[StepSecurity] ci: Harden GitHub Actions

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @jaybuidl. Please merge the Pull Request to incorporate the requested changes. Please tag @jaybuidl on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Harden runner usage

You can find link to view insights and policy recommendation in the build log

Please refer to documentation to find more details.

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

---

PR-Codex overview

This PR focuses on enhancing the GitHub Actions workflows for Dependabot and SonarCloud by adding permission settings and updating the action versions.

Detailed summary

• Added permissions section with contents: read for both .github/workflows/dependabot-automerge.yml and .github/workflows/sonarcloud.yml.
• Updated uses for step-security/harden-runner to version 91182cccc01eb5e619899d80e4e971d6181294a7.
• Updated uses for SonarSource/sonarcloud-github-action to version 9f9bba2c7aaf7a55eac26abbac906c3021d211b2.
• Specified egress-policy: audit in the Harden Runner step.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• Chores
  • Updated permissions for Dependabot and SonarCloud workflows to enhance security and access controls.
  • Added a new step "Harden Runner" to the SonarCloud workflow for improved security.
  • Specified versions for actions in the SonarCloud workflow to ensure consistency and reliability.

[netlify]

‼️ Deploy request for kleros-v2-testnet rejected.

Name	Link
🔨 Latest commit	6e754ab

[netlify]

‼️ Deploy request for kleros-v2-testnet-devtools rejected.

Name	Link
🔨 Latest commit	6e754ab

[netlify]

‼️ Deploy request for kleros-v2-university rejected.

Name	Link
🔨 Latest commit	6e754ab

[netlify]

👷 Deploy request for kleros-v2-neo accepted.

Name	Link
🔨 Latest commit	6e754ab
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-neo/deploys/6729ec69a3b656000836ec9f

[coderabbitai]

Walkthrough

The pull request introduces modifications to two GitHub Actions workflow files: .github/workflows/dependabot-automerge.yml and .github/workflows/sonarcloud.yml. The changes include the addition of a permissions section to both workflows, enhancing access controls for various actions. In the dependabot-automerge workflow, permissions for contents and pull requests are specified for the dependabot job. The sonarcloud workflow sees new permissions and the introduction of a "Harden Runner" step, along with updates to specific action versions, improving security and functionality.

Changes

File	Change Summary
.github/workflows/dependabot-automerge.yml	- Added permissions: contents: read - Updated job dependabot with permissions: contents: write, pull-requests: write
.github/workflows/sonarcloud.yml	- Added permissions at the top level - Updated job sonarcloud with permissions: contents: read, pull-requests: read - Added step Harden Runner - Updated actions/checkout from v3 to v3.6.0 - Updated SonarSource/sonarcloud-github-action from master to specific SHA 9f9bba2c7aaf7a55eac26abbac906c3021d211b2

Sequence Diagram(s)

sequenceDiagram
    participant D as Dependabot
    participant W as Workflow
    participant A as GitHub API

    D->>W: Trigger PR
    W->>A: Check permissions
    A-->>W: Permissions granted
    W->>A: Execute actions
    A-->>W: Actions completed

Loading

🐇 "In the land of code, where rabbits play,
New permissions sprout, brightening the day.
Dependabot hops with a joyful cheer,
SonarCloud's guard is now crystal clear.
With actions updated, we leap and bound,
In our coding burrow, joy does abound!" 🐇

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codeclimate]

Code Climate has analyzed commit 6e754ab and detected 0 issues on this pull request.

View more on Code Climate.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

.github/workflows/sonarcloud.yml (2)

21-24: Consider strengthening the egress policy.

While the Harden Runner implementation is good, the audit egress-policy only monitors network calls without blocking any suspicious activity. Consider switching to block mode after reviewing the audit logs to actively prevent potential security threats.

       with:
-         egress-policy: audit
+         egress-policy: block

---

26-26: Fix misleading comment in SonarCloud action version.

The version pinning to specific commits is excellent for security. However, the comment # master is misleading since we're using a specific commit hash.

-        uses: SonarSource/sonarcloud-github-action@9f9bba2c7aaf7a55eac26abbac906c3021d211b2 # master
+        uses: SonarSource/sonarcloud-github-action@9f9bba2c7aaf7a55eac26abbac906c3021d211b2 # v2.0.2

Also applies to: 31-31

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between c3599ac and 6e754ab.

📒 Files selected for processing (2)

• .github/workflows/dependabot-automerge.yml (1 hunks)
• .github/workflows/sonarcloud.yml (1 hunks)

🔇 Additional comments (6)

.github/workflows/sonarcloud.yml (3)

10-12: LGTM! Good security practice with least privilege permissions.

Setting explicit read-only permissions at the workflow level follows the principle of least privilege, which is a security best practice.

---

15-17: LGTM! Well-documented permissions with clear purpose.

Excellent job documenting the reason for each permission. The read-only access for both contents and pull-requests is appropriate for SonarCloud's scanning purposes.

---

31-34: Verify secure handling of tokens.

The workflow appropriately uses GitHub secrets for sensitive tokens. Let's verify there are no token exposures in the repository.

✅ Verification successful

Secure token handling confirmed with additional security measures in place

The workflow demonstrates secure practices for handling sensitive data:

• All sensitive tokens (GITHUB_TOKEN and SONAR_TOKEN) are properly stored as GitHub secrets
• Appropriate permission scoping is implemented with permissions block
• Security hardening is applied via step-security/harden-runner
• No hardcoded credentials or tokens found in the workflow files
• Uses pinned action versions for security

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for potential token exposures in workflow files
rg -g '*.yml' -g '*.yaml' -i '(token|secret|key|password).*[A-Za-z0-9/+]{40,}' .github/workflows/

Length of output: 99

---

Script:

#!/bin/bash
# Check for proper secret usage in workflow files
rg -g '*.yml' -g '*.yaml' '\${{.*secrets.*}}' .github/workflows/

# Check for any hardcoded tokens or credentials
rg -g '*.yml' -g '*.yaml' -i '(token|api[_-]?key|secret|password|credential)' .github/workflows/

# Examine the overall workflow configuration
cat .github/workflows/sonarcloud.yml

Length of output: 3688

.github/workflows/dependabot-automerge.yml (3)

Line range hint 12-14: LGTM! Job permissions are properly scoped.

The elevated write permissions are:

1. Well-documented with a reference link
2. Necessary for the auto-merge functionality
3. Properly restricted to Dependabot-only execution

---

Line range hint 17-23: LGTM! Harden Runner is well configured with strict security controls.

The configuration follows security best practices:

1. Action is pinned to a specific commit hash
2. Sudo access is disabled
3. Network egress is blocked by default
4. Only essential GitHub API endpoint is allowed

Let's verify if we're using the latest stable version of harden-runner:

#!/bin/bash
# Description: Check if the harden-runner version is up to date
# Expected: Version 2.5.0 should be the latest stable release

# Get the latest release version from GitHub API
gh api repos/step-security/harden-runner/releases/latest --jq .tag_name

---

6-8: LGTM! Default permissions properly restricted.

The addition of explicit top-level permissions following the principle of least privilege is a good security practice.

Let's verify that read-only access is sufficient for the workflow triggers:

✅ Verification successful

Top-level read permission is appropriate and secure

The workflow correctly implements a layered permissions approach:

• Top-level contents: read sets a secure default
• Job-level permissions are explicitly elevated only for the dependabot job where needed
• The workflow only performs write operations in the dependabot job (auto-merge) which has its own elevated permissions

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify if the workflow requires additional permissions for its triggers
# Expected: No direct API calls or write operations in the workflow steps outside the dependabot job

# Search for any potential GitHub API calls or write operations in the workflow
rg -l 'github|gh' .github/workflows/dependabot-automerge.yml

Length of output: 282

---

Script:

#!/bin/bash
# Let's examine the full content of the workflow file to understand all operations
cat .github/workflows/dependabot-automerge.yml

Length of output: 1291