From 555410249ae6b474e74cc91d812c888b9eb8876c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?=
Date: Mon, 23 Mar 2026 13:54:55 +0100
Subject: [PATCH 1/6] Setup Dependabot
---
 .github/dependabot.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..1ace442
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,22 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+
+ - package-ecosystem: "mix"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
+
+ - package-ecosystem: "npm"
+ directory: "/assets"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 7
From 285ab28ecce7bc9bbcbae8518d90b30715751871 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?=
Date: Mon, 23 Mar 2026 13:55:37 +0100
Subject: [PATCH 2/6] Setup CI Scanning via codeql / zizmor
---
 .github/workflows/codeql.yml | 52 ++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..0204068
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,52 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+ schedule:
+ - cron: "29 8 * * 1"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: "ubuntu-latest"
+ permissions:
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+ with:
+ category: "/language:${{matrix.language}}"
+
+ zizmor:
+ name: Zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
From 5ee2f2877f5d6b18e0f3b7abde813b3269d617cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?=
Date: Mon, 23 Mar 2026 13:58:14 +0100
Subject: [PATCH 3/6] Add explicit minimal permissions to CI workflow
Fixes zizmor excessive-permissions audit warning by explicitly setting read-only contents permission instead of using defaults. https://docs.zizmor.sh/audits/#excessive-permissions
---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 2d65def..00eb8d5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
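Review bot: The job-level `permissions:` blocks on both the analyze and the zizmor job grant only `security-events: write`, and a job-level block replaces the workflow-level one instead of extending it, so the top-level `contents: read` does not reach either job. Whether `actions/checkout` still succeeds with a token that has no `contents` scope depends on the repository's visibility, and the CodeQL template grants the scopes explicitly for that reason; I would write each block as `permissions:` / `contents: read` / `actions: read` / `security-events: write`. Minor style point in the same hunk: `category: "/language:${{matrix.language}}"` omits the spaces inside the braces that every other expression in the file uses.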
@@ -2,6 +2,9 @@ name: CI on: [push, pull_request] +permissions: + contents: read + jobs: test: env: From 3a1b23372be0114400422e011b81b133393e192e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Mon, 23 Mar 2026 13:59:12 +0100 Subject: [PATCH 4/6] Pin GitHub Actions --- .github/workflows/main.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 00eb8d5..722051b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,9 +11,9 @@ jobs: MIX_ENV: test runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - - uses: erlef/setup-beam@v1 + - uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 with: otp-version: 27.2 elixir-version: 1.18.1 @@ -47,14 +47,14 @@ jobs: WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCLOUD_WORKFLOW_IDENTITY_POOL_PROVIDER }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Google auth id: auth - uses: 'google-github-actions/auth@v2' + uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed' # v2.1.13 if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} with: token_format: 'access_token' @@ -64,7 +64,7 @@ jobs: - name: Docker Auth id: docker-auth - uses: 'docker/login-action@v3' + uses: 'docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9' # v3.7.0 if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} with: registry: gcr.io 
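Review bot: The new workflow-level `permissions: contents: read` switches every other scope off for any job that does not declare its own `permissions:` block, and the jobs later in this file authenticate with `google-github-actions/auth` via `workload_identity_provider` (hunks at lines 47 and 113 of the following patch), which requires an OIDC token and therefore `id-token: write`. Any job-level `permissions:` those jobs may already have is outside the hunks shown, so I cannot tell whether this is covered; if it is not, each job running the auth step needs `permissions:` / `contents: read` / `id-token: write`, and the step's `if:` guard will not save the non-PR runs from failing at the token request.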
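Review bot: The test job's pin `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0` freezes a major that the rest of the repository has moved past: the publish job in the same file pins `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` and the new codeql workflow uses v6.0.2. As far as I recall the v2 line predates the current Node runtime on the runners, so this pin is the one most likely to be flagged by the scanners this series introduces; I would align it with the v4.3.1 SHA used at line 47 (or the v6.0.2 one from codeql.yml) in this commit. The job body continues outside the hunk.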
@@ -73,7 +73,7 @@ jobs: - name: Build and push by digest id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: platforms: ${{ matrix.platform }} outputs: type=image,name=gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} @@ -89,7 +89,7 @@ jobs: - name: Upload digest if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: digests-${{ matrix.runner }} path: /tmp/digests/* @@ -113,23 +113,23 @@ jobs: - name: Set short git commit SHA run: echo "COMMIT_SHORT_SHA=${GITHUB_SHA::7}" >> $GITHUB_ENV - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Google auth id: auth - uses: 'google-github-actions/auth@v2' + uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed' # v2.1.13 with: token_format: 'access_token' project_id: ${{ env.PROJECT_ID }} service_account: ${{ env.SERVICE_ACCOUNT }} workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }} - name: Docker Auth - uses: 'docker/login-action@v3' + uses: 'docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9' # v3.7.0 with: registry: gcr.io username: 'oauth2accesstoken' From a774030e6cb8e8b48b41d7b91d67fe16253b1559 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Mon, 23 Mar 2026 14:00:15 +0100 Subject: [PATCH 5/6] Disable persist-credentials for actions/checkout --- .github/workflows/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 722051b..1ae1bb9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + with: + persist-credentials: false - uses: erlef/setup-beam@ee09b1e59bb240681c382eb1f0abc6a04af72764 # v1.23.0 with: @@ -48,6 +50,8 @@ jobs: steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 From 9928c57bd7211ff28751509874ae50af831f41ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Mon, 23 Mar 2026 14:01:29 +0100 Subject: [PATCH 6/6] Bash Escape Command Interpolations --- .github/workflows/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1ae1bb9..8d3d990 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -88,8 +88,10 @@ jobs: if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} run: | mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" + digest="${DIGEST}" touch "/tmp/digests/${digest#sha256:}" + env: + DIGEST: ${{ steps.build.outputs.digest }} - name: Upload digest if: ${{ github.event_name != 'pull_request' && env.SERVICE_ACCOUNT != '' }} 
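Review bot: Moving the digest into `env:` fixes the interpolation, but the script still has no guard for an empty value: with `DIGEST` empty, `digest="${DIGEST}"` followed by `touch "/tmp/digests/${digest#sha256:}"` touches the directory itself, the step passes, and the later `imagetools create` step runs with no digests (its `*` glob then stays literal). I would add `[ -n "${DIGEST}" ] || { echo "build step produced no digest" >&2; exit 1; }` before the `touch` so a build that silently reports nothing fails here instead of at the manifest step. The step's `- name:` line is above the hunk.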
@@ -142,5 +144,5 @@ jobs:
 working-directory: /tmp/digests
 run: |
 docker buildx imagetools create \
- -t gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHORT_SHA }} \
- $(printf 'gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+ -t gcr.io/${PROJECT_ID}/${IMAGE_NAME}:${COMMIT_SHORT_SHA} \
+ $(printf 'gcr.io/${PROJECT_ID}/${IMAGE_NAME}@sha256:%s ' *)