[StepSecurity] Apply security best practices

.github/workflows/build-docs.yaml

@@ -27,11 +27,16 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: [self-hosted, sdk-runner]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.9
 
@@ -66,14 +71,14 @@ jobs:
           # the return code.
 
       - name: Setup Pages
-        uses: actions/configure-pages@v2
+        uses: actions/configure-pages@c5a3e1159e0cbdf0845eb8811bd39e39fc3099c2 # v2.1.3
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@84bb4cd4b733d5c320c9c9cfbc354937524f4d64 # v1.0.10
         with:
           # Upload entire repository
           path: '.'
 
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@f27bcc15848fdcdcc02f01754eb838e44bcf389b # v1.2.9

.github/workflows/build-package.yaml

@@ -30,11 +30,16 @@ jobs:
   build_sdk:
     runs-on: [self-hosted, sdk-runner]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code with caching for Git LFS
-        uses: nschloe/action-cached-lfs-checkout@v1.2.0
+        uses: nschloe/action-cached-lfs-checkout@b45b5731560fe7acf2d15c536bc8aef4f71c885e # v1.2.0
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.9
 
@@ -59,7 +64,7 @@ jobs:
 
       - name: Upload wheel and source files as github artifact
         # Publish the built wheel and source tarball to github
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: geti_sdk

.github/workflows/nightly-tests.yaml

@@ -46,8 +46,13 @@ jobs:
 
     steps:
 
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code with caching for Git LFS
-        uses: nschloe/action-cached-lfs-checkout@v1.2.0
+        uses: nschloe/action-cached-lfs-checkout@b45b5731560fe7acf2d15c536bc8aef4f71c885e # v1.2.0
 
       - name: Create fresh conda environment
         # Steps: check if env named $CONDA_ENV exists, if so remove it. Create new env
@@ -105,15 +110,15 @@ jobs:
 
       - name: Upload artifacts for nightly tests
         # Publish the test artifacts in the $ARTIFACT_DIRECTORY to github
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: artifacts
           path: ${{ env.ARTIFACT_DIRECTORY }}
 
       - name: Upload test reports
         # Publish the test reports to github
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: test-reports

.github/workflows/pre-merge-tests.yml

@@ -34,13 +34,18 @@ jobs:
       max-parallel: 4
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           lfs: true
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -75,7 +80,7 @@ jobs:
 
       - name: Upload test report for pre-merge tests
         # Publish the test report to github
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: pre-merge-test-reports

.github/workflows/record-vcr-cassettes.yaml

@@ -24,13 +24,18 @@ jobs:
     runs-on: [self-hosted, sdk-runner]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           lfs: true
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
@@ -85,14 +90,14 @@ jobs:
           git fetch
 
       - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@9870d48124da805820c70ebc6ba563c715551019 # master
         with:
             github_token: ${{ secrets.GITHUB_TOKEN }}
             branch: ${{ github.ref }}
 
       - name: Upload test reports
         # Publish the test reports to GitHub
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: test-reports

.github/workflows/scorecard.yml

@@ -31,6 +31,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:

.github/workflows/security-scan.yaml

@@ -22,11 +22,16 @@ jobs:
       actions: read
       contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.9
 
@@ -47,7 +52,7 @@ jobs:
           bandit -r . --ini tox.ini -f 'txt' -o $REPORT_DIRECTORY/bandit.txt -v
 
       - name: Trivy vulnerability scan
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # master
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -56,13 +61,13 @@ jobs:
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@b7cec7526559c32f1616476ff32d17ba4c59b2d6 # v3.25.5
         with:
           sarif_file: 'trivy-results.sarif'
 
       - name: Upload test reports
         # Publish the test reports to github
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ always() }}
         with:
           name: test-reports

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.8-bullseye
+FROM python:3.8-bullseye@sha256:5277b878d90029446c0124f08064ff3eba05a4d5ce182ee4b17a52a32d83d392
 
 RUN apt-get update && apt-get install -y --no-install-recommends python3-opencv libgl1