diff --git a/.github/workflows/ah_token_refresh.yml b/.github/workflows/ah_token_refresh.yml
index ae9a504d..3ab66173 100644
--- a/.github/workflows/ah_token_refresh.yml
+++ b/.github/workflows/ah_token_refresh.yml
@@ -5,9 +5,10 @@ on:
   schedule:
     - cron: "0 12 1,15 * *" # run 12pm on the 1st and 15th of the month
   workflow_dispatch:
+permissions: read-all
 jobs:
   refresh:
-    uses: ansible/ansible-content-actions/.github/workflows/refresh_ah_token.yaml@main
+    uses: ansible/ansible-content-actions/.github/workflows/refresh_ah_token.yaml@8d811a21e588dc6692299797e9a2bab1205365dc # main
     with:
       environment: release
     secrets:
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index b154026e..1050f4bc 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -6,15 +6,19 @@ on:
   push:
     branches:
       - main
+permissions: read-all
 jobs:
   bandit-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
@@ -32,7 +36,7 @@ jobs:
           cat bandit-output.sarif
       - name: Upload Bandit scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
         with:
           sarif_file: "bandit-output.sarif"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7588f9c3..2cb6ed0e 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
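Review bot: The new `uses:` line pins refresh_ah_token.yaml to a commit SHA but annotates it with `# main`, a moving branch, so neither a reader nor a pin-update tool can tell from the file which upstream state the SHA corresponds to or when it was taken; release.yml carries the same `# main` annotation on its release_collection.yml pin. Record a tag if upstream publishes one, or at least the capture date, e.g. `# main as of <YYYY-MM-DD>` (placeholder). Separately, the workflow-level `permissions: read-all` now caps the `refresh` job and there is no job-level override, so the called reusable workflow can only use read scopes; if it needs more it will be rejected at run time, which presumably was verified against the callee but is worth confirming. The `secrets:` block of this job continues outside the hunk.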
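Review bot: The pinned `actions/checkout` step in bandit.yml leaves `persist-credentials` at its default, so the job token is written into `.git/config` for the rest of the job even though the job only reads the tree; the same applies to the checkout steps added in lint.yml, test.yml and trivy.yml. Since none of these jobs push, add `with:` / `persist-credentials: false` under each of them, as scorecard.yml already does. The new job-level `contents: read` plus `security-events: write` is the correct minimal set for the SARIF upload.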
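Review bot: The version comment on the new `upload-sarif` pin is the moving major tag `# v4`, so the SHA cannot be audited against a specific release from the file alone, unlike the `# v6.0.2` / `# v6.2.0` comments on the other pins in this commit; the same `# v4` comment is used in lint.yml, scorecard.yml and trivy.yml. Replace it with the full release tag the SHA resolves to, e.g. `# v4.<minor>.<patch>` (placeholder; take it from the codeql-action release list), so pin-update tooling and reviewers can verify the pin.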
@@ -20,15 +20,19 @@ on:
       - .whitesource
       - .yamlfmt
       - .yamllint
+permissions: read-all
 jobs:
   ansible-lint:
     name: ansible-lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python 3.11
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.11
       - name: Install ansible-lint
@@ -36,7 +40,7 @@ jobs:
       - name: Run ansible-lint
         run: ansible-lint
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: ansible_lint_result.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a72686ef..09fbfdad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,9 +3,12 @@ name: Release the ansible collection to Ansible Galaxy and Ansible Automation Hu
 on:
   release:
     types: [published]
+permissions: read-all
 jobs:
   release:
-    uses: ansible/team-devtools/.github/workflows/release_collection.yml@main
+    permissions:
+      contents: write
+    uses: ansible/team-devtools/.github/workflows/release_collection.yml@a7f2500fb428f217418c6c39c016319cd76df408 # main
     with:
       environment: release
     secrets:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 9b0df212..b2d713bf 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
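Review bot: `contents: write` is now the only scope the `release` job grants to the third-party reusable workflow, and a called workflow cannot exceed the caller's grant; if release_collection.yml also needs something such as `id-token: write` for publishing, the call will be rejected at run time, so verify the required set against the pinned callee before merging. A one-line comment above the `permissions:` block stating why write access is needed (e.g. `# release_collection.yml pushes the tag/release assets — needs contents: write`, to be confirmed against the callee) would keep the next reviewer from widening or narrowing it blindly. The job's `secrets:` block continues outside the hunk.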
@@ -33,12 +33,12 @@ jobs:
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.4.3
+        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -60,7 +60,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -69,6 +69,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0cf85d33..091ba8f0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
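Review bot: scorecard.yml is the only workflow in this commit that does not receive a workflow-level `permissions: read-all` or a job-level `permissions:` block; the job header sits before line 33, outside this hunk, so this is fine if it already declares `permissions: read-all` at the top and `security-events: write` / `id-token: write` on the job, as the OSSF template does, but that should be confirmed rather than assumed. The checkout step here already sets `persist-credentials: false`, which is the pattern the other workflows' new checkout pins should follow.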
@@ -12,23 +12,26 @@ on:
     paths:
       - plugins/**
       - tests/**
+permissions: read-all
 jobs:
   ansible-galaxy-importer:
     name: ansible-galaxy-importer
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         python-version:
           - "3.11"
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build the collection
         run: |
           echo "> ansible-galaxy collection build --force"
           ansible-galaxy collection build --force
       - name: Setup Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: "pip"
@@ -48,7 +51,7 @@ jobs:
             exit 1
           fi
       - name: Archive recent build
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: collection-build
           path: netscaler-adc-*.tar.gz
@@ -56,6 +59,8 @@ jobs:
   sanity-test:
     name: Sanity test with Ansible ${{ matrix.ansible }} and Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         ansible:
@@ -66,9 +71,9 @@ jobs:
           - "3.11"
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
@@ -108,6 +113,8 @@ jobs:
       Integration test with Ansible ${{ matrix.ansible }} and Python ${{ matrix.python-version }} against NetScaler ${{ matrix.netscaler-version }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       matrix:
         ansible:
@@ -119,7 +126,7 @@ jobs:
           - 14.1-43.50
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Start NetScaler CPX container
         run: |
           # docker-compose -f "docker-compose.yml" up -d
@@ -162,7 +169,7 @@ jobs:
           echo "> curl -kL http://$NETSCALER_NSIP/nitro/v1/config/nsip -u nsroot:$NETSCALER_NITRO_PASS"
           curl -kL http://$NETSCALER_NSIP/nitro/v1/config/nsip -u nsroot:$NETSCALER_NITRO_PASS
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index cca85ff8..cba26523 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -5,12 +5,16 @@ on:
     branches:
       - main
   pull_request:
+permissions: read-all
 jobs:
   trivy-check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Run Trivy vulnerability scanner in repo mode
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
@@ -23,7 +27,7 @@ jobs:
           severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
         if: always()
         with:
           sarif_file: "trivy-results.sarif"
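Review bot: The newly pinned `upload-sarif` step runs under `if: always()` with the job's new `security-events: write`, but the workflow also triggers on `pull_request`, and for pull requests from forks the job token is read-only regardless of the declared permissions, so the upload will fail there and mark the job red even when the Trivy scan itself passed. If fork PRs are accepted, guard the step, e.g. `if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`, and let the scan result be the signal on fork PRs. The `with:` block of the Trivy step between the two hunks is outside this view.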