Security fixes (#504)

## Overview

This PR adds a few security recommendations. The SBOM and provenance
adjustment is for testing purposes as the GitHub Workflow doesn't
currently push to DockerHub, but once we no longer have Docker autobuild
services, we may be using this for production.

Changes:

* Updated `setuptools` to address a CWE issue
* Restricted the allowed connections in PyPI and TestPyPI workflows
* Added the `nodefaults` source in conda configurations
* Specified a `nonroot` user for running the Docker service

## Related Issue / Discussion

Docker Teams Pro subscription is ending in a few weeks. Birdhouse docker
images will need to migrate to using the `push` option in
`docker/build-push-action` very soon.

Author: Zeitsperre

.github/workflows/docker-testing.yml

@@ -45,6 +45,8 @@ jobs:
           load: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          # platforms: linux/amd64,linux/arm64
+          # sbom: false
           push: false
       - name: Run Docker image
         uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3.0.0

.github/workflows/publish-pypi.yml

@@ -21,7 +21,13 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            ruf-repo-cdn.sigstore.dev:443
+            upload.pypi.org:443
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:

.github/workflows/tag-testpypi.yml

@@ -21,7 +21,13 @@ jobs:
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+            ruf-repo-cdn.sigstore.dev:443
+            test.pypi.org:443
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:

Dockerfile

@@ -23,4 +23,10 @@ RUN pip install . --no-deps
 
 # Start WPS service on port 5000 of 0.0.0.0
 EXPOSE 5000
+
+# Specify a non-root user to run the application
+RUN useradd --create-home --shell /bin/bash --uid 1000 nonroot && mkdir -p /tmp/matplotlib && chown -R nonroot:nonroot /code /home/nonroot /tmp/matplotlib /opt/conda/envs/finch
+USER nonroot
+ENV MPLCONFIGDIR=/tmp/matplotlib
+
 CMD ["gunicorn", "--bind=0.0.0.0:5000", "-t 60", "finch.wsgi:application"]

environment-dev.yml

@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - pywps >=4.6

environment-docs.yml

@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - anyascii >=0.3.0
@@ -10,7 +11,7 @@ dependencies:
   - nbsphinx >=0.9.5
   - pandas >=2.2.0
   - pywps >=4.5.1
-  - setuptools >=71.0.0
+  - setuptools >=78.1.1
   - sphinx >=7.0.0,<8.2.0 # Pinned until nbsphinx supports Sphinx 8.2
   - sphinxcontrib-bibtex >=2.6.0
   - xarray >=2023.11.0,<2025.3.0

environment.yml

@@ -1,6 +1,7 @@
 name: finch
 channels:
   - conda-forge
+  - nodefaults
 dependencies:
   - python >=3.10,<3.13
   - pip >=24.2.0
@@ -24,7 +25,7 @@ dependencies:
   - pyyaml >=6.0.1
   - scipy >=1.9.0
   - sentry-sdk
-  - setuptools >=71.0.0
+  - setuptools >=78.1.1
   - siphon
   - werkzeug >=3.0.6
   - xarray >=2023.11.0,<2025.03.0