose: true @@ -163,16 +163,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: configure AWS ${{ inputs.publish-dest }} credential - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6 with: role-to-assume: ${{ inputs.publish-dest == 'production' && secrets.LAMBDA_PUBLISHER_ARN_PROD || inputs.publish-dest == 'staging' && secrets.LAMBDA_PUBLISHER_ARN_STAGING }} aws-region: ${{ matrix.aws_region }} - name: extract layer zip from artifacts - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: ruby-layer-${{ matrix.arch }}.zip path: lambda diff --git a/.github/workflows/ci-markdown-link.yml b/.github/workflows/ci-markdown-link.yml index b12b11f..ef8253e 100644 --- a/.github/workflows/ci-markdown-link.yml +++ b/.github/workflows/ci-markdown-link.yml @@ -3,15 +3,19 @@ name: Markdown Link Check on: pull_request: +permissions: + contents: read + pull-requests: write + jobs: markdown-link-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # equivalent cli: linkspector check - name: Run linkspector - uses: umbrelladocs/action-linkspector@v1 + uses: umbrelladocs/action-linkspector@963b6264d7de32c904942a70b488d3407453049e # v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} reporter: github-pr-review diff --git a/.github/workflows/ci-markdownlint.yml b/.github/workflows/ci-markdownlint.yml index fa5bc73..7b45e8a 100644 
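Review bot: build_publish_lambda_layer.yml is the one workflow in this change that receives no `permissions:` block, even though its publish job assumes an AWS role through `aws-actions/configure-aws-credentials` (`role-to-assume`), which relies on `id-token: write`. Presumably a job-level block outside these hunks already grants that; if the file has no `permissions:` at all, the other jobs run with the repository's default token permissions, which may still be the legacy read/write default. Suggest adding workflow-level `permissions:` / `contents: read` as in the sibling workflows and keeping `id-token: write` on the publish job only, with a short comment such as `# id-token: write is required for OIDC role assumption in configure-aws-credentials`.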
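Review bot: The new `pull-requests: write` in ci-markdown-link.yml only takes effect for pull requests from branches in this repository; on a `pull_request` event from a fork the `GITHUB_TOKEN` is read-only regardless of this block, so the `github-pr-review` reporter will be unable to post review comments (whether the action then fails or just logs depends on its implementation — worth verifying once on a fork PR). Since the scope is now declared explicitly, a comment recording the limitation saves the next reader a debugging session, e.g. `# pull-requests: write lets linkspector post PR review comments; fork PRs get a read-only token and only see the job log`. This also grants write on a workflow that runs against untrusted PR content, so the SHA pin on `umbrelladocs/action-linkspector` added here is what keeps that acceptable — keep it pinned.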
--- a/.github/workflows/ci-markdownlint.yml +++ b/.github/workflows/ci-markdownlint.yml @@ -3,15 +3,18 @@ name: Markdown Lint Check on: pull_request: +permissions: + contents: read + jobs: markdownlint-check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # equivalent cli: markdownlint-cli2 "**/*.md" "#lambda/.aws-sam/**" "#.github/pull_request_template.md" "#.github/ISSUE_TEMPLATE/bug-or-feature-request.md" "#.github/instructions/**" --config .markdownlint.json - name: "Markdown Lint Check" - uses: DavidAnson/markdownlint-cli2-action@v23 + uses: DavidAnson/markdownlint-cli2-action@ded1f9488f68a970bc66ea5619e13e9b52e601cd # v23 with: fix: false globs: | diff --git a/.github/workflows/ci-reverse-lab.yml b/.github/workflows/ci-reverse-lab.yml index 864ad95..0b2f198 100644 --- a/.github/workflows/ci-reverse-lab.yml +++ b/.github/workflows/ci-reverse-lab.yml @@ -6,16 +6,19 @@ name: CI Reverse Lab Scan on: workflow_dispatch: +permissions: + contents: read + jobs: # act -j ci-reverse-lab-scan --container-architecture linux/arm64 ci-reverse-lab-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby 3.1 and bundle - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: 3.1 @@ -44,7 +47,7 @@ jobs: env: RLPORTAL_ACCESS_TOKEN: ${{ secrets.REVERSE_LAB_TOKEN }} - uses: reversinglabs/gh-action-rl-scanner-cloud-only@v1 + uses: reversinglabs/gh-action-rl-scanner-cloud-only@b61135055814f4da482de188fafe6c5d614f87a8 # v1 with: artifact-to-scan: ${{ steps.build-apm-ruby-ci-reverse-lab.outputs.current_gem }} rl-verbose: true diff --git a/.github/workflows/codeql_analysis.yml b/.github/workflows/codeql_analysis.yml index 821b8ba..d945690 100644 --- a/.github/workflows/codeql_analysis.yml +++ b/.github/workflows/codeql_analysis.yml 
@@ -16,6 +16,9 @@ on: branches: [ "main" ] workflow_dispatch: +permissions: + contents: read + jobs: analyze: name: Analyze @@ -33,18 +36,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: languages: ${{ matrix.language }} queries: security-extended,security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/rubocop-analysis.yml b/.github/workflows/rubocop-analysis.yml index b80c474..e068e14 100644 --- a/.github/workflows/rubocop-analysis.yml +++ b/.github/workflows/rubocop-analysis.yml @@ -13,18 +13,20 @@ on: branches: [ "main" ] workflow_dispatch: +permissions: + contents: read + security-events: write + jobs: rubocop: runs-on: ubuntu-latest - strategy: - fail-fast: false steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1 with: ruby-version: '3.1.0' @@ -42,6 +44,6 @@ jobs: " - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 with: sarif_file: rubocop.sarif diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml index ae7b3b3..4dd2f03 100644 --- a/.github/workflows/run_unit_tests.yml +++ b/.github/workflows/run_unit_tests.yml 
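Review bot: `security-events: write` is correctly added for the `upload-sarif` step in rubocop-analysis.yml, but the documented requirements for `github/codeql-action/upload-sarif` also include `actions: read` when the repository is private, which this block does not grant; public repositories are unaffected. If that applies, add `actions: read` beside `security-events: write` with a comment `# actions: read only required for private repos (upload-sarif)`. Dropping the matrix-less `strategy: fail-fast: false` is fine — it had no effect without a matrix. The checkout here also keeps the default `persist-credentials`; with a read-only `contents` scope that is low risk, but `persist-credentials: false` would match the convention used in the RubyGems workflow.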
@@ -19,6 +19,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: # run act to test locally: act -j unit_test --container-architecture linux/arm64 -s SW_APM_SERVICE_KEY=your_key unit_test: @@ -53,7 +56,7 @@ jobs: steps: - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: print some info run: | @@ -72,7 +75,7 @@ jobs: test/test_setup.sh - name: Upload coverage to Codecov - uses: codecov/codecov-action@v6 + uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6 with: token: ${{ secrets.CODECOV_TOKEN }} files: coverage/coverage.xml diff --git a/.github/workflows/verify_install.yml b/.github/workflows/verify_install.yml index f51cb84..4d5de78 100644 --- a/.github/workflows/verify_install.yml +++ b/.github/workflows/verify_install.yml @@ -69,7 +69,7 @@ jobs: run: yum install -y tar gzip - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Verify install working-directory: .github/workflows/scripts @@ -96,7 +96,7 @@ jobs: steps: - name: Checkout ${{ github.ref }} - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup id: setup @@ -107,7 +107,7 @@ jobs: echo "cache_key=mri" >> $GITHUB_OUTPUT - name: Setup Ruby - uses: ruby/setup-ruby@v1.215.0 + uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0 with: ruby-version: ${{ matrix.ruby-version }} working-directory: "${{ steps.setup.outputs.gem_dir }}"
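Review bot: In the last hunk of verify_install.yml, `ruby/setup-ruby` is pinned to `2654679f…` (`# v1.215.0`) while every other workflow in this change pins `afeafc3d…` (`# v1`), so the repository now carries two different setup-ruby commits that Dependabot/Renovate will track independently. The `v1.215.0` tag was already there before this change, so the hold-back may be deliberate; if so, record why in the trailing comment, e.g. `# v1.215.0 — intentionally held back: <reason>`, otherwise align it with the SHA used in the sibling workflows. This file also gets no `permissions:` block in this change; if it has none today, its jobs (including the one that runs `yum install`) keep the repository default token permissions, and a workflow-level `permissions:` / `contents: read` would match the rest of the change.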