---
name: Security

# Supply-chain and secrets gates for this repository (#11).
#
# gitleaks  — scans the complete git history for committed secrets
#             (tokens, credentials) on every push and pull request.
# zizmor    — statically audits the Actions workflows themselves
#             (template injection, over-broad GITHUB_TOKEN, unpinned
#             actions, persisted credentials) and, in its online mode,
#             checks the actions we pin against the GitHub Advisory
#             Database.
#
# Related configuration: Dependabot for the github-actions ecosystem lives
# in .github/dependabot.yml; the gitleaks pre-commit hook lives in
# .pre-commit-config.yaml.

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  pull_request:
  # A weekly tick re-runs the online zizmor audit so that an advisory
  # published against an action we pin fails the gate even when nothing is
  # being pushed; the outcome of that audit is meant to change over time.
  schedule:
    - cron: '0 7 * * 1'  # Mondays, 07:00 UTC

# Neither job writes anything back; both only read the checkout. A read-only
# top-level floor also satisfies zizmor's excessive-permissions audit.
permissions:
  contents: read

jobs:
  gitleaks:
    name: Secret scan (gitleaks)
    # Skipped on the weekly schedule: that tick exists for zizmor's advisory
    # re-check, and git history cannot have changed without a push.
    if: github.event_name != 'schedule'
    runs-on: ubuntu-24.04
    env:
      # Exact release plus checksum: reproducible and independent of whatever
      # the runner image happens to ship. Bump GITLEAKS_VERSION together with
      # the copy in .pre-commit-config.yaml.
      GITLEAKS_VERSION: '8.30.1'
      GITLEAKS_SHA256: '551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb'
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          persist-credentials: false  # zizmor: artipacked
          # Whole history, not just the tip: a secret pushed once is leaked
          # even if a later commit removed it.
          fetch-depth: 0
      - name: Install pinned gitleaks
        run: |
          set -euo pipefail
          tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}" -o "$tarball"
          echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c -
          tar -xzf "$tarball" gitleaks
          sudo install gitleaks /usr/local/bin/gitleaks
          gitleaks version
      # Every commit is scanned with gitleaks' bundled ruleset. --redact masks
      # the matched value in the (public) log; a finding still exits non-zero,
      # so the merge is blocked.
      - name: Scan git history for secrets
        run: gitleaks git . --redact --no-banner --verbose

  zizmor:
    name: Workflow audit (zizmor)
    runs-on: ubuntu-24.04
    env:
      ZIZMOR_VERSION: '1.25.2'
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
        with:
          persist-credentials: false  # zizmor: artipacked
      # pipx ships with the ubuntu-24.04 runner image.
      - name: Install pinned zizmor
        run: pipx install "zizmor==${ZIZMOR_VERSION}"
      # zizmor audits online by default. GH_TOKEN is what its
      # known-vulnerable-actions audit uses to query the GitHub Advisory
      # Database, so a CVE disclosed against a pinned action fails this job.
      # The read-only built-in token is sufficient: advisory data is public,
      # the token only grants API access. Dependabot then opens the bump;
      # this job is what blocks the merge until it lands.
      - name: Audit GitHub Actions workflows
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: zizmor .github/workflows/