diff --git a/.github/workflows/book-tests.yml b/.github/workflows/book-tests.yml index 77c40eb7..6832dbad 100644 --- a/.github/workflows/book-tests.yml +++ b/.github/workflows/book-tests.yml @@ -9,6 +9,9 @@ on: paths: - 'book/**' +permissions: + contents: read + jobs: test: runs-on: warp-ubuntu-latest-x64-16x @@ -16,7 +19,12 @@ jobs: timeout-minutes: 60 steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install mdbook run: | @@ -38,7 +46,12 @@ jobs: timeout-minutes: 60 steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install mdbook-linkcheck run: | diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ff824e69..1a8d279e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -26,8 +26,13 @@ jobs: runner: warp-ubuntu-latest-arm64-16x runs-on: ${{ matrix.config.runner }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set env run: | 
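Review bot: The new top-level `permissions:` / `  contents: read` block is added only to book-tests.yml; none of the other six workflows touched by this diff (build, release, lint, test, kurtosis_integration, websocket-proxy-ci) get one, so their GITHUB_TOKEN keeps whatever default scope the repository grants, which is something harden-runner cannot fix. Add the same two lines at the top of each of those files; only release.yml's github-release job, which hands GITHUB_TOKEN to actions/create-release, would then need a job-level `permissions: contents: write` override. Whether the repository default is already read-only is not visible here, so confirm it in repository settings rather than relying on it.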
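Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections; nothing is blocked, so a compromised dependency pulled in by the `Install mdbook` step that follows this hunk can still reach any host it likes. The usual path is to run in audit for a few builds, then switch to `egress-policy: block` with an explicit `allowed-endpoints:` list (github.com:443, api.github.com:443, the crates.io hosts, …) taken from the audit report, and the step name should then drop "Audit". Also note these jobs run on `warp-ubuntu-latest-x64-16x`, a third-party runner rather than a GitHub-hosted one; harden-runner's support for other runner providers varies, so verify from the job log that its agent actually starts there rather than assuming the step is doing anything.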
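Review bot: `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0` freezes build.yml on the end-of-life v2 line, while book-tests.yml in this same diff moves to `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. Pinning by SHA is the right mechanism, but pinning a stale major means automated bumps will only ever offer v2.x patches; use the v4.2.2 SHA here (and in the matching lint.yml and release.yml hunks) so every workflow checks out with the same maintained action. A plain checkout with no `with:` inputs, as here, needs no other change for v4.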
@@ -36,25 +41,25 @@ jobs: - name: Extract metadata (tags, labels) for Docker images id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: ${{ env.REGISTRY_IMAGE }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.FLASHBOTS_DOCKERHUB_USERNAME }} password: ${{ secrets.FLASHBOTS_DOCKERHUB_TOKEN }} - name: Build and push id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: cache-from: type=gha cache-to: type=gha,mode=max @@ -70,7 +75,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: digests-${{ env.PLATFORM_PAIR }} path: /tmp/digests/* 
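Review bot: The trailing `# v4.6.0`, `# v3.6.0`, `# v3.11.1` … comments are now the only human-readable record of what each SHA is, and Dependabot/Renovate key off exactly that comment when proposing a bump, so a comment that drifts from its SHA causes the next automated update to re-pin the wrong thing. Make sure a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (or the Renovate equivalent) exists so these pins are kept fresh; SHA-pinned actions that nobody bumps become the opposite problem, frozen on builds that miss known fixes. I cannot see from this diff whether such a config already exists in the repository.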
@@ -82,25 +87,30 @@ jobs: needs: - build steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.FLASHBOTS_DOCKERHUB_USERNAME }} password: ${{ secrets.FLASHBOTS_DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY_IMAGE }} tags: | diff --git a/.github/workflows/kurtosis_integration.yml b/.github/workflows/kurtosis_integration.yml index 10da688a..6711bffe 100644 --- a/.github/workflows/kurtosis_integration.yml +++ b/.github/workflows/kurtosis_integration.yml 
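Review bot: The merge job pins `docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0` while the build job in the hunk above pins `docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0` for the same `REGISTRY_IMAGE`; a v4/v5 split is at best needless drift and at worst produces different tag sets for the manifest list and the per-platform images it references. Pin both jobs to the v5.7.0 SHA by changing the build job's line to `uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0`, then check the `tags:` block that continues past the end of this hunk still yields the expected tags. The same v4/v5 split exists between the two jobs in release.yml.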
@@ -19,22 +19,27 @@ jobs: runs-on: warp-ubuntu-latest-x64-16x steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable with: toolchain: stable profile: minimal - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0 with: version: nightly - name: Install Just - uses: taiki-e/install-action@just + uses: taiki-e/install-action@faec66f5449ec96c1878d9963e0b2bc834c27f3b # just - name: Setup Kurtosis shell: bash @@ -47,7 +52,7 @@ jobs: echo "$(dirname $(which kurtosis))" >> $GITHUB_PATH - name: Setup K8s - uses: medyagh/setup-minikube@latest + uses: medyagh/setup-minikube@cea33675329b799adccc9526aa5daccc26cd5052 # latest - name: Get Kubeconfig id: kubeconfig @@ -81,7 +86,7 @@ jobs: kurtosis cluster set minikube - name: Run kurtosis gateway in background - uses: JarvusInnovations/background-action@v1 + uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1.0.7 with: run: | kurtosis gateway diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 8bfc3186..9ddef332 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml 
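Review bot: Pinning the action SHAs does not pin what these steps download: `foundry-rs/foundry-toolchain` is still told `version: nightly`, `dtolnay/rust-toolchain` still resolves `toolchain: stable` at run time, and the `Setup Kurtosis` step (its `run:` body lies past the end of this hunk) presumably fetches a binary by script, so most of the supply-chain exposure this PR targets sits in those downloads rather than in the action code. Pin foundry to a dated build, e.g. `version: nightly-<date>` or a tagged release, and pin the kurtosis version in its install script. The `# stable` and `# latest` trailing comments on the dtolnay and medyagh pins are branch names, not versions; since update tooling keys off that comment, replace them with a real tag where one exists, or at least `# <branch> as of <date>` so a reader does not assume the SHA still tracks latest.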
@@ -11,11 +11,16 @@ jobs: runs-on: warp-ubuntu-latest-x64-16x steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable with: toolchain: stable override: true @@ -31,5 +36,5 @@ jobs: run: cargo fmt --all -- --check - name: Deny - uses: EmbarkStudios/cargo-deny-action@v2 + uses: EmbarkStudios/cargo-deny-action@30f817c6f72275c6d54dc744fbca09ebc958599f # v2.0.12 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3985e478..f3750298 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,8 +24,13 @@ jobs: runner: warp-ubuntu-latest-arm64-16x runs-on: ${{ matrix.config.runner }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout sources - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set env run: | 
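Review bot: `override: true` under the newly pinned `dtolnay/rust-toolchain` step (and `profile: minimal` in the kurtosis workflow) are inputs from the old actions-rs/toolchain action; as far as I can tell dtolnay/rust-toolchain declares only `toolchain`, `targets`/`target` and `components`, so the runner prints an "Unexpected input" warning and the key does nothing. Now that the action is pinned to commit 4305c38b it is easy to confirm against that commit's action.yml; if confirmed, drop `override: true` here and in test.yml and websocket-proxy-ci.yaml. The `actions/checkout@ee0669bd… # v2.7.0` pin in this hunk has the same stale-major problem as build.yml and should move to the v4.2.2 SHA used elsewhere in this diff.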
@@ -40,25 +45,25 @@ jobs: - name: Extract metadata (tags, labels) for Docker images id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: ${{ env.REGISTRY_IMAGE }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.FLASHBOTS_DOCKERHUB_USERNAME }} password: ${{ secrets.FLASHBOTS_DOCKERHUB_TOKEN }} - name: Build and push id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: cache-from: type=gha cache-to: type=gha,mode=max @@ -76,7 +81,7 @@ jobs: touch "/tmp/digests/${digest#sha256:}" - name: Upload digest - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: digests-${{ env.PLATFORM_PAIR }} path: /tmp/digests/* 
@@ -88,25 +93,30 @@ jobs: needs: - release steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: username: ${{ secrets.FLASHBOTS_DOCKERHUB_USERNAME }} password: ${{ secrets.FLASHBOTS_DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Docker meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY_IMAGE }} tags: | @@ -128,12 +138,17 @@ jobs: github-release: runs-on: warp-ubuntu-latest-x64-16x steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout sources - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 32996fec..e1c48e25 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
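Review bot: `actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4` in the github-release job pins an action that GitHub archived and no longer maintains, so the SHA pin preserves a dead dependency rather than reducing risk. Replace it with a `run:` step using the GitHub CLI, `gh release create "$TAG" --title "$TAG" --notes-file notes.md` with the same `GITHUB_TOKEN` in `env:` (the CLI is preinstalled on GitHub's ubuntu images; verify it is present on the warp runner), or with a maintained, SHA-pinned action such as softprops/action-gh-release. Either way this job needs `permissions: contents: write` if release.yml gains a read-only top-level `permissions:` block like book-tests.yml did; the `with:` inputs of the create-release step continue past the end of this hunk.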
@@ -13,12 +13,17 @@ jobs: name: Run tests runs-on: warp-ubuntu-latest-x64-16x steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable with: toolchain: stable - name: Install cargo-nextest - uses: taiki-e/install-action@nextest + uses: taiki-e/install-action@ee97d2538f5fb3d2572b24f0dd624462d84176b4 # nextest - name: Build the binary run: cargo build diff --git a/.github/workflows/websocket-proxy-ci.yaml b/.github/workflows/websocket-proxy-ci.yaml index f227a9ee..b0a36df6 100644 --- a/.github/workflows/websocket-proxy-ci.yaml +++ b/.github/workflows/websocket-proxy-ci.yaml @@ -16,8 +16,13 @@ jobs: run: working-directory: "./crates/websocket-proxy" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Install Redis for tests run: | @@ -25,14 +30,14 @@ jobs: sudo apt-get install -y redis - name: Set up Rust - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable with: toolchain: stable override: true components: rustfmt - name: Cache dependencies - uses: Swatinem/rust-cache@v2 + uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8 - name: Run build run: cargo build 
@@ -53,13 +58,18 @@ jobs: name: Docker Build runs-on: warp-ubuntu-latest-x64-16x steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . push: false
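Review bot: This job pins `docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0` while build.yml and release.yml in this same diff pin `docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0`; there is no reason for the PR-time image build to stay a major behind the release build, and two pins of one action double the update surface. Use the v6.18.0 SHA here as well. Because this job only builds with `push: false` and never logs in to a registry, it is also the easiest candidate to move to `egress-policy: block` once the audit runs show which hosts the Dockerfile's build stages fetch from.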