diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index d6044d22d80f5..bfd00cb443cf3 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -19,7 +19,12 @@ jobs:
 # Prevent sudden announcement of a new advisory from failing ci:
 continue-on-error: true
 steps:
- - uses: actions/checkout@v4.1.7
- - uses: rustsec/audit-check@v2.0.0
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/beta-test.yml b/.github/workflows/beta-test.yml
index 7770c6a83c46c..1ae703099af47 100644
--- a/.github/workflows/beta-test.yml
+++ b/.github/workflows/beta-test.yml
@@ -34,7 +34,12 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - run: rustup update beta
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50e754160e40c..543a80cb5250b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
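Review bot: The harden-runner step added at the top of the audit job only observes egress (`egress-policy: audit`) and never fails the job, so it changes nothing about what a compromised action or crate in this job can reach, and with `continue-on-error: true` set on the job even a hard failure of the step would be ignored. For a job this small, move to enforcement once one audit run has listed the hosts it needs: `egress-policy: block` followed by an `allowed-endpoints: >` list of the endpoints that run reported (github.com and the crates.io hosts at minimum, I'd expect). The step name "Audit all outbound calls" should be updated at the same time so it does not keep describing the old mode.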
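Review bot: `actions/checkout` is pinned here to the v4.3.1 commit while the audit.yml hunk in the same change pins it to the v4.1.7 commit; one action at two SHAs across workflows doubles the pins to track and makes the `# vX.Y.Z` trailers easy to let drift. Pin every workflow to the same release, `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`, so an automated updater bumps them together. If the platform matrix here includes macOS or Windows entries, note that as far as I know harden-runner only instruments Linux hosted runners and is a no-op elsewhere, so the audit coverage for those legs is nil; a one-line comment on the step, `# harden-runner only instruments ubuntu runners`, would stop readers from assuming otherwise.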
@@ -34,10 +34,15 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v4.1.7
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 - name: cargo fmt
 run: cargo fmt --all -- --check
@@ -62,10 +67,15 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v4.1.7
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 - name: Tests
 run: cargo test --workspace --profile ci --exclude nu_plugin_*
@@ -91,10 +101,15 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v4.1.7
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 - name: Install Nushell
 run: cargo install --path . --locked --force
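Review bot: All three ci.yml jobs in this line run on `${{ matrix.platform }}`, and the new harden-runner step is added to each without any platform guard; as far as I know the action only instruments Linux hosted runners and does nothing on macOS or Windows, so the "Audit all outbound calls" step name overstates what the non-Ubuntu matrix legs get. Either add a comment stating the limitation above the step, `# egress auditing is only active on ubuntu runners`, or guard it with an `if: runner.os == 'Linux'` so the job log does not show a hardening step that is not hardening anything. These jobs also pin `actions/checkout` to the v4.1.7 commit while other files in the same change use v4.3.1; one version everywhere is easier to keep current.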
@@ -106,7 +121,7 @@ jobs:
 run: nu .github/workflows/check-msrv.nu
 - name: Setup Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.10"
@@ -142,10 +157,15 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
- - uses: actions/checkout@v4.1.7
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 - name: Clippy
 run: cargo clippy --package nu_plugin_* -- $CLIPPY_OPTIONS
@@ -183,10 +203,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4.1.7
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 - name: Add wasm32-unknown-unknown target
 run: rustup target add wasm32-unknown-unknown
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 96b84c6a4734d..8ff185e308e95 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
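Review bot: Every action in these hunks is now pinned to a full commit SHA with a `# vX.Y.Z` trailer, which is the right shape, but a SHA pin is only as good as the process that refreshes it, and nothing in this change shows an updater configured for the `github-actions` ecosystem; without one the pins silently freeze and the version trailers stop being true the first time someone hand-edits a SHA. If `.github/dependabot.yml` does not already carry a `package-ecosystem: github-actions` entry, add one as part of this change. The wasm job in the last hunk runs on `ubuntu-latest` and, from the visible steps, only needs the GitHub, rustup and crate-registry hosts, so it is a good first candidate to move from `egress-policy: audit` to `egress-policy: block` with an `allowed-endpoints:` list taken from an audit run.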
@@ -13,7 +13,12 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'nushell'
 steps:
- - uses: actions/labeler@v5
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 sync-labels: true
\ No newline at end of file
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml
index 18eef4213d284..cb0d33598a68d 100644
--- a/.github/workflows/milestone.yml
+++ b/.github/workflows/milestone.yml
@@ -14,15 +14,20 @@ jobs:
 runs-on: ubuntu-latest
 name: Milestone Update
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Set Milestone for PR
- uses: hustcer/milestone-action@main
+ uses: hustcer/milestone-action@ebed8d5daafd855a600d7e665c1b130f06d24130 # main
 if: github.event.pull_request.merged == true
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # Bind milestone to closed issue that has a merged PR fix
 - name: Set Milestone for Issue
- uses: hustcer/milestone-action@v2
+ uses: hustcer/milestone-action@a32390684f8f7ccbd24a6ec928da4431dbf1e309 # v2.12
 if: github.event.issue.state == 'closed'
 with:
 action: bind-issue
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index 1e161f83fe501..9eb8501db7f93 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
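Review bot: In the milestone.yml hunk, `hustcer/milestone-action@ebed8d5daafd855a600d7e665c1b130f06d24130 # main` pins the "Set Milestone for PR" step to a commit taken from the moving `main` branch, while the "Set Milestone for Issue" step a few lines down pins the same action to the v2.12 release; the `# main` trailer names no release to audit against, and an updater that follows it will keep re-pinning to whatever `main` holds, which is the floating-ref problem the SHA pin was meant to remove. Pin both steps to the same release commit, `uses: hustcer/milestone-action@a32390684f8f7ccbd24a6ec928da4431dbf1e309 # v2.12`, unless the PR step depends on something unreleased, in which case say so in a comment above it so the next person knows why the two differ.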
@@ -27,8 +27,13 @@ jobs:
 # This job is required by the release job, so we should make it run both from Nushell repo and nightly repo
 # if: github.repository == 'nushell/nightly'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 if: github.repository == 'nushell/nightly'
 with:
 ref: main
@@ -37,7 +42,7 @@ jobs:
 token: ${{ secrets.WORKFLOW_TOKEN }}
 - name: Setup Nushell
- uses: hustcer/setup-nu@v3
+ uses: hustcer/setup-nu@92c296ba1ba2ba04cc948ab64ddefe192dc13f0c # v3.23
 if: github.repository == 'nushell/nightly'
 with:
 version: 0.103.0
@@ -122,7 +127,12 @@ jobs:
 runs-on: ${{matrix.os}}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: main
 fetch-depth: 0
@@ -132,13 +142,13 @@ jobs:
 echo "targets = ['${{matrix.target}}']" >> rust-toolchain.toml
 - name: Setup Rust toolchain and cache
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 # WARN: Keep the rustflags to prevent from the winget submission error: `CAQuietExec: Error 0xc0000135`
 with:
 rustflags: ''
 - name: Setup Nushell
- uses: hustcer/setup-nu@v3
+ uses: hustcer/setup-nu@92c296ba1ba2ba04cc948ab64ddefe192dc13f0c # v3.23
 with:
 version: 0.103.0
@@ -153,7 +163,7 @@ jobs:
 - name: Create an Issue for Release Failure
 if: ${{ failure() }}
- uses: JasonEtco/create-an-issue@v2.9.2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
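Review bot: The harden-runner step is added unconditionally to the nightly job whose checkout, a few lines down in the second hunk, runs with `token: ${{ secrets.WORKFLOW_TOKEN }}` rather than the job's own `GITHUB_TOKEN`; per the action's documentation it uploads the job's network and process observations to StepSecurity's hosted service, so this introduces a new third-party data flow into one of the repository's more privileged jobs. That may well be an acceptable trade, but it is a trust decision and should be stated in the commit message and on the step itself, e.g. `# harden-runner reports egress telemetry to StepSecurity; accepted for supply-chain monitoring`. This job is also where `egress-policy: block` should land first once the audit runs have produced an endpoint list, because a job holding a personal access token is exactly where exfiltration would be attempted.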
@@ -171,7 +181,7 @@ jobs:
 # REF: https://github.com/marketplace/actions/gh-release
 # Create a release only in nushell/nightly repo
 - name: Publish Archive
- uses: softprops/action-gh-release@v2.0.9
+ uses: step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1
 if: ${{ startsWith(github.repository, 'nushell/nightly') }}
 with:
 prerelease: true
@@ -188,15 +198,20 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # Sleep for 30 minutes, waiting for the release to be published
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Waiting for Release
 run: sleep 1800
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: main
 - name: Setup Nushell
- uses: hustcer/setup-nu@v3
+ uses: hustcer/setup-nu@92c296ba1ba2ba04cc948ab64ddefe192dc13f0c # v3.23
 with:
 version: 0.103.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a192a38a24bb2..fbf51bb29646c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
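Review bot: In the first hunk, `softprops/action-gh-release@v2.0.9` is replaced by `step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1`, which is both a change of maintainer (a fork under a different owner) and a jump of several minor versions, for the step that holds the token used to publish the nightly archives; neither the hunk nor the surrounding comments explain why the fork is preferred over pinning upstream `softprops/action-gh-release` at its own v2.6.1 commit, and the kept `# REF: https://github.com/marketplace/actions/gh-release` comment still points at the upstream action. State the reason for the fork in the commit message and update the REF comment to the action actually used, or keep the upstream action and only add the hash pin.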
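Review bot: In the second hunk, the new harden-runner step is inserted between `# Sleep for 30 minutes, waiting for the release to be published` and the "Waiting for Release" step that comment describes, so the comment now reads as documentation for the hardening step. Move the comment below the added blank line so it sits directly above `- name: Waiting for Release`. The same pattern is worth checking in the other files of this change wherever a step was inserted immediately after `steps:` with a comment already there.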
@@ -73,21 +73,26 @@ jobs:
 runs-on: ${{matrix.os}}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Update Rust Toolchain Target
 run: |
 echo "targets = ['${{matrix.target}}']" >> rust-toolchain.toml
 - name: Setup Rust toolchain
- uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
+ uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
 # WARN: Keep the rustflags to prevent from the winget submission error: `CAQuietExec: Error 0xc0000135`
 with:
 cache: false
 rustflags: ''
 - name: Setup Nushell
- uses: hustcer/setup-nu@v3
+ uses: hustcer/setup-nu@92c296ba1ba2ba04cc948ab64ddefe192dc13f0c # v3.23
 with:
 version: 0.103.0
@@ -103,7 +108,7 @@ jobs:
 # WARN: Don't upgrade this action due to the release per asset issue.
 # See: https://github.com/softprops/action-gh-release/issues/445
 - name: Publish Archive
- uses: softprops/action-gh-release@v2.0.5
+ uses: step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1
 if: ${{ startsWith(github.ref, 'refs/tags/') }}
 with:
 draft: true
@@ -116,6 +121,11 @@ jobs:
 name: Create Sha256sum
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Download Release Archives
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -127,7 +137,7 @@ jobs:
 - name: Create Checksums
 run: cd release && shasum -a 256 * > ../SHA256SUMS
 - name: Publish Checksums
- uses: softprops/action-gh-release@v2.0.5
+ uses: step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1
 with:
 draft: true
 files: SHA256SUMS
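Review bot: The "Publish Archive" and "Publish Checksums" steps in the second and fourth hunks are moved from `softprops/action-gh-release@v2.0.5` to the step-security fork at v2.6.1, but the two comment lines kept directly above the first of them, `# WARN: Don't upgrade this action due to the release per asset issue.` and `# See: https://github.com/softprops/action-gh-release/issues/445`, say the opposite, and the pin was held at 2.0.5 precisely to avoid that regression in the release job. Either verify that the forked 2.6.1 no longer shows the per-asset behaviour the linked issue describes and replace the WARN comment with a note saying so (with the version and date it was checked against), or keep the upstream action at its v2.0.5 commit and only add the hash pin. A stale warning next to a release-publishing step is worse than no comment, because the next reader will not know which of the two to believe.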
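Review bot: The Create Sha256sum job in the third hunk only needs GitHub hosts as far as the visible steps show (a download step authenticated with `GH_TOKEN`, presumably via the gh CLI, then `shasum` and an upload through action-gh-release), so it is the cleanest candidate in this change for enforcement rather than observation: replace `egress-policy: audit` with `egress-policy: block` and an `allowed-endpoints: >` list of the GitHub hosts one audit run reports. This job produces the integrity artifact consumers use to verify the release, so blocking unexpected egress here protects the checksums directly rather than just logging after the fact.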
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index eb57d8c471c12..1390832189280 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
@@ -6,8 +6,13 @@ jobs:
 name: Spell Check with Typos
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Actions Repository
- uses: actions/checkout@v4.1.7
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Check spelling
- uses: crate-ci/typos@v1.31.1
+ uses: crate-ci/typos@b1a1ef3893ff35ade0cfa71523852a49bfd05d19 # v1.31.1
diff --git a/.github/workflows/winget-submission.yml b/.github/workflows/winget-submission.yml
index 3470fed4e2cc2..f58f449511fbb 100644
--- a/.github/workflows/winget-submission.yml
+++ b/.github/workflows/winget-submission.yml
@@ -16,8 +16,13 @@ jobs:
 name: Publish winget package
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Submit package to Windows Package Manager Community Repository
- uses: vedantmgoyal2009/winget-releaser@v2
+ uses: vedantmgoyal2009/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
 with:
 identifier: Nushell.Nushell
 # Exclude all `*-msvc-full.msi` full release files,
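Review bot: In the winget-submission hunk, `vedantmgoyal2009/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2` pins a commit but labels it with the floating major tag, so a reader cannot tell which release the SHA belongs to or whether it is still the current `v2` tip; every other pin in this change carries an exact version. Replace the trailer with the release the commit actually corresponds to, `# v2.x.y`, or, if the project publishes no patch tags, the date the SHA was taken. The action's inputs continue below the hunk and, if they include a personal access token for opening pull requests against the winget manifest repository as this action normally requires, this is another job where `egress-policy: block` with only the GitHub hosts allowed would be worth more than audit mode.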