Ci/actions sec (#7488)

* ci: add harden-runner action to all workflows

* remove owasp zap

* ci: pin all GitHub Actions to commit SHAs

Author: vd0n

.github/workflows/bld_docker.yml

@@ -112,14 +112,19 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: git-checkout-ref-action
         id: ref
-        uses: ORCID/git-checkout-ref-action@main
+        uses: ORCID/git-checkout-ref-action@4258c0cbe4b164e410d0263416034787fb300f26 # main
         with:
           default_branch: ${{ github.event.repository.default_branch }}
           ref: ${{ inputs.ref }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ steps.ref.outputs.ref }}
           # checkout some history so we can scan commits for bump messages
@@ -128,15 +133,15 @@ jobs:
 
       - name: find next version
         id: version
-        uses: ORCID/version-bump-action@main
+        uses: ORCID/version-bump-action@75233259407ae3728171973d09bc66fcf4b15b6a # main
         with:
           version_tag: ${{ inputs.version_tag }}
           bump: ${{ inputs.bump }}
 
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to private registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ${{ secrets.DOCKER_REG_PRIVATE }}
           username: ${{ secrets.DOCKER_USER }}
@@ -152,7 +157,7 @@ jobs:
         run: |
           echo ${{ steps.dynamic_defaults.outputs.default_file }}
 
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           push: ${{ inputs.push }}
           tags: ${{ secrets.DOCKER_REG_PRIVATE }}/${{ matrix.docker_name}}:${{ steps.version.outputs.version_tag_numeric }}

.github/workflows/bld_mvn.yml

@@ -98,14 +98,19 @@ jobs:
 
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: git-checkout-ref-action
         id: ref
-        uses: ORCID/git-checkout-ref-action@main
+        uses: ORCID/git-checkout-ref-action@4258c0cbe4b164e410d0263416034787fb300f26 # main
         with:
           default_branch: ${{ github.event.repository.default_branch }}
           ref: ${{ inputs.ref }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ steps.ref.outputs.ref }}
           # checkout some history so we can scan commits for bump messages
@@ -114,13 +119,13 @@ jobs:
 
       - name: find next version
         id: version
-        uses: ORCID/version-bump-action@main
+        uses: ORCID/version-bump-action@75233259407ae3728171973d09bc66fcf4b15b6a # main
         with:
           version_tag: ${{ inputs.version_tag }}
           bump: ${{ inputs.bump }}
 
       - name: Set up Open JDK 11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: 'temurin'
           java-version: '11'
@@ -129,7 +134,7 @@ jobs:
 
       - name: if not installing dependencies restore special previous git_sha cache
         if: ${{ ! inputs.install_maven_dependencies }}
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}-${{ steps.version.outputs.version_tag_numeric }}-${{ github.sha }}
@@ -148,7 +153,7 @@ jobs:
 
       - name: if installing dependencies use a standard cache key name
         if: ${{ inputs.install_maven_dependencies }}
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}-seed-cache
@@ -158,14 +163,14 @@ jobs:
       - name: seed_maven_cache
         if: ${{ inputs.seed_maven_cache }}
         id: cache
-        uses: ORCID/ORCID-Source-cache-action@main
+        uses: ORCID/ORCID-Source-cache-action@9831e0ffb2e9db46bffa6bb55fb897d159da5668 # main
         with:
           version_tag_numeric: ${{ steps.version.outputs.version_tag_numeric }}
 
       - name: install_dependencies and bump version
         if: ${{ inputs.install_maven_dependencies }}
         id: install_dependencies
-        uses: ORCID/ORCID-Source-dependencies-action@main
+        uses: ORCID/ORCID-Source-dependencies-action@e470d485ef8dc69858100998d77d03ccefb06ef1 # main
         with:
           version_tag_numeric: ${{ steps.version.outputs.version_tag_numeric }}
 
@@ -187,7 +192,7 @@ jobs:
 
       - name: setup node for angular static file
         if: ${{ matrix.project == 'orcid-web' }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 18.7.0
 

.github/workflows/install_maven_dependencies.yml

@@ -66,14 +66,19 @@ jobs:
   install_deps:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: git-checkout-ref-action
         id: ref
-        uses: ORCID/git-checkout-ref-action@main
+        uses: ORCID/git-checkout-ref-action@4258c0cbe4b164e410d0263416034787fb300f26 # main
         with:
           default_branch: ${{ github.event.repository.default_branch }}
           ref: ${{ inputs.ref }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ steps.ref.outputs.ref }}
           # checkout some history so we can scan commits for bump messages
@@ -82,19 +87,19 @@ jobs:
 
       - name: find next version
         id: version
-        uses: ORCID/version-bump-action@main
+        uses: ORCID/version-bump-action@75233259407ae3728171973d09bc66fcf4b15b6a # main
         with:
           version_tag: ${{ inputs.version_tag }}
           bump: ${{ inputs.bump }}
 
       - name: Set up Open JDK 11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: 'temurin'
           java-version: '11'
 
       - name: Restore the seeded cache but save dependencies into a new unique git sha hash with the expected version of the build
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}-${{ steps.version.outputs.version_tag_numeric }}-${{ github.sha }}
@@ -120,7 +125,7 @@ jobs:
 
       - name: install_dependencies
         id: install_dependencies
-        uses: ORCID/ORCID-Source-dependencies-action@main
+        uses: ORCID/ORCID-Source-dependencies-action@e470d485ef8dc69858100998d77d03ccefb06ef1 # main
         with:
           version_tag_numeric: ${{ steps.version.outputs.version_tag_numeric }}
 

.github/workflows/lint.yml

@@ -16,8 +16,13 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.10'
-      - uses: pre-commit/action@576ff52938d158a24ac7e009dfa94b1455e7df99
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/owasp_zap_full_scan.yml

@@ -56,15 +56,20 @@ jobs:
   rel_tag:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: git-checkout-ref-action
         id: ref
-        uses: ORCID/git-checkout-ref-action@main
+        uses: ORCID/git-checkout-ref-action@4258c0cbe4b164e410d0263416034787fb300f26 # main
         with:
           default_branch: ${{ github.event.repository.default_branch }}
           ref: ${{ inputs.ref }}
 
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # token with write permissions to protected branches
           # standard github token does not allow this
@@ -76,13 +81,13 @@ jobs:
 
       - name: find next version
         id: version
-        uses: ORCID/version-bump-action@main
+        uses: ORCID/version-bump-action@75233259407ae3728171973d09bc66fcf4b15b6a # main
         with:
           version_tag: ${{ inputs.version_tag }}
           bump: ${{ inputs.bump }}
 
       - name: tag repo create changelog and create release
-        uses: ORCID/changelog-action@main
+        uses: ORCID/changelog-action@a5a2787feb8462255492cdfc732b32adf4d0c5d0 # main
         with:
           version_tag: ${{ steps.version.outputs.version_tag }}
           slack_channel: tech-release

.github/workflows/rel_tag.yml

@@ -9,10 +9,15 @@ jobs:
   buildmavenDepTree:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Set up JDK 11
-        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           java-version: '11'
           distribution: 'temurin'
@@ -23,7 +28,7 @@ jobs:
       - name: Create zip with all dependency trees
         run: find . -type f -name 'maven_dep_tree.txt' -exec zip -r deptree.zip {} +
       - name: Upload zip
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: deptree
           path: deptree.zip
@@ -41,9 +46,9 @@ jobs:
     if: (github.actor != 'dependabot[bot]')
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Download Maven Dependencies
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: deptree
       - name: Extract zip and run Semgrep

.github/workflows/sast.yml

@@ -64,14 +64,19 @@ jobs:
   seed_cache:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: git-checkout-ref-action
         id: ref
-        uses: ORCID/git-checkout-ref-action@main
+        uses: ORCID/git-checkout-ref-action@4258c0cbe4b164e410d0263416034787fb300f26 # main
         with:
           default_branch: ${{ github.event.repository.default_branch }}
           ref: ${{ inputs.ref }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ steps.ref.outputs.ref }}
           # checkout some history so we can scan commits for bump messages
@@ -80,19 +85,19 @@ jobs:
 
       - name: find next version
         id: version
-        uses: ORCID/version-bump-action@main
+        uses: ORCID/version-bump-action@75233259407ae3728171973d09bc66fcf4b15b6a # main
         with:
           version_tag: ${{ inputs.version_tag }}
           bump: ${{ inputs.bump }}
 
       - name: Set up Open JDK 11
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: 'temurin'
           java-version: '11'
 
       - name: Cache local Maven repository keyed off the pom
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}-seed-cache
@@ -101,7 +106,7 @@ jobs:
 
       - name: seed_cache
         id: cache
-        uses: ORCID/ORCID-Source-cache-action@main
+        uses: ORCID/ORCID-Source-cache-action@9831e0ffb2e9db46bffa6bb55fb897d159da5668 # main
         with:
           version_tag_numeric: ${{ steps.version.outputs.version_tag_numeric }}