From bb68e89e53e06bbe9f1840fa7472b95d0fd4ca87 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 13 Sep 2024 10:22:51 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 66 ++++++++++++++++
 .github/workflows/celo-monorepo.yml | 58 ++++++++++----
 .github/workflows/codeql.yml | 78 +++++++++++++++++++
 .github/workflows/containers.yaml | 9 ++-
 .github/workflows/dependency-review.yaml | 9 ++-
 .github/workflows/protocol-devchain-anvil.yml | 24 ++++--
 .github/workflows/protocol-devchain.yml | 14 +++-
 .github/workflows/protocol_tests.yml | 13 +++-
 .../publish-contracts-abi-release.yml | 14 +++-
 .github/workflows/scorecard.yml | 7 +-
 .github/workflows/stale.yml | 10 ++-
 .pre-commit-config.yaml | 19 +++++
 dockerfiles/all-monorepo/Dockerfile | 2 +-
 dockerfiles/celotool/Dockerfile | 2 +-
 dockerfiles/cloudbuild/Dockerfile | 2 +-
 dockerfiles/metadata-crawler/Dockerfile | 2 +-
 16 files changed, 287 insertions(+), 42 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000000..7b9ac0026bd
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,66 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: docker + directory: /dockerfiles/all-monorepo + schedule: + interval: daily + + - package-ecosystem: docker + directory: /dockerfiles/celotool + schedule: + interval: daily + + - package-ecosystem: docker + directory: /dockerfiles/cloudbuild + schedule: + interval: daily + + - package-ecosystem: docker + directory: /dockerfiles/metadata-crawler + schedule: + interval: daily + + - package-ecosystem: npm + directory: / + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/celotool + schedule: + interval: daily + + - package-ecosystem: pip + directory: /packages/celotool + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/env-tests + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/metadata-crawler + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/protocol/abis + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/protocol/contracts + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/protocol + schedule: + interval: daily diff --git a/.github/workflows/celo-monorepo.yml b/.github/workflows/celo-monorepo.yml index 08f724242f2..8adb2c80d20 100644 --- a/.github/workflows/celo-monorepo.yml +++ b/.github/workflows/celo-monorepo.yml 
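Review bot: Thirteen `package-ecosystem` entries on `interval: daily` with no `open-pull-requests-limit` and no `groups:` will produce a steady stream of single-dependency PRs, and in a yarn-workspaces monorepo the per-package `npm` entries (`/packages/celotool`, `/packages/protocol`, `/packages/protocol/abis`, …) may raise duplicate PRs against the same root lockfile as the `/` entry — verify which lockfiles Dependabot actually resolves for these directories before merging. Consider adding a `groups:` block with `patterns: ["*"]` to the `github-actions` entry and a `weekly` interval for the docker and npm ecosystems; the `github-actions` entry is the one that keeps the SHA pins introduced by this commit fresh, so that one is worth keeping frequent. The new .pre-commit-config.yaml has no Dependabot ecosystem, so its `rev:` values need a separate refresh mechanism.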
@@ -52,11 +52,16 @@ jobs: runs-on: ['self-hosted', 'monorepo-node18'] timeout-minutes: 30 steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Restore node cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: cache_node with: # We need to cache all the artifacts generated by yarn install+build @@ -96,7 +101,7 @@ jobs: # Get workdir local changes and fail if there are any change - name: Verify Changed files id: verify-changed-files - uses: tj-actions/verify-changed-files@v20 + uses: tj-actions/verify-changed-files@6ed7632824d235029086612d4330d659005af687 # v20.0.1 with: fail-if-changed: 'true' fail-message: 'Files changed during build. Please build locally and commit the changes.' @@ -115,7 +120,7 @@ jobs: # We use cache to share the build artifacts between jobs (gh artifacts are too slow...) # For more context check https://github.com/actions/upload-artifact/issues/199 - name: Restore build artifacts cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 id: cache_build_artifacts with: # We need to cache all the artifacts generated by yarn install+build @@ -127,7 +132,7 @@ jobs: code-${{ github.sha }} - name: Detect files changed in PR (or commit), and expose as output id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@20576b4b9ed46d41e2d45a2256e5e2316dde6834 # v43.0.1 with: # Using comma as separator to be able to easily match full paths (using ,) separator: ',' 
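Review bot: Every Harden Runner step added in this hunk — and in the later hunks of this file, containers.yaml, dependency-review.yaml, protocol-devchain-anvil.yml, protocol-devchain.yml, protocol_tests.yml, publish-contracts-abi-release.yml, scorecard.yml and stale.yml — uses `egress-policy: audit`, which only records outbound connections and blocks nothing. Audit is the right first step, but the protective value comes from switching to `egress-policy: block` with an `allowed-endpoints:` list once a few runs of audit data have been reviewed, so a follow-up issue is worth opening so the setting does not stay at audit indefinitely. This job runs on `['self-hosted', 'monorepo-node18']`, and StepSecurity documents Harden Runner for GitHub-hosted Ubuntu runners (self-hosted only via ARC), so confirm the step actually instruments these runners rather than skipping; the same applies to the self-hosted `publish` job in publish-contracts-abi-release.yml.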
@@ -141,7 +146,12 @@ jobs: timeout-minutes: 30 needs: install-dependencies steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Sync workspace @@ -163,7 +173,12 @@ jobs: contains(needs.install-dependencies.outputs.all_modified_files, ',yarn.lock') || false steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 submodules: recursive @@ -172,7 +187,7 @@ jobs: with: artifacts_to_cache: ${{ needs.install-dependencies.outputs.artifacts_to_cache }} - name: Download protocol devchain artifact - uses: dawidd6/action-download-artifact@v6 + uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6 with: workflow: protocol-devchain.yml name: devchain-${{ env.RELEASE_TAG }} @@ -223,7 +238,12 @@ jobs: command: | yarn --cwd packages/protocol test:scripts steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Sync workspace @@ -232,7 +252,7 @@ jobs: rebuild-package: 'true' artifacts_to_cache: ${{ needs.install-dependencies.outputs.artifacts_to_cache }} - name: Execute matrix command for test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 40 max_attempts: 3 
@@ -309,7 +329,12 @@ jobs: ./ci_test_validator_order.sh checkout ${CELO_BLOCKCHAIN_BRANCH_TO_TEST} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Sync workspace @@ -317,7 +342,7 @@ jobs: with: artifacts_to_cache: ${{ needs.install-dependencies.outputs.artifacts_to_cache }} - name: Execute matrix command for test - uses: nick-fields/retry@v3 + uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 with: timeout_minutes: 30 max_attempts: 3 @@ -366,14 +391,19 @@ jobs: cd packages/protocol ./specs/scripts/reserve.sh steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Sync workspace uses: ./.github/actions/sync-workspace with: artifacts_to_cache: ${{ needs.install-dependencies.outputs.artifacts_to_cache }} - - uses: actions/setup-java@v4 + - uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0 with: distribution: 'zulu' java-version: '11' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000000..84e597bacca --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["javascript", "ruby", "typescript"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/containers.yaml b/.github/workflows/containers.yaml index 9d3b3819140..258baa49bd7 100644 --- a/.github/workflows/containers.yaml +++ b/.github/workflows/containers.yaml @@ -22,10 +22,15 @@ jobs: # Adding a initial comma so ',' matches also for the first file all_modified_files: ',${{ steps.changed-files.outputs.all_modified_files }}' steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Detect files changed in PR (or commit), and expose as output id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@20576b4b9ed46d41e2d45a2256e5e2316dde6834 # v43.0.1 with: # Using comma as separator to be able to easily match full paths (using ,) separator: ',' diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index b9d6d20fff4..ec086fec033 100644 --- a/.github/workflows/dependency-review.yaml 
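Review bot: The `language` matrix in the new codeql.yml lists both `javascript` and `typescript`, but CodeQL analyzes both with its single JavaScript/TypeScript extractor, so the matrix runs the same analysis twice and uploads it under two categories (`/language:javascript` and `/language:typescript`), doubling runtime and producing duplicate alerts. Use one entry, `language: ["javascript-typescript", "ruby"]`, or simply drop `typescript`. The `ruby` entry is presumably there because the generator detected Ruby sources (the pre-commit config in this commit also enables RuboCop); if the repository holds no Ruby beyond tooling scripts, that entry can go as well. The comment `# CodeQL supports [ $supported-codeql-languages ]` is an unexpanded template placeholder and should be replaced with the actual list or removed.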
+++ b/.github/workflows/dependency-review.yaml @@ -8,7 +8,12 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: 'Checkout Repository' - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 diff --git a/.github/workflows/protocol-devchain-anvil.yml b/.github/workflows/protocol-devchain-anvil.yml index 3fa4e8f4d30..a826819836b 100644 --- a/.github/workflows/protocol-devchain-anvil.yml +++ b/.github/workflows/protocol-devchain-anvil.yml @@ -24,6 +24,9 @@ env: SUPPORTED_FOUNDRY_VERSION: ${{ vars.SUPPORTED_FOUNDRY_VERSION }} ANVIL_PORT: 8546 +permissions: + contents: read + jobs: build: defaults: @@ -36,7 +39,12 @@ jobs: pull-requests: read id-token: write steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Fail if there are test with wrong extension @@ -48,13 +56,13 @@ jobs: fi - name: Foundry cache id: foundry-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./cache key: ${{ runner.os }}-foundry-cache-${{ env.FOUNDRY_CACHE_KEY }} - name: Foundry out id: foundry-out - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./out key: ${{ runner.os }}-foundry-out-${{ env.FOUNDRY_CACHE_KEY }} 
@@ -65,7 +73,7 @@ jobs: - name: Get Pull Request data id: get_pr_data - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | const result = ( @@ -91,7 +99,7 @@ jobs: echo "Pull Request Number: ${{ env.PR_NUMBER }}" - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@362aa1be8f31305295acb1032271acd5e9b99312 # v1.1.1 with: version: ${{ env.SUPPORTED_FOUNDRY_VERSION }} @@ -104,13 +112,13 @@ jobs: - name: Akeyless Get Secrets id: get_auth_token - uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest + uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest@sha256:87467fdd034c6897a32ff1478fb9368a8aacb0d49bbeb8cac87e3cdbcf0a88f3 with: api-url: https://api.gateway.akeyless.celo-networks-dev.org access-id: p-kf9vjzruht6l static-secrets: '{"/static-secrets/NPM/npm-publish-token":"NPM_TOKEN"}' - - uses: actions/setup-node@v4 + - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: '18.x' registry-url: 'https://registry.npmjs.org' @@ -160,7 +168,7 @@ jobs: RELEASE_VERSION: ${{ env.RELEASE_VERSION }} - name: Upload devchain as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: devchain-${{ env.PR_NUMBER }}-${{ steps.date.outputs.date }} path: packages/protocol/.tmp diff --git a/.github/workflows/protocol-devchain.yml b/.github/workflows/protocol-devchain.yml index 8e5b269c18f..9776b356a8e 100644 --- a/.github/workflows/protocol-devchain.yml +++ b/.github/workflows/protocol-devchain.yml @@ -7,6 +7,9 @@ on: - cron: 0 0 1 * * workflow_dispatch: +permissions: + contents: read + jobs: generate-protocol-devchain: name: Generate protocol devchain used in celo-monorepo.yml workflow 
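Review bot: The Akeyless step is now pinned as `akeyless-action:latest@sha256:87467fdd…`; the digest makes the pull immutable, but keeping the `latest` tag in the reference is misleading because the tag is ignored whenever a digest is present, so `latest` here no longer means latest — a release tag plus the digest would document what was actually pinned. Since this image lives in an Artifact Registry repository rather than GHCR or Docker Hub, check that the registry's cleanup policy does not delete untagged manifests, otherwise the pinned digest becomes unpullable the first time `latest` is republished. Also confirm that Dependabot's `github-actions` ecosystem refreshes `docker://` references in this repository, because the new dependabot.yml has no other entry that would track this image. The same reference appears in publish-contracts-abi-release.yml.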
@@ -21,13 +24,18 @@ jobs: - tag: core-contracts.v11 node-version: 18 steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ matrix.tag }} fetch-depth: 0 submodules: recursive - name: Setup Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v4 + uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: ${{ matrix.node-version }} - name: Install yarn dependencies @@ -45,7 +53,7 @@ jobs: yarn --cwd packages/protocol devchain generate-tar devchain/devchain.tar.gz --release_gold_contracts $GRANTS_FILE mv packages/protocol/build/contracts* devchain/ - name: Upload devchain as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: devchain-${{ matrix.tag }} path: devchain diff --git a/.github/workflows/protocol_tests.yml b/.github/workflows/protocol_tests.yml index d7bb9d5b9e5..90fd426d2e5 100644 --- a/.github/workflows/protocol_tests.yml +++ b/.github/workflows/protocol_tests.yml @@ -21,11 +21,16 @@ jobs: name: Run tests runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Set Swap Space uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c with: swap-size-gb: 32 - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Fail if there are test with wrong extension 
@@ -38,19 +43,19 @@ jobs: fi - name: Foundry cache id: foundry-cache - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./cache key: ${{ runner.os }}-foundry-cache-${{ env.FOUNDRY_CACHE_KEY }} - name: Foundry out id: foundry-out - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: path: ./out key: ${{ runner.os }}-foundry-out-${{ env.FOUNDRY_CACHE_KEY }} - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@362aa1be8f31305295acb1032271acd5e9b99312 # v1.1.1 with: version: "nightly-f625d0fa7c51e65b4bf1e8f7931cd1c6e2e285e9" diff --git a/.github/workflows/publish-contracts-abi-release.yml b/.github/workflows/publish-contracts-abi-release.yml index e7f4e7158a6..f8eaafed800 100644 --- a/.github/workflows/publish-contracts-abi-release.yml +++ b/.github/workflows/publish-contracts-abi-release.yml @@ -16,6 +16,9 @@ on: description: 'NPM TAG e.g. alpha, pre-merge (default: canary) ' required: true type: string +permissions: + contents: read + jobs: publish: runs-on: ['self-hosted', 'org', 'npm-publish'] 
@@ -25,19 +28,24 @@ jobs: pull-requests: write repository-projects: write steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: submodules: recursive - name: Akeyless Get Secrets id: get_auth_token - uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest + uses: docker://us-west1-docker.pkg.dev/devopsre/akeyless-public/akeyless-action:latest@sha256:87467fdd034c6897a32ff1478fb9368a8aacb0d49bbeb8cac87e3cdbcf0a88f3 with: api-url: https://api.gateway.akeyless.celo-networks-dev.org access-id: p-kf9vjzruht6l static-secrets: '{"/static-secrets/NPM/npm-publish-token":"NPM_TOKEN"}' # Setup .npmrc file to publish to npm - - uses: actions/setup-node@v4 + - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 with: node-version: '18.x' registry-url: 'https://registry.npmjs.org' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index cbbb304672c..2a2cd9ef982 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -68,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: results.sarif 
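Review bot: The scorecard workflow's checkout stays at `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` while every other workflow in this commit moves to `692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`; the bot only pinned previously floating refs, so this already-pinned one was left behind. Bumping it here keeps the checkout pin uniform across workflows and avoids a stray Dependabot PR for a single file immediately after merge: `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`.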
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index c59032a7f25..a12bc4f1f79 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '40 14 * * *' +permissions: + contents: read + jobs: stale: @@ -18,7 +21,12 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v9 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This issue is stale and will be closed in 30 days without activity' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000000..22291f2d4b3 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,19 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: RuboCop + - id: shellcheck +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/dockerfiles/all-monorepo/Dockerfile b/dockerfiles/all-monorepo/Dockerfile index 1b6a53ff1a2..5968281fd0f 100644 --- a/dockerfiles/all-monorepo/Dockerfile +++ b/dockerfiles/all-monorepo/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18 +FROM node:18@sha256:ca07c02d13baf021ff5aadb3b48bcd1fcdd454826266ac313ce858676e8c1548 LABEL org.opencontainers.image.authors="devops@clabs.co" WORKDIR /celo-monorepo diff --git a/dockerfiles/celotool/Dockerfile b/dockerfiles/celotool/Dockerfile index 9d731f74d8d..75ebde28acb 100644 --- a/dockerfiles/celotool/Dockerfile +++ b/dockerfiles/celotool/Dockerfile 
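Review bot: The `mirrors-eslint` hook in the new .pre-commit-config.yaml runs ESLint from an isolated environment that contains only `eslint` itself, so any parser, plugin or shared config the repository's ESLint configuration requires must be listed under `additional_dependencies:` for that hook; without it the hook fails on the first commit that touches a JS/TS file, and the usual answer for a yarn-based monorepo is a `repo: local` hook that invokes the project's own `yarn eslint`. The pinned revisions (`gitleaks v8.16.3`, `pre-commit-hooks v4.4.0`, `mirrors-eslint v8.38.0`) look well over a year old for a September 2024 commit; run `pre-commit autoupdate` before merging, since Dependabot has no ecosystem for this file. The sequence indentation is mixed — `- repo:` is flush under `repos:` while `- id:` is indented under `hooks:` — so pick one form for the file.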
@@ -1,4 +1,4 @@ -FROM node:18 +FROM node:18@sha256:ca07c02d13baf021ff5aadb3b48bcd1fcdd454826266ac313ce858676e8c1548 LABEL org.opencontainers.image.authors="devops@clabs.co" WORKDIR /celo-monorepo diff --git a/dockerfiles/cloudbuild/Dockerfile b/dockerfiles/cloudbuild/Dockerfile index 92a638ded1f..c27cfd89a77 100644 --- a/dockerfiles/cloudbuild/Dockerfile +++ b/dockerfiles/cloudbuild/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12 +FROM node:12@sha256:01627afeb110b3054ba4a1405541ca095c8bfca1cb6f2be9479c767a2711879e RUN apt-get update -y RUN apt-get install lsb-release libudev-dev libusb-dev -y --no-install-recommends apt-utils diff --git a/dockerfiles/metadata-crawler/Dockerfile b/dockerfiles/metadata-crawler/Dockerfile index 4df83640847..e1d131347aa 100644 --- a/dockerfiles/metadata-crawler/Dockerfile +++ b/dockerfiles/metadata-crawler/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18 +FROM node:18@sha256:ca07c02d13baf021ff5aadb3b48bcd1fcdd454826266ac313ce858676e8c1548 LABEL org.opencontainers.image.authors="devops@clabs.co" WORKDIR /celo-monorepo
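Review bot: The cloudbuild image is now pinned as `node:12@sha256:01627afe…`, but Node 12 has been end-of-life since April 2022, so the digest freezes a base that no longer receives Node or Debian security updates, and the Dependabot docker entry for /dockerfiles/cloudbuild will never find a newer `node:12` digest because that tag is no longer rebuilt. The pin is still worthwhile for reproducibility, but the actual fix is moving this Dockerfile to a supported major — the other three Dockerfiles in this commit use `node:18` — and re-checking the unpinned `apt-get install` line on the new base. The celotool, metadata-crawler and all-monorepo hunks share one `node:18` digest, which is consistent.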