mirror of
https://github.com/datahaven-xyz/datahaven
synced 2026-05-23 17:28:23 +00:00
746fce9328
## Summary This PR addresses several security vulnerabilities and applies hardening measures to the GitHub Actions workflows: - **Replace `secrets: inherit` with explicit secret passing** - Prevents unnecessary exposure of all repository secrets to called workflows - **Add SHA256 checksum verification for downloaded binaries** - Protects against supply chain attacks via compromised upstream releases - **Add GitHub Environment protections for release workflows** - Requires approval before publishing to Docker Hub or creating releases - **Add explicit minimal permissions to all workflows** - Follows principle of least privilege, removes unnecessary `packages: write` from CI.yml ## Changes by Category ### 1. Explicit Secret Passing | Workflow | Before | After | |----------|--------|-------| | CI.yml → docker-build-ci | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | | CI.yml → docker-build-release | `secrets: inherit` | Explicit `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN` | | CI.yml → e2e-tests | `secrets: inherit` | No secrets (GITHUB_TOKEN is automatic) | ### 2. Binary Checksum Verification | Workflow | Binary | SHA256 | |----------|--------|--------| | task-rust-lint.yml | taplo 0.8.1 | `c62baa73c9d7c1572...` | | task-e2e.yml | kurtosis 1.11.99 | `5e88e98c1b255362...` | ### 3. Environment Protections | Workflow | Job | Environment | |----------|-----|-------------| | task-docker-release.yml | build-test-push | `production` | | task-publish-binary.yml | publish-draft-release | `releases` | | task-publish-binary.yml | docker-release-candidate | `production` | | task-publish-runtime.yml | publish-draft-release | `releases` | ### 4. Explicit Permissions All 14 workflow files now have explicit `permissions:` blocks with minimal required access. Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Ahmad Kaouk <56095276+ahmadkaouk@users.noreply.github.com>
105 lines
3.1 KiB
YAML
105 lines
3.1 KiB
YAML
# Lint and Format: CI for Rust components (DataHaven runtime and node Rust tests)
|
|
#
|
|
# Overview:
|
|
# 1. Check Rust Format: Check that the Rust code is formatted correctly
|
|
# 2. Check Rust Lint: Check that the Rust code is linted correctly
|
|
|
|
name: Lint and Format
|
|
|
|
on:
|
|
workflow_call:
|
|
workflow_dispatch:
|
|
inputs:
|
|
pull_request:
|
|
description: set to pull_request number to execute on external pr
|
|
required: false
|
|
|
|
# Explicit minimal permissions
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
WORKING_DIR: operator
|
|
SCCACHE_GHA_ENABLED: "true"
|
|
RUSTC_WRAPPER: "sccache"
|
|
|
|
jobs:
|
|
cargo-fmt:
|
|
name: "Check format with rustfmt"
|
|
runs-on:
|
|
group: DH-runners
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ env.WORKING_DIR }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: ./.github/workflows/actions/setup-env
|
|
with:
|
|
cache-key: FMT
|
|
install-deps: false # Self-hosted runners have deps pre-installed
|
|
|
|
- name: Run cargo fmt
|
|
run: cargo fmt --all -- --check
|
|
|
|
check-rust-lint:
|
|
name: "Check lint with clippy"
|
|
runs-on:
|
|
group: DH-runners
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ env.WORKING_DIR }}
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: ./.github/workflows/actions/setup-env
|
|
with:
|
|
cache-key: LINT
|
|
install-deps: false # Self-hosted runners have deps pre-installed
|
|
|
|
- name: Set build flags
|
|
run: echo "RUSTFLAGS=${{ env.RUSTFLAGS }} -C linker=clang -C link-arg=-fuse-ld=mold" >> $GITHUB_ENV
|
|
|
|
- name: Run cargo clippy
|
|
run: SKIP_WASM_BUILD=1 cargo clippy --features try-runtime,runtime-benchmarks --locked --release
|
|
|
|
check-cargo-sort:
|
|
name: "Check Cargo sort"
|
|
runs-on:
|
|
group: DH-runners
|
|
|
|
defaults:
|
|
run:
|
|
working-directory: ${{ env.WORKING_DIR }}
|
|
|
|
steps:
|
|
- name: Check out the repository to the runner
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install taplo locally
|
|
run: |
|
|
# Install taplo in user space without sudo
|
|
TAPLO_VERSION="0.8.1"
|
|
# SHA256 checksum for taplo-full-linux-x86_64.gz (decompressed binary)
|
|
TAPLO_SHA256="c62baa73c9d7c1572047b1a502ca805e1372e5db7c9a935532f702f12d6115ce"
|
|
|
|
if ! command -v taplo &> /dev/null || [[ $(taplo --version | grep -oP '\d+\.\d+\.\d+' | head -1) != "$TAPLO_VERSION" ]]; then
|
|
echo "Installing taplo $TAPLO_VERSION in ~/.local/bin"
|
|
mkdir -p ~/.local/bin
|
|
curl -Ls "https://github.com/tamasfe/taplo/releases/download/${TAPLO_VERSION}/taplo-full-linux-x86_64.gz" | \
|
|
gzip -d > ~/.local/bin/taplo
|
|
|
|
# Verify checksum before making executable
|
|
echo "Verifying taplo checksum..."
|
|
echo "${TAPLO_SHA256} $HOME/.local/bin/taplo" | sha256sum -c -
|
|
|
|
chmod +x ~/.local/bin/taplo
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
export PATH="$HOME/.local/bin:$PATH"
|
|
else
|
|
echo "taplo is already installed: $(taplo --version)"
|
|
fi
|
|
|
|
- run: taplo fmt --check
|
|
- run: taplo lint
|