Merge pull request #333 from step-security-bot/chore/GHA-230313-stepsecurity-remediation

[StepSecurity] Apply security best practices
Sun Yimin 2025-06-23 11:19:50 +08:00 committed by GitHub
commit 87cfc1480d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 118 additions and 27 deletions


@ -9,3 +9,13 @@ updates:
directory: "/" # Location of package manifests directory: "/" # Location of package manifests
schedule: schedule:
interval: "weekly" interval: "weekly"
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
- package-ecosystem: docker
directory: /internal/sm2ec/fiat
schedule:
interval: daily
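Review bot: The two new dependabot entries use plain scalars (`directory: /`, `interval: daily`) while the existing entry a few lines above quotes the same fields (`"/"`, `"weekly"`); pick one form for the whole file. The `github-actions` entry is the mechanism that keeps the commit-SHA pins and their `# vX.Y.Z` trailing comments added elsewhere in this commit current, so its `daily` cadence is a reasonable choice. The `docker` entry for `/internal/sm2ec/fiat` at `daily` will raise a PR on every base-image bump; whether that Dockerfile is exercised in CI at all is not visible here, so `weekly` (matching the existing entry) may be the better default if it is only a code-generation helper.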


@ -6,6 +6,9 @@ on:
pull_request: pull_request:
branches: [ main ] branches: [ main ]
permissions:
contents: read
jobs: jobs:
build: build:
@ -14,11 +17,16 @@ jobs:
matrix: matrix:
goVer: ['1.23', '1.24'] goVer: ['1.23', '1.24']
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Checkout Repo - name: Checkout Repo
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.goVer }} go-version: ${{ matrix.goVer }}
@ -36,7 +44,7 @@ jobs:
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
if: ${{ matrix.goVer == '1.24' }} if: ${{ matrix.goVer == '1.24' }}
uses: codecov/codecov-action@v5 uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
with: with:
files: ./coverage1.txt,./coverage2.txt files: ./coverage1.txt,./coverage2.txt
env: env:
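Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections from the runner; it does not block any, so the benefit of this step is visibility, not containment. Once the audit runs have produced a baseline of expected endpoints, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list so an unexpected destination fails the job instead of being logged. The same applies to the identical harden-runner steps added to every other workflow in this commit. The workflow-level `permissions: contents: read` is a sound default; the Codecov step's `env:` block continues outside the hunk, so confirm the token it passes is referenced from a repository secret rather than written inline.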


@ -15,22 +15,34 @@ on:
# * * * * * # * * * * *
- cron: '30 1 * * *' - cron: '30 1 * * *'
permissions:
contents: read
jobs: jobs:
CodeQL-Build: CodeQL-Build:
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/autobuild to send a status report
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v2 uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
with: with:
languages: go languages: go
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@v2 uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2 uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
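Review bot: The three CodeQL steps are pinned to the v2 line (`# v2.28.1`) while the scorecard workflow in this same commit pins `github/codeql-action/upload-sarif` to the v3 line (`# v3.29.0`); the v2 line of codeql-action is deprecated upstream and no longer receives analyzer updates, so pinning to it freezes the scanner at an old query pack. All codeql-action sub-actions live in one repository, so the commit already used for upload-sarif can be reused here, e.g. `uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0` and likewise for autobuild and analyze. The job-level permissions block is the right scope, but the comment on `security-events: write` names only autobuild's status report; the analyze step is the one that uploads results, so `# for github/codeql-action/analyze to upload results` would be the more accurate note.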


@ -6,12 +6,20 @@ on:
- 'go.mod' - 'go.mod'
- 'go.sum' - 'go.sum'
permissions:
contents: read
jobs: jobs:
update-licenses: update-licenses:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - name: Harden the runner (Audit all outbound calls)
- uses: actions/setup-go@v5 uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: '1.23' go-version: '1.23'
- name: Install go-licenses - name: Install go-licenses
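Review bot: The new workflow-level `permissions: contents: read` will deny any later step in update-licenses that commits or pushes regenerated license files; the remainder of the job after `Install go-licenses` is outside the hunk, so verify whether it writes back to the repository and, if it does, add a job-level `permissions:` with `contents: write` (and `pull-requests: write` if it opens a PR) rather than widening the workflow default. Style: the checkout and setup-go steps remain bare `- uses:` entries while the new harden-runner step is named; `- name: Checkout repository` and `- name: Set up Go` keep the job log readable and match the other workflows in this commit.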


@ -6,15 +6,23 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- uses: actions/checkout@v4 - name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: 1.23 go-version: 1.23
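Review bot: `go-version: 1.23` on the last line of the hunk is an unquoted float; it happens to round-trip for 1.23, but a future `1.30` would be parsed as `1.3`, and the update-licenses workflow in this commit already writes the same value as `'1.23'`. Quote it: `go-version: '1.23'`. The checkout step is also left unnamed while the new harden-runner step carries a `name:`; `- name: Checkout repository` keeps this file consistent with the other workflows.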


@ -33,6 +33,11 @@ jobs:
# actions: read # actions: read
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: "Checkout code" - name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
@ -73,6 +78,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional). # Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning" - name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
with: with:
sarif_file: results.sarif sarif_file: results.sarif


@ -9,6 +9,9 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
test: test:
@ -19,16 +22,21 @@ jobs:
ppc64: [power8] ppc64: [power8]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Test internal - name: Test internal
run: go test -v ./internal/... run: go test -v ./internal/...


@ -9,6 +9,9 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
test: test:
@ -18,16 +21,21 @@ jobs:
arch: [arm64] arch: [arm64]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Test - name: Test
run: go test -v -short ./... run: go test -v -short ./...


@ -9,6 +9,9 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
test: test:
@ -18,16 +21,21 @@ jobs:
arch: [riscv64] arch: [riscv64]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Test - name: Test
run: go test -v -short ./internal/... run: go test -v -short ./internal/...


@ -9,6 +9,9 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
test: test:
@ -18,16 +21,21 @@ jobs:
arch: [s390x] arch: [s390x]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Test internal - name: Test internal
run: go test -v ./internal/... run: go test -v ./internal/...


@ -9,6 +9,9 @@ on:
pull_request: pull_request:
branches: [ "main" ] branches: [ "main" ]
permissions:
contents: read
jobs: jobs:
test: test:
@ -18,16 +21,21 @@ jobs:
arch: [arm64] arch: [arm64]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v5 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with: with:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Check out code - name: Check out code
uses: actions/checkout@v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Test - name: Test
run: go test -v -short ./... run: go test -v -short ./...