harden ci (#556)

* harden ci

* fix

* rmarks

* remarks

* fix

Author: mensfeld

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+/.github @mensfeld
+/.github/workflows/ @mensfeld
+/.github/actions/ @mensfeld

.github/workflows/ci.yml

@@ -6,16 +6,22 @@ concurrency:
 
 on:
   pull_request:
+    branches: [ main, master ]
   push:
+    branches: [ main, master ]
   schedule:
     - cron:  '0 1 * * *'
 
+permissions:
+  contents: read
+
 env:
   BUNDLE_RETRY: 6
   BUNDLE_JOBS: 4
 
 jobs:
   specs:
+    timeout-minutes: 15
     runs-on: ubuntu-latest
     needs: diffend
     strategy:
@@ -30,16 +36,19 @@ jobs:
           - ruby: '3.4'
             coverage: 'true'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          fetch-depth: 0
+
       - name: Install package dependencies
         run: "[ -e $APT_DEPS ] || sudo apt-get install -y --no-install-recommends $APT_DEPS"
 
-      - name: Start Kafka with docker compose
+      - name: Start Kafka with Docker Compose
         run: |
           docker compose up -d || (sleep 5 && docker compose up -d)
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@bbda85882f33075a3727c01e3c8d0de0be6146ce
         with:
           ruby-version: ${{matrix.ruby}}
           bundler-cache: true
@@ -49,7 +58,6 @@ jobs:
         run: |
           gem install bundler --no-document
           gem update --system --no-document
-
           bundle config set without 'tools benchmarks docs'
 
       - name: Bundle install
@@ -58,8 +66,7 @@ jobs:
           bundle install --jobs 4 --retry 3
 
       - name: Wait for Kafka
-        run: |
-          bundle exec bin/wait_for_kafka
+        run: bundle exec bin/wait_for_kafka
 
       - name: Run all tests
         env:
@@ -74,16 +81,17 @@ jobs:
         run: bin/verify_topics_naming
 
   diffend:
+    timeout-minutes: 5
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
 
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@bbda85882f33075a3727c01e3c8d0de0be6146ce
         with:
           ruby-version: 3.4
           bundler-cache: true
@@ -95,33 +103,47 @@ jobs:
         run: bundle secure
 
   coditsu:
+    timeout-minutes: 5
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
+      - name: Download Coditsu script
+        run: |
+          curl -sSL https://api.coditsu.io/run/ci -o coditsu_script.sh
+          chmod +x coditsu_script.sh
+      - name: Verify Coditsu script checksum
+        run: |
+          EXPECTED_SHA256="0aecc5aa010f53fca264548a41467a2b0a1208d750ce1da3e98a217304cacbbc"
+          ACTUAL_SHA256=$(sha256sum coditsu_script.sh | awk '{ print $1 }')
+          if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+            echo "::error::Checksum verification failed. Expected $EXPECTED_SHA256 but got $ACTUAL_SHA256."
+            exit 1
+          fi
       - name: Run Coditsu
         env:
           CODITSU_API_KEY: ${{ secrets.CODITSU_API_KEY }}
           CODITSU_API_SECRET: ${{ secrets.CODITSU_API_SECRET }}
-        run: \curl -sSL https://api.coditsu.io/run/ci | bash
-
+        run: ./coditsu_script.sh
 
   assets:
+    timeout-minutes: 10
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
         with:
           node-version: '17'
+          cache: npm
 
       - name: Cache node modules
-        uses: actions/cache@v4
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

.github/workflows/verify-action-pins.yml

@@ -0,0 +1,16 @@
+name: Verify Action Pins
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Check SHA pins
+        run: |
+          if grep -E -r "uses: .*/.*@(v[0-9]+|main|master)" .github/workflows/; then
+            echo "::error::Actions should use SHA pins, not tags or branch names"
+            exit 1
+          fi

renovate.json

@@ -2,5 +2,15 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base"
+  ],
+  "github-actions": {
+    "enabled": true,
+    "pinDigests": true
+  },
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "minimumReleaseAge": "7 days"
+    }
   ]
 }