From fa76c249b82936df49a3d371984c005da164b53e Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 15 Jan 2023 07:38:54 -0800
Subject: [PATCH 01/28] Create kb-test.yml

---
 .github/workflows/kb-test.yml | 38 +++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/kb-test.yml

diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml
new file mode 100644
index 000000000..c129faa68
--- /dev/null
+++ b/.github/workflows/kb-test.yml
@@ -0,0 +1,38 @@
+name: Knowledge-base Test
+on:
+  push:
+    branches:
+      - knowledge-base # to test new KBs
+
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}
+jobs:
+  test:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1
+        with:
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            proxy.golang.org:443
+            sum.golang.org:443
+            storage.googleapis.com:443
+            objects.githubusercontent.com:443
+            golang.org:443
+      - name: Checkout
+        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up Go
+        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
+        with:
+          go-version: 1.17
+      - name: Run coverage
+        run: go test ./... -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic
+        env:
+          PAT: ${{ secrets.PAT }}
\ No newline at end of file

From 4b28f43fa9c5e7efbfdda16632fbeb8dd9de48f9 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 15 Jan 2023 07:44:37 -0800
Subject: [PATCH 02/28] Delete action-security.yml

Action no longer exists
---
 .../actions/bflad/pr-size-labeler/action-security.yml | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 knowledge-base/actions/bflad/pr-size-labeler/action-security.yml
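Review bot: `ref: ${{ github.event.pull_request.head.sha }}` on the Checkout step resolves to an empty string under this workflow's `push`-only trigger, so actions/checkout silently falls back to the pushed commit and the line is dead configuration; drop the `with:` block, and note that if a pull_request trigger is ever added the same line would check out the PR head while `secrets.PAT` is present in the job environment. `go-version: 1.17` is a plain scalar that YAML parses as a float — harmless for 1.17 but not for a later `1.20` — so quote it as `go-version: "1.17"`. The PAT is exported to `go test ./...` for every package; if only one package's tests need it, passing the secret to that test invocation alone limits what test code can read it.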
diff --git a/knowledge-base/actions/bflad/pr-size-labeler/action-security.yml b/knowledge-base/actions/bflad/pr-size-labeler/action-security.yml
deleted file mode 100644
index 2e924c462..000000000
--- a/knowledge-base/actions/bflad/pr-size-labeler/action-security.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-name: 'Pull Request size labeler'
-github-token:
-  action-input:
-    input: GITHUB_TOKEN
-    is-default: false
-  permissions:
-    pull-requests: write
-    pull-requests-reason: to add labels & comment on PRs #Checkout: https://github.com/bflad/pr-size-labeler/blob/master/src/github.sh#L15
-
-#Fixes #523
\ No newline at end of file

From 3e8bde11e4bc85e53b4db0db1bde94c51021edff Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 15 Jan 2023 07:53:21 -0800
Subject: [PATCH 03/28] Add cache actions

---
 .../actions/actions/cache/restore/action-security.yml | 2 ++
 knowledge-base/actions/actions/cache/save/action-security.yml | 2 ++
 2 files changed, 4 insertions(+)
 create mode 100644 knowledge-base/actions/actions/cache/restore/action-security.yml
 create mode 100644 knowledge-base/actions/actions/cache/save/action-security.yml

diff --git a/knowledge-base/actions/actions/cache/restore/action-security.yml b/knowledge-base/actions/actions/cache/restore/action-security.yml
new file mode 100644
index 000000000..d9b8814f0
--- /dev/null
+++ b/knowledge-base/actions/actions/cache/restore/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Restore Cache' # actions/cache/restore
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/actions/cache/save/action-security.yml b/knowledge-base/actions/actions/cache/save/action-security.yml
new file mode 100644
index 000000000..963a8d7a0
--- /dev/null
+++ b/knowledge-base/actions/actions/cache/save/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Save a cache' # actions/cache/save
+# GITHUB_TOKEN not used
\ No newline at end of file

From c5ea11984bb80953d244351c9554346fed535d92 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 15 Jan 2023 08:09:16 -0800
Subject: [PATCH 04/28] Add more KBs

---
 .../al-cheb/configure-pagefile-action/action-security.yml | 2 ++
 .../anchore/sbom-action/download-syft/action-security.yml | 2 ++
 .../carlosperate/download-file-action/action-security.yml | 2 ++
 .../actions/ilteoood/docker_buildx/action-security.yml | 2 ++
 .../actions/myci-actions/add-deb-repo/action-security.yml | 2 ++
 .../actions/protocol/multiple-go-modules/action-security.yml | 2 ++
 knowledge-base/actions/test-summary/action/action-security.yml | 2 ++
 .../xt0rted/dotnet-format-problem-matcher/action-security.yml | 2 ++
 8 files changed, 16 insertions(+)
 create mode 100644 knowledge-base/actions/al-cheb/configure-pagefile-action/action-security.yml
 create mode 100644 knowledge-base/actions/anchore/sbom-action/download-syft/action-security.yml
 create mode 100644 knowledge-base/actions/carlosperate/download-file-action/action-security.yml
 create mode 100644 knowledge-base/actions/ilteoood/docker_buildx/action-security.yml
 create mode 100644 knowledge-base/actions/myci-actions/add-deb-repo/action-security.yml
 create mode 100644 knowledge-base/actions/protocol/multiple-go-modules/action-security.yml
 create mode 100644 knowledge-base/actions/test-summary/action/action-security.yml
 create mode 100644 knowledge-base/actions/xt0rted/dotnet-format-problem-matcher/action-security.yml

diff --git a/knowledge-base/actions/al-cheb/configure-pagefile-action/action-security.yml b/knowledge-base/actions/al-cheb/configure-pagefile-action/action-security.yml
new file mode 100644
index 000000000..2baf764db
--- /dev/null
+++ b/knowledge-base/actions/al-cheb/configure-pagefile-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Configure Pagefile' # al-cheb/configure-pagefile-action
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/anchore/sbom-action/download-syft/action-security.yml b/knowledge-base/actions/anchore/sbom-action/download-syft/action-security.yml
new file mode 100644
index 000000000..196003651
--- /dev/null
+++ b/knowledge-base/actions/anchore/sbom-action/download-syft/action-security.yml
@@ -0,0 +1,2 @@
+name: "Anchore SBOM Action / Download Syft" # anchore/sbom-action/download-syft
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/carlosperate/download-file-action/action-security.yml b/knowledge-base/actions/carlosperate/download-file-action/action-security.yml
new file mode 100644
index 000000000..d24560dc1
--- /dev/null
+++ b/knowledge-base/actions/carlosperate/download-file-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Download File To Workspace' # carlosperate/download-file-action
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/ilteoood/docker_buildx/action-security.yml b/knowledge-base/actions/ilteoood/docker_buildx/action-security.yml
new file mode 100644
index 000000000..1175dc5e8
--- /dev/null
+++ b/knowledge-base/actions/ilteoood/docker_buildx/action-security.yml
@@ -0,0 +1,2 @@
+name: "Customizable Docker Buildx" # ilteoood/docker_buildx
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/myci-actions/add-deb-repo/action-security.yml b/knowledge-base/actions/myci-actions/add-deb-repo/action-security.yml
new file mode 100644
index 000000000..46769fcec
--- /dev/null
+++ b/knowledge-base/actions/myci-actions/add-deb-repo/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Add debian repository' # myci-actions/add-deb-repo
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/protocol/multiple-go-modules/action-security.yml b/knowledge-base/actions/protocol/multiple-go-modules/action-security.yml
new file mode 100644
index 000000000..8c70e15bf
--- /dev/null
+++ b/knowledge-base/actions/protocol/multiple-go-modules/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Multiple Go Modules' # protocol/multiple-go-modules
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/test-summary/action/action-security.yml b/knowledge-base/actions/test-summary/action/action-security.yml
new file mode 100644
index 000000000..f70bc387d
--- /dev/null
+++ b/knowledge-base/actions/test-summary/action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'TestForest Dashboard' # test-summary/action
+# GITHUB_TOKEN not used
\ No newline at end of file
diff --git a/knowledge-base/actions/xt0rted/dotnet-format-problem-matcher/action-security.yml b/knowledge-base/actions/xt0rted/dotnet-format-problem-matcher/action-security.yml
new file mode 100644
index 000000000..e51ff334e
--- /dev/null
+++ b/knowledge-base/actions/xt0rted/dotnet-format-problem-matcher/action-security.yml
@@ -0,0 +1,2 @@
+name: "Problem Matcher for dotnet-format" # xt0rted/dotnet-format-problem-matcher
+# GITHUB_TOKEN not used
\ No newline at end of file

From 86bfa75eaeda866aa8fff9bf8addc1a8ce6e48dd Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Wed, 25 Jan 2023 20:16:55 +0000
Subject: [PATCH 05/28] added action-security.yml for matrix-org/setup-python-poetry

---
 .../actions/matrix-org/setup-python-poetry/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/matrix-org/setup-python-poetry/action-security.yml

diff --git a/knowledge-base/actions/matrix-org/setup-python-poetry/action-security.yml b/knowledge-base/actions/matrix-org/setup-python-poetry/action-security.yml
new file mode 100644
index 000000000..c6f194a45
--- /dev/null
+++ b/knowledge-base/actions/matrix-org/setup-python-poetry/action-security.yml
@@ -0,0 +1,2 @@
+name: Setup Python and Poetry # matrix-org/setup-python-poetry
+# GITHUB_TOKEN not used

From 25518159513b23abb9701429547f7a37f97372ab Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Wed, 25 Jan 2023 20:16:59 +0000
Subject: [PATCH 06/28] added action-security.yml for matrix-org/done-action

---
 .../actions/matrix-org/done-action/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/matrix-org/done-action/action-security.yml

diff --git a/knowledge-base/actions/matrix-org/done-action/action-security.yml b/knowledge-base/actions/matrix-org/done-action/action-security.yml
new file mode 100644
index 000000000..11d5aab27
--- /dev/null
+++ b/knowledge-base/actions/matrix-org/done-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Done' # matrix-org/done-action
+# GITHUB_TOKEN not used

From 135a4e1a65b96f4b6c61bf590535538da733cfec Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Thu, 26 Jan 2023 21:35:58 +0000
Subject: [PATCH 07/28] added action-security.yml for snok/install-poetry

---
 knowledge-base/actions/snok/install-poetry/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/snok/install-poetry/action-security.yml

diff --git a/knowledge-base/actions/snok/install-poetry/action-security.yml b/knowledge-base/actions/snok/install-poetry/action-security.yml
new file mode 100644
index 000000000..c90c311b2
--- /dev/null
+++ b/knowledge-base/actions/snok/install-poetry/action-security.yml
@@ -0,0 +1,2 @@
+# Action is docker or composite based.
+#Need to perform manual analysis
\ No newline at end of file

From 468b02dcaf35bfe04782f4e01c12883714933159 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Fri, 27 Jan 2023 15:11:58 +0000
Subject: [PATCH 08/28] added action-security.yml for giantswarm/install-binary-action

---
 .../giantswarm/install-binary-action/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/giantswarm/install-binary-action/action-security.yml
diff --git a/knowledge-base/actions/giantswarm/install-binary-action/action-security.yml b/knowledge-base/actions/giantswarm/install-binary-action/action-security.yml
new file mode 100644
index 000000000..c8bf6180f
--- /dev/null
+++ b/knowledge-base/actions/giantswarm/install-binary-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Install Tool' # giantswarm/install-binary-action
+# GITHUB_TOKEN not used

From ab9654a152a5ee8c33729d58d69b56a86b06c739 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Fri, 27 Jan 2023 20:14:41 +0000
Subject: [PATCH 09/28] added action-security.yml for pnpm/action-setup

---
 knowledge-base/actions/pnpm/action-setup/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/pnpm/action-setup/action-security.yml

diff --git a/knowledge-base/actions/pnpm/action-setup/action-security.yml b/knowledge-base/actions/pnpm/action-setup/action-security.yml
new file mode 100644
index 000000000..c6b79016f
--- /dev/null
+++ b/knowledge-base/actions/pnpm/action-setup/action-security.yml
@@ -0,0 +1,2 @@
+name: Setup pnpm # pnpm/action-setup
+# GITHUB_TOKEN not used

From 5b46397d6f9a61d74b73d1f4558b5f20baadd534 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Sat, 28 Jan 2023 02:53:35 +0000
Subject: [PATCH 10/28] added action-security.yml for SAP/project-piper-action

---
 .../actions/sap/project-piper-action/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/sap/project-piper-action/action-security.yml

diff --git a/knowledge-base/actions/sap/project-piper-action/action-security.yml b/knowledge-base/actions/sap/project-piper-action/action-security.yml
new file mode 100644
index 000000000..23d5a8b4c
--- /dev/null
+++ b/knowledge-base/actions/sap/project-piper-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Project "Piper" Action' # SAP/project-piper-action
+# GITHUB_TOKEN not used

From 519481581d132d9e74c477820b59817b91577e0a Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Fri, 27 Jan 2023 23:59:10 -0800
Subject: [PATCH 11/28] Update KB

---
 .../actions/snok/install-poetry/action-security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/knowledge-base/actions/snok/install-poetry/action-security.yml b/knowledge-base/actions/snok/install-poetry/action-security.yml
index c90c311b2..230948156 100644
--- a/knowledge-base/actions/snok/install-poetry/action-security.yml
+++ b/knowledge-base/actions/snok/install-poetry/action-security.yml
@@ -1,2 +1,2 @@
-# Action is docker or composite based.
-#Need to perform manual analysis
\ No newline at end of file
+name: "Install Poetry Action" #snok/install-poetry
+# GITHUB_TOKEN not used

From 5ee0722dc919d66dbbb216e4c2ca514f2e90f5e7 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Tue, 31 Jan 2023 00:52:10 +0000
Subject: [PATCH 12/28] added action-security.yml for isbang/setup-awscli

---
 knowledge-base/actions/isbang/setup-awscli/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/isbang/setup-awscli/action-security.yml

diff --git a/knowledge-base/actions/isbang/setup-awscli/action-security.yml b/knowledge-base/actions/isbang/setup-awscli/action-security.yml
new file mode 100644
index 000000000..7784fbd72
--- /dev/null
+++ b/knowledge-base/actions/isbang/setup-awscli/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Setup AWS cli' # isbang/setup-awscli
+# GITHUB_TOKEN not used

From 93bc03cc484d6b770be70ed6e9a025d6d6ed7efa Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Tue, 31 Jan 2023 13:35:28 +0000
Subject: [PATCH 13/28] added action-security.yml for roryprimrose/set-vs-sdk-project-version

---
 .../roryprimrose/set-vs-sdk-project-version/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml
diff --git a/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml b/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml
new file mode 100644
index 000000000..50a3b11de
--- /dev/null
+++ b/knowledge-base/actions/roryprimrose/set-vs-sdk-project-version/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Version Visual Studio SDK projects' # roryprimrose/set-vs-sdk-project-version
+# GITHUB_TOKEN not used

From 73165f3e450e809f44bf6da8835906c416fac806 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 5 Feb 2023 23:06:58 -0800
Subject: [PATCH 14/28] [KB] Add GitHub token permissions for step-security/wait-for-secrets (#1856)

---
 .../step-security/wait-for-secrets/action-security.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 knowledge-base/actions/step-security/wait-for-secrets/action-security.yml

diff --git a/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
new file mode 100644
index 000000000..cef0fc602
--- /dev/null
+++ b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
@@ -0,0 +1,7 @@
+name: "Wait for secrets"
+github-token:
+  action-input:
+    input: token
+    is-default: true
+  permissions:
+    id-token: write

From 8677bd48822bdd0abfd50da8defcd95bda64ca99 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 5 Feb 2023 23:12:22 -0800
Subject: [PATCH 15/28] [KB] Add GitHub token permissions for codfish/semantic-release-action (#1863)

---
 .../codfish/semantic-release-action/action-security.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 knowledge-base/actions/codfish/semantic-release-action/action-security.yml

diff --git a/knowledge-base/actions/codfish/semantic-release-action/action-security.yml b/knowledge-base/actions/codfish/semantic-release-action/action-security.yml
new file mode 100644
index 000000000..59938e98f
--- /dev/null
+++ b/knowledge-base/actions/codfish/semantic-release-action/action-security.yml
@@ -0,0 +1,7 @@
+name: 'Semantic Release Action'
+github-token:
+  environment-variable-name: GITHUB_TOKEN
+  is-default: false
+  permissions:
+    contents: write
+    contents-reason: to create release tags

From aba415ac7941863c32283efd353aeb1aa40f8cf8 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 5 Feb 2023 23:36:27 -0800
Subject: [PATCH 16/28] Update action-security.yml

---
 .../actions/step-security/wait-for-secrets/action-security.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
index cef0fc602..1a984d6c8 100644
--- a/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
+++ b/knowledge-base/actions/step-security/wait-for-secrets/action-security.yml
@@ -5,3 +5,4 @@ github-token:
     is-default: true
   permissions:
     id-token: write
+    id-token-reason: to authenticate Action to API

From 96955ce5f132030704d5599eefad3d62d93f2fa8 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 5 Feb 2023 23:42:24 -0800
Subject: [PATCH 17/28] [KB] Add GitHub token permissions for changesets/action (#1871)

---
 .../actions/changesets/action/action-security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 knowledge-base/actions/changesets/action/action-security.yml

diff --git a/knowledge-base/actions/changesets/action/action-security.yml b/knowledge-base/actions/changesets/action/action-security.yml
new file mode 100644
index 000000000..91e20bd67
--- /dev/null
+++ b/knowledge-base/actions/changesets/action/action-security.yml
@@ -0,0 +1,8 @@
+name: Changesets
+github-token:
+  environment-variable-name: GITHUB_TOKEN
+  permissions:
+    pull-requests: write
+    pull-requests-reason: to create PRs # https://github.com/changesets/action/issues/220#issuecomment-1272514354
+    contents: write
+    contents-reason: to push to the repo # https://github.com/changesets/action/issues/220#issuecomment-1272514354

From 1d6439712727805edc0297cda35f334c7efc3193 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 5 Feb 2023 23:49:01 -0800
Subject: [PATCH 18/28] [KB] Add GitHub token permissions for peaceiris/actions-mdbook (#1885)

---
 .../actions/peaceiris/actions-mdbook/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml

diff --git a/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml b/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml
new file mode 100644
index 000000000..f59b1334b
--- /dev/null
+++ b/knowledge-base/actions/peaceiris/actions-mdbook/action-security.yml
@@ -0,0 +1,2 @@
+name: 'mdBook Action'
+# GITHUB_TOKEN not used

From f69f03b9ad3a473bfa9655ddaac5554b7c2c9322 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 5 Feb 2023 23:57:23 -0800
Subject: [PATCH 19/28] [KB] Add GitHub token permissions for actions/delete-package-versions (#1887)

---
 .../actions/delete-package-versions/action-security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 knowledge-base/actions/actions/delete-package-versions/action-security.yml

diff --git a/knowledge-base/actions/actions/delete-package-versions/action-security.yml b/knowledge-base/actions/actions/delete-package-versions/action-security.yml
new file mode 100644
index 000000000..0a4986013
--- /dev/null
+++ b/knowledge-base/actions/actions/delete-package-versions/action-security.yml
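Review bot: The changesets entry declares `environment-variable-name: GITHUB_TOKEN` without an `is-default` key, whereas the codfish entry in patch 15 pairs the same key with `is-default: false`; if the consumer of these files treats a missing `is-default` differently from an explicit value, the two entries will be recommended differently for no documented reason. Adding `  is-default: true` (or `false`, whichever reflects whether the action works with the repository's default token) directly under `environment-variable-name` would make the intent explicit and the two entries consistent. This is inferred from the two entries on this page, not from the KB schema, so confirm against it.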
@@ -0,0 +1,8 @@
+name: Delete Package Versions
+github-token:
+  action-input:
+    input: token
+    is-default: true
+  permissions:
+    packages: write
+    packages-reason: to delete packages

From 7aa3f02a2eda475b955054020d17045dc26ce7df Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 6 Feb 2023 00:01:42 -0800
Subject: [PATCH 20/28] [KB] Add GitHub token permissions for arduino/setup-protoc (#1888)

---
 knowledge-base/actions/arduino/setup-protoc/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/arduino/setup-protoc/action-security.yml

diff --git a/knowledge-base/actions/arduino/setup-protoc/action-security.yml b/knowledge-base/actions/arduino/setup-protoc/action-security.yml
new file mode 100644
index 000000000..d469d6890
--- /dev/null
+++ b/knowledge-base/actions/arduino/setup-protoc/action-security.yml
@@ -0,0 +1,2 @@
+name: 'Setup protoc'
+# GITHUB_TOKEN only used to prevent throttling

From 2582288f3730790f4b2fd5fc55cf3d4b7a34fbc9 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 6 Feb 2023 00:09:24 -0800
Subject: [PATCH 21/28] [KB] Add GitHub token permissions for actions/add-to-project (#1889)

---
 .../actions/actions/add-to-project/action-security.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 knowledge-base/actions/actions/add-to-project/action-security.yml

diff --git a/knowledge-base/actions/actions/add-to-project/action-security.yml b/knowledge-base/actions/actions/add-to-project/action-security.yml
new file mode 100644
index 000000000..6dc15d8a1
--- /dev/null
+++ b/knowledge-base/actions/actions/add-to-project/action-security.yml
@@ -0,0 +1,8 @@
+name: Add To GitHub projects
+github-token:
+  action-input:
+    input: github-token
+    is-default: false
+  permissions:
+    repository-projects: write
+    repository-projects-reason: to assign issues and PRs to repo project

From 89a6399a519f221b3b08a397c431b931e630395f Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Thu, 9 Mar 2023 16:30:48 +0000
Subject: [PATCH 22/28] added action-security.yml for GabrielBB/xvfb-action

---
 .../actions/gabrielbb/xvfb-action/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/gabrielbb/xvfb-action/action-security.yml

diff --git a/knowledge-base/actions/gabrielbb/xvfb-action/action-security.yml b/knowledge-base/actions/gabrielbb/xvfb-action/action-security.yml
new file mode 100644
index 000000000..c1d9c156f
--- /dev/null
+++ b/knowledge-base/actions/gabrielbb/xvfb-action/action-security.yml
@@ -0,0 +1,2 @@
+name: 'gabrielbb/xvfb-action' # GabrielBB/xvfb-action
+# GITHUB_TOKEN not used

From 50035ce64d5bf302764c78f3c3bc95f9a0af36d0 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Tue, 14 Mar 2023 19:39:25 +0000
Subject: [PATCH 23/28] added action-security.yml for uraimo/run-on-arch-action

---
 .../actions/uraimo/run-on-arch-action/action-security.yml | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml

diff --git a/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
new file mode 100644
index 000000000..e90cf5754
--- /dev/null
+++ b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
@@ -0,0 +1 @@
+# Error in determining permissions
\ No newline at end of file

From 76d453071361ec06c9a89f382ac5059d9b9debe6 Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Tue, 14 Mar 2023 19:39:32 +0000
Subject: [PATCH 24/28] added action-security.yml for lukka/run-cmake

---
 knowledge-base/actions/lukka/run-cmake/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/lukka/run-cmake/action-security.yml
diff --git a/knowledge-base/actions/lukka/run-cmake/action-security.yml b/knowledge-base/actions/lukka/run-cmake/action-security.yml
new file mode 100644
index 000000000..b82a5a4d8
--- /dev/null
+++ b/knowledge-base/actions/lukka/run-cmake/action-security.yml
@@ -0,0 +1,2 @@
+name: 'run-cmake' # lukka/run-cmake
+# GITHUB_TOKEN not used

From 11073dee261d2b51266747a9e66506e2e446642f Mon Sep 17 00:00:00 2001
From: step-security-bot
Date: Tue, 14 Mar 2023 20:21:41 +0000
Subject: [PATCH 25/28] added action-security.yml for RustCrypto/actions/cargo-cache

---
 .../actions/rustcrypto/actions/cargo-cache/action-security.yml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 knowledge-base/actions/rustcrypto/actions/cargo-cache/action-security.yml

diff --git a/knowledge-base/actions/rustcrypto/actions/cargo-cache/action-security.yml b/knowledge-base/actions/rustcrypto/actions/cargo-cache/action-security.yml
new file mode 100644
index 000000000..12df600bb
--- /dev/null
+++ b/knowledge-base/actions/rustcrypto/actions/cargo-cache/action-security.yml
@@ -0,0 +1,2 @@
+name: "cargo-cache" # RustCrypto/actions/cargo-cache
+# GITHUB_TOKEN not used

From 40496774afbb1a565611a4bfa5ba0f12b3b04084 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 19 Mar 2023 13:14:16 -0700
Subject: [PATCH 26/28] Update action-security.yml

---
 .../uraimo/run-on-arch-action/action-security.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
index e90cf5754..01bd03ca2 100644
--- a/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
+++ b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
@@ -1 +1,8 @@
-# Error in determining permissions
\ No newline at end of file
+name: 'Run on architecture'
+github-token:
+  action-input:
+    input: githubToken
+    is-default: false
+  permissions:
+    packages: write
+    packages-reason: to caching Docker images #Reference: https://github.com/uraimo/run-on-arch-action/blob/a8003307a739516fdd80ee6d3da8924db811b8da/action.yml#L17

From 5d54faa95b395e724c9c5930c256de55cfc67a78 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Sun, 19 Mar 2023 13:15:24 -0700
Subject: [PATCH 27/28] Update action-security.yml

---
 .../actions/uraimo/run-on-arch-action/action-security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
index 01bd03ca2..124bc75ca 100644
--- a/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
+++ b/knowledge-base/actions/uraimo/run-on-arch-action/action-security.yml
@@ -5,4 +5,4 @@ github-token:
     is-default: false
   permissions:
     packages: write
-    packages-reason: to caching Docker images #Reference: https://github.com/uraimo/run-on-arch-action/blob/a8003307a739516fdd80ee6d3da8924db811b8da/action.yml#L17
+    packages-reason: to cache docker images #Reference: https://github.com/uraimo/run-on-arch-action/blob/a8003307a739516fdd80ee6d3da8924db811b8da/action.yml#L17

From b83b685f2d339ba25736616646be74ea1d0aef92 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 19 Mar 2023 13:54:22 -0700
Subject: [PATCH 28/28] [KB] Add GitHub token permissions for actions/dependency-review-action (#1995)

---
 .../actions/dependency-review-action/action-security.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 knowledge-base/actions/actions/dependency-review-action/action-security.yml
diff --git a/knowledge-base/actions/actions/dependency-review-action/action-security.yml b/knowledge-base/actions/actions/dependency-review-action/action-security.yml
new file mode 100644
index 000000000..3b1493c23
--- /dev/null
+++ b/knowledge-base/actions/actions/dependency-review-action/action-security.yml
@@ -0,0 +1,9 @@
+name: 'Dependency Review'
+github-token:
+  action-input:
+    input: repo-token
+    is-default: true
+  permissions:
+    pull-requests: write
+    pull-requests-reason: to post comments on PRs #Checkout: https://github.com/actions/dependency-review-action/blob/e3fb5152be474702523c77d8f5ecd4c0a5bde872/action.yml#L44
+    pull-requests-if: ${{ contains(with, 'comment-summary-in-pr') && with['comment-summary-in-pr'] == 'true' }}
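Review bot: The `pull-requests-if` condition on the last line compares `with['comment-summary-in-pr']` against the string `'true'` only; a workflow that writes `comment-summary-in-pr: true` as a bare YAML boolean would not match if the consumer evaluates `with` values with their parsed types, and the `pull-requests: write` recommendation would then be skipped for a workflow that does post comments. Whether the consumer stringifies `with` values before evaluation is not visible on this page, so confirm it against the evaluator; if it does not, a comparison that also accepts the boolean form is the safer condition. Separately, `#Checkout:` on the `pull-requests-reason` line lacks the space after `#` used by the other entries in this series, e.g. `# Checkout:`.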