mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-08 22:12:56 +00:00
88ea855cff
This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @areyou1or0. Please merge the Pull Request to incorporate the requested changes. Please tag @areyou1or0 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access. See how popular open-source projects use Harden-Runner [here](https://docs.stepsecurity.io/whos-using-harden-runner). <details> <summary>Harden runner usage</summary> You can find link to view insights and policy recommendation in the build log <img src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true" width="60%" height="60%"> Please refer to [documentation](https://docs.stepsecurity.io/harden-runner) to find more details. </details> will fix https://github.com/neondatabase/cloud/issues/26141
72 lines
2.3 KiB
YAML
72 lines
2.3 KiB
YAML
name: Report Workflow Stats Batch
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '*/15 * * * *'
|
|
- cron: '25 0 * * *'
|
|
- cron: '25 1 * * 6'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
gh-workflow-stats-batch-2h:
|
|
name: GitHub Workflow Stats Batch 2 hours
|
|
if: github.event.schedule == '*/15 * * * *'
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
actions: read
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Export Workflow Run for the past 2 hours
|
|
uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
|
|
with:
|
|
db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
|
|
db_table: "gh_workflow_stats_neon"
|
|
gh_token: ${{ secrets.GITHUB_TOKEN }}
|
|
duration: '2h'
|
|
|
|
gh-workflow-stats-batch-48h:
|
|
name: GitHub Workflow Stats Batch 48 hours
|
|
if: github.event.schedule == '25 0 * * *'
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
actions: read
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Export Workflow Run for the past 48 hours
|
|
uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
|
|
with:
|
|
db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
|
|
db_table: "gh_workflow_stats_neon"
|
|
gh_token: ${{ secrets.GITHUB_TOKEN }}
|
|
duration: '48h'
|
|
|
|
gh-workflow-stats-batch-30d:
|
|
name: GitHub Workflow Stats Batch 30 days
|
|
if: github.event.schedule == '25 1 * * 6'
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
actions: read
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Export Workflow Run for the past 30 days
|
|
uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
|
|
with:
|
|
db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
|
|
db_table: "gh_workflow_stats_neon"
|
|
gh_token: ${{ secrets.GITHUB_TOKEN }}
|
|
duration: '720h'
|