From bd3b7058f76353c03adb481d94ed2e72d844f608 Mon Sep 17 00:00:00 2001 
From: Jan Calanog Date: Wed, 27 Mar 2024 09:54:43 +0100 Subject: [PATCH] security: add permissions block to workflows (#38047) (cherry picked from commit f502623a2fc3ca65fcb146fb0827d0242a1a0a15) # Conflicts: # .github/workflows/platform-ingest-project-board.yml # .github/workflows/post-dependabot.yml --- .github/workflows/check-audtibeat.yml | 3 + .github/workflows/check-dev-tools.yml | 3 + .github/workflows/check-filebeat.yml | 3 + .github/workflows/check-heartbeat.yml | 3 + .github/workflows/check-libbeat.yml | 3 + .github/workflows/check-metricbeat.yml | 3 + .github/workflows/check-packetbeat.yml | 3 + .github/workflows/check-winlogbeat.yml | 3 + .github/workflows/check-xpack-auditbeat.yml | 3 + .../workflows/check-xpack-dockerlogbeat.yml | 3 + .github/workflows/check-xpack-filebeat.yml | 3 + .../workflows/check-xpack-functionbeat.yml | 3 + .github/workflows/check-xpack-heartbeat.yml | 3 + .github/workflows/check-xpack-libbeat.yml | 3 + .github/workflows/check-xpack-metricbeat.yml | 3 + .github/workflows/check-xpack-osquerybeat.yml | 3 + .github/workflows/check-xpack-packetbeat.yml | 3 + .github/workflows/check-xpack-winlogbeat.yml | 3 + .github/workflows/macos-auditbeat.yml | 3 + .github/workflows/macos-filebeat.yml | 3 + .github/workflows/macos-heartbeat.yml | 3 + .github/workflows/macos-metricbeat.yml | 3 + .github/workflows/macos-packetbeat.yml | 3 + .github/workflows/macos-xpack-auditbeat.yml | 3 + .github/workflows/macos-xpack-filebeat.yml | 3 + .../workflows/macos-xpack-functionbeat.yml | 3 + .github/workflows/macos-xpack-heartbeat.yml | 3 + .github/workflows/macos-xpack-metricbeat.yml | 3 + .github/workflows/macos-xpack-osquerybeat.yml | 3 + .github/workflows/macos-xpack-packetbeat.yml | 3 + .../platform-ingest-project-board.yml | 59 +++++++++++++++++++ .github/workflows/post-dependabot.yml | 43 ++++++++++++++ 32 files changed, 192 insertions(+) create mode 100644 .github/workflows/platform-ingest-project-board.yml create mode 100644 
.github/workflows/post-dependabot.yml diff --git a/.github/workflows/check-audtibeat.yml b/.github/workflows/check-audtibeat.yml index 3941fcdd492f..bbc962426877 100644 --- a/.github/workflows/check-audtibeat.yml +++ b/.github/workflows/check-audtibeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'auditbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-dev-tools.yml b/.github/workflows/check-dev-tools.yml index 4f0ba423466a..6fa58fc319de 100644 --- a/.github/workflows/check-dev-tools.yml +++ b/.github/workflows/check-dev-tools.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'dev-tools' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-filebeat.yml b/.github/workflows/check-filebeat.yml index 0c08232e8af0..930a04ec5e56 100644 --- a/.github/workflows/check-filebeat.yml +++ b/.github/workflows/check-filebeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'filebeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-heartbeat.yml b/.github/workflows/check-heartbeat.yml index c975398fc2b5..ac7ad5725f5b 100644 --- a/.github/workflows/check-heartbeat.yml +++ b/.github/workflows/check-heartbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'heartbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-libbeat.yml b/.github/workflows/check-libbeat.yml index 38b04932a86b..27e03701b859 100644 --- a/.github/workflows/check-libbeat.yml +++ b/.github/workflows/check-libbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'libbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-metricbeat.yml b/.github/workflows/check-metricbeat.yml index 452f0dbedc1c..709fa3a44bdd 100644 --- a/.github/workflows/check-metricbeat.yml +++ b/.github/workflows/check-metricbeat.yml 
@@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'metricbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-packetbeat.yml b/.github/workflows/check-packetbeat.yml index b084e4d962e2..ba05b6c0160b 100644 --- a/.github/workflows/check-packetbeat.yml +++ b/.github/workflows/check-packetbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'packetbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-winlogbeat.yml b/.github/workflows/check-winlogbeat.yml index e048d585fa8b..a79c4bef209a 100644 --- a/.github/workflows/check-winlogbeat.yml +++ b/.github/workflows/check-winlogbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'winlogbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-auditbeat.yml b/.github/workflows/check-xpack-auditbeat.yml index d0bf638796b6..a4e6ae81563a 100644 --- a/.github/workflows/check-xpack-auditbeat.yml +++ b/.github/workflows/check-xpack-auditbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/auditbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-dockerlogbeat.yml b/.github/workflows/check-xpack-dockerlogbeat.yml index 44760e6c5e62..258e5c6c3fa0 100644 --- a/.github/workflows/check-xpack-dockerlogbeat.yml +++ b/.github/workflows/check-xpack-dockerlogbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/dockerlogbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-filebeat.yml b/.github/workflows/check-xpack-filebeat.yml index 73b5b21d323a..0547fafb7e6c 100644 --- a/.github/workflows/check-xpack-filebeat.yml +++ b/.github/workflows/check-xpack-filebeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/filebeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest 
diff --git a/.github/workflows/check-xpack-functionbeat.yml b/.github/workflows/check-xpack-functionbeat.yml index 089828088d62..8ae83acd36fd 100644 --- a/.github/workflows/check-xpack-functionbeat.yml +++ b/.github/workflows/check-xpack-functionbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/functionbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-heartbeat.yml b/.github/workflows/check-xpack-heartbeat.yml index c9b77cbebb38..3d6be31ef8be 100644 --- a/.github/workflows/check-xpack-heartbeat.yml +++ b/.github/workflows/check-xpack-heartbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/heartbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-libbeat.yml b/.github/workflows/check-xpack-libbeat.yml index 11359887ef04..28da0b1eb35c 100644 --- a/.github/workflows/check-xpack-libbeat.yml +++ b/.github/workflows/check-xpack-libbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/libbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-metricbeat.yml b/.github/workflows/check-xpack-metricbeat.yml index f61967a5eec3..8f107794bce1 100644 --- a/.github/workflows/check-xpack-metricbeat.yml +++ b/.github/workflows/check-xpack-metricbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/metricbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-osquerybeat.yml b/.github/workflows/check-xpack-osquerybeat.yml index e5c87bcf5bd6..73ba20e5a8c5 100644 --- a/.github/workflows/check-xpack-osquerybeat.yml +++ b/.github/workflows/check-xpack-osquerybeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/osquerybeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest 
diff --git a/.github/workflows/check-xpack-packetbeat.yml b/.github/workflows/check-xpack-packetbeat.yml index 3840d5598aa2..e03d46d55e2a 100644 --- a/.github/workflows/check-xpack-packetbeat.yml +++ b/.github/workflows/check-xpack-packetbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/packetbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/check-xpack-winlogbeat.yml b/.github/workflows/check-xpack-winlogbeat.yml index 8656675c3a14..2f3571c7d74e 100644 --- a/.github/workflows/check-xpack-winlogbeat.yml +++ b/.github/workflows/check-xpack-winlogbeat.yml @@ -10,6 +10,9 @@ on: env: BEAT_MODULE: 'x-pack/winlogbeat' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest diff --git a/.github/workflows/macos-auditbeat.yml b/.github/workflows/macos-auditbeat.yml index 994ca6dbebc0..39c97c8b7193 100644 --- a/.github/workflows/macos-auditbeat.yml +++ b/.github/workflows/macos-auditbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'auditbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-filebeat.yml b/.github/workflows/macos-filebeat.yml index 6b43f5bb6c66..513b87be316c 100644 --- a/.github/workflows/macos-filebeat.yml +++ b/.github/workflows/macos-filebeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'filebeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-heartbeat.yml b/.github/workflows/macos-heartbeat.yml index c8e346a44026..b707e9c7d429 100644 --- a/.github/workflows/macos-heartbeat.yml +++ b/.github/workflows/macos-heartbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'heartbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-metricbeat.yml b/.github/workflows/macos-metricbeat.yml index 59a225e16015..0f37cfb937b2 100644 --- a/.github/workflows/macos-metricbeat.yml +++ b/.github/workflows/macos-metricbeat.yml 
@@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'metricbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-packetbeat.yml b/.github/workflows/macos-packetbeat.yml index be5dc7377e6a..bebbc5eed90e 100644 --- a/.github/workflows/macos-packetbeat.yml +++ b/.github/workflows/macos-packetbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'packetbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-auditbeat.yml b/.github/workflows/macos-xpack-auditbeat.yml index 3adcb46f6da0..e0484908a9e2 100644 --- a/.github/workflows/macos-xpack-auditbeat.yml +++ b/.github/workflows/macos-xpack-auditbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/auditbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-filebeat.yml b/.github/workflows/macos-xpack-filebeat.yml index 936c0913fa46..93950c24b572 100644 --- a/.github/workflows/macos-xpack-filebeat.yml +++ b/.github/workflows/macos-xpack-filebeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/filebeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-functionbeat.yml b/.github/workflows/macos-xpack-functionbeat.yml index 26a3e311c922..430d8834bb4a 100644 --- a/.github/workflows/macos-xpack-functionbeat.yml +++ b/.github/workflows/macos-xpack-functionbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/functionbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-heartbeat.yml b/.github/workflows/macos-xpack-heartbeat.yml index 502d10c1a3ea..0a5ce77117d9 100644 --- a/.github/workflows/macos-xpack-heartbeat.yml +++ b/.github/workflows/macos-xpack-heartbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/heartbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest 
diff --git a/.github/workflows/macos-xpack-metricbeat.yml b/.github/workflows/macos-xpack-metricbeat.yml index 38f40b051bcf..2d2531cd2866 100644 --- a/.github/workflows/macos-xpack-metricbeat.yml +++ b/.github/workflows/macos-xpack-metricbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/metricbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-osquerybeat.yml b/.github/workflows/macos-xpack-osquerybeat.yml index 1b3be3e31484..7678df4b2f2d 100644 --- a/.github/workflows/macos-xpack-osquerybeat.yml +++ b/.github/workflows/macos-xpack-osquerybeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/osquerybeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/macos-xpack-packetbeat.yml b/.github/workflows/macos-xpack-packetbeat.yml index 90d9f77e2691..8167486eb0c9 100644 --- a/.github/workflows/macos-xpack-packetbeat.yml +++ b/.github/workflows/macos-xpack-packetbeat.yml @@ -13,6 +13,9 @@ on: env: BEAT_MODULE: 'x-pack/packetbeat' +permissions: + contents: read + jobs: macos: runs-on: macos-latest diff --git a/.github/workflows/platform-ingest-project-board.yml b/.github/workflows/platform-ingest-project-board.yml new file mode 100644 index 000000000000..10a738c750c7 --- /dev/null +++ b/.github/workflows/platform-ingest-project-board.yml 
@@ -0,0 +1,59 @@ +name: Add issue to Ingest project + +on: + issues: + types: + - labeled +env: + INGEST_PROJECT_ID: 'PVT_kwDOAGc3Zs4AEzn4' + + # GitHub labels for each team/area + DATA_PLANE_LABEL: 'Team:Elastic-Agent-Data-Plane' + CONTROL_PLANE_LABEL: 'Team:Elastic-Agent-Control-Plane' + ELASTIC_AGENT_LABEL: 'Team:Elastic-Agent' + + # ID values for the Area property + its options + AREA_FIELD_ID: 'PVTSSF_lADOAGc3Zs4AEzn4zgEgZSo' + ELASTIC_AGENT_OPTION_ID: 'c1e1a30a' + +permissions: + contents: read + +jobs: + add_to_ingest_project: + runs-on: ubuntu-latest + steps: + - uses: octokit/graphql-action@v2.x + id: add_to_project + if: ${{ github.event.label.name == env.DATA_PLANE_LABEL || github.event.label.name == env.CONTROL_PLANE_LABEL || github.event.label.name == env.ECOSYSTEM_LABEL || github.event.label.name == env.FLEET_LABEL }} + with: + query: | + # Variables have to be snake cased because of https://github.com/octokit/graphql-action/issues/164 + mutation AddToIngestProject($project_id: ID!, $content_id: ID!) 
{ + addProjectV2ItemById(input: { projectId: $project_id, contentId: $content_id }) { + item { + id + } + } + } + project_id: ${{ env.INGEST_PROJECT_ID }} + content_id: ${{ github.event.issue.node_id }} + env: + GITHUB_TOKEN: ${{ secrets.PROJECT_ASSIGNER_TOKEN }} + - uses: octokit/graphql-action@v2.x + id: set_elastic_agent_area + if: github.event.label.name == env.DATA_PLANE_LABEL || github.event.label.name == env.CONTROL_PLANE_LABEL || github.event.label.name == env.ELASTIC_AGENT_LABEL + with: + query: | + mutation updateIngestArea($item_id: ID!, $project_id: ID!, $area_field_id: ID!, $area_id: String) { + updateProjectV2ItemFieldValue( + input: { itemId: $item_id, projectId: $project_id, fieldId: $area_field_id, value: { singleSelectOptionId: $area_id } }) { + clientMutationId + } + } + item_id: ${{ fromJSON(steps.add_to_project.outputs.data).addProjectV2ItemById.item.id }} + project_id: ${{ env.INGEST_PROJECT_ID }} + area_field_id: ${{ env.AREA_FIELD_ID }} + area_id: ${{ env.ELASTIC_AGENT_OPTION_ID }} + env: + GITHUB_TOKEN: ${{ secrets.PROJECT_ASSIGNER_TOKEN }} diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml new file mode 100644 index 000000000000..59d84b9bec36 --- /dev/null +++ b/.github/workflows/post-dependabot.yml 
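Review bot: The `if:` on the `add_to_project` step compares the label against `env.ECOSYSTEM_LABEL` and `env.FLEET_LABEL`, neither of which the `env:` block defines, while the `set_elastic_agent_area` step keys on `env.ELASTIC_AGENT_LABEL`; so an issue labeled `Team:Elastic-Agent` presumably skips the first step yet still runs the second, whose `fromJSON(steps.add_to_project.outputs.data)` then has no output to parse. The two conditions should match, e.g. `if: github.event.label.name == env.DATA_PLANE_LABEL || github.event.label.name == env.CONTROL_PLANE_LABEL || github.event.label.name == env.ELASTIC_AGENT_LABEL` on the first step, which also drops the inconsistent `${{ }}` wrapping around it. Since the commit's aim is hardening, the floating action references (`octokit/graphql-action@v2.x` here, `actions/checkout@v3` and `actions/setup-go@v4` in post-dependabot.yml) are worth pinning to a full commit SHA with the tag in a trailing comment. A short comment above `PROJECT_ASSIGNER_TOKEN` saying which scopes that PAT needs (project write only) would help the next maintainer keep it least-privilege.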
@@ -0,0 +1,43 @@ +# Follow-on actions relating to dependabot PRs. In elastic/beats, any changes to +# dependencies contained in go.mod requires the change to be reflected in the +# NOTICE.txt file. When dependabot creates a branch for a go_modules change this +# will update the NOTICE.txt file for that change. +name: post-dependabot + +on: + push: + branches: + - 'dependabot/go_modules/**' + +permissions: + contents: read + +jobs: + update-notice: + permissions: + # Allow job to write to the branch. + contents: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-go@v4 + with: + go-version-file: .go-version + + - name: update NOTICE.txt + run: make notice + + - name: check for modified NOTICE.txt + id: notice-check + run: echo "modified=$(if git status --porcelain --untracked-files=no | grep -q -E ' NOTICE.txt$'; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT + + - name: commit NOTICE.txt + if: steps.notice-check.outputs.modified == 'true' + run: | + git config --global user.name 'dependabot[bot]' + git config --global user.email 'dependabot[bot]@users.noreply.github.com' + git add NOTICE.txt + git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} + git commit -m "Update NOTICE.txt" + git push
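Review bot: The `git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}` line in the `commit NOTICE.txt` step writes the token into the runner's `.git/config`; `actions/checkout@v3` already persists the same token as an HTTP auth header by default, so the line can be removed and `git push` left unchanged. Worth a comment above that step as well: `# NOTE: pushes made with GITHUB_TOKEN do not start new workflow runs, so the PR's checks will not re-run for this commit` — that is documented GitHub behavior and explains why the job may look like it succeeded without CI re-validating the branch. In the `notice-check` step, `>> $GITHUB_OUTPUT` should be quoted as `>> "$GITHUB_OUTPUT"` to match the rest of the script's quoting.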