diff --git a/.github/workflows/build_dispatch.yml b/.github/workflows/build_dispatch.yml
index 5c9f6c8908..675eef09e9 100644
--- a/.github/workflows/build_dispatch.yml
+++ b/.github/workflows/build_dispatch.yml
@@ -9,8 +9,14 @@ jobs:
name: "Trigger downstream repos"
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: Trigger nest/nest-extension-module CI
- uses: peter-evans/repository-dispatch@v2
+ uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588 # v2.1.1
with:
token: ${{ secrets.NEST_EXTENSION_MODULE_TRIGGER_TOKEN }}
repository: 'nest/nest-extension-module'
diff --git a/.github/workflows/ebrains-push.yml b/.github/workflows/ebrains-push.yml
index e47392926e..6633e8356c 100644
--- a/.github/workflows/ebrains-push.yml
+++ b/.github/workflows/ebrains-push.yml
@@ -9,6 +9,12 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'nest' }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: sycnmaster
uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
with:
diff --git a/.github/workflows/hifis-push.yml b/.github/workflows/hifis-push.yml
index 8b5899870b..e7ed9f34bb 100644
--- a/.github/workflows/hifis-push.yml
+++ b/.github/workflows/hifis-push.yml
@@ -9,6 +9,12 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'nest' }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: sycnmaster
uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
with:
diff --git a/.github/workflows/jsc-push.yml b/.github/workflows/jsc-push.yml
index 6201876d2d..8f599e4fe5 100644
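Review bot: `egress-policy: audit` in the build_dispatch job only records outbound connections, so the Harden Runner step added ahead of `repository-dispatch` does not yet stop a compromised action from sending `NEST_EXTENSION_MODULE_TRIGGER_TOKEN` somewhere else. This job appears to need nothing beyond the GitHub API, which makes it the cheapest place to go to block mode: `egress-policy: block` followed by `allowed-endpoints: >` and `api.github.com:443` (confirm against the audit report of a first run before switching). Separately, the `# v2.1.1` and `# v2.5.0` trailers are not validated by GitHub, so check that each comment names the tag that actually resolves to the pinned SHA, since Dependabot/Renovate read that comment to track updates.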
--- a/.github/workflows/jsc-push.yml
+++ b/.github/workflows/jsc-push.yml
@@ -9,6 +9,12 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.repository_owner == 'nest' }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: sycnmaster
uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
with:
diff --git a/.github/workflows/nestbuildmatrix.yml b/.github/workflows/nestbuildmatrix.yml
index 221bbcf156..d96bfdfed5 100644
--- a/.github/workflows/nestbuildmatrix.yml
+++ b/.github/workflows/nestbuildmatrix.yml
@@ -13,8 +13,14 @@ jobs:
CLANG_REQUIRE_VERSION: 17.0.4
CLANG_FORMAT_FILE: ".clang-format"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
@@ -30,8 +36,14 @@ jobs:
cppcheck:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
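Review bot: `uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83` in jsc-push is the one SHA-pinned action in this change that carries no version trailer, unlike every other `uses:` line here; once the tag behind that commit is confirmed upstream, add it in the same form, `uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83 # <tag>`, so automated bumps can track it. The same applies to the identical ebrains-push and hifis-push hunks. These mirror jobs presumably reach only github.com and the mirror host (which the hunk does not show), so `egress-policy: block` with a short `allowed-endpoints` list is likely feasible after one audit run confirms the hosts.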
@@ -47,13 +59,19 @@ jobs:
rstcheck:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -68,13 +86,19 @@ jobs:
vale:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -94,13 +118,19 @@ jobs:
copyright_headers:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
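Review bot: the six-line Harden Runner prelude is copied verbatim into each job (rstcheck, vale and copyright_headers in these hunks), and GitHub Actions does not expand YAML anchors, so the `egress-policy` value and the `# v2.5.0` pin will drift the first time one copy is edited and the others are not. If a Dependabot or Renovate `github-actions` configuration is not already in the repository, adding one keeps every copy of a SHA pin moving together; a reusable workflow for the shared checkout/setup-python preamble is the other way to cut the duplication. These lint jobs presumably contact only github.com and PyPI, so they are also reasonable candidates for `egress-policy: block` once one audit run has listed the endpoints.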
@@ -115,13 +145,19 @@ jobs:
unused_names:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -132,8 +168,14 @@ jobs:
forbidden_types:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
@@ -144,8 +186,14 @@ jobs:
lychee_IGNORED:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
@@ -165,13 +213,19 @@ jobs:
pydocstyle:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -186,13 +240,19 @@ jobs:
mypy:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -231,7 +291,7 @@ jobs:
# name: "build-${{ matrix.os }}-${{ matrix.cpp_compiler }}-${{ matrix.use }}"
# - name: "Set up Python 3.x"
- # uses: actions/setup-python@v4
+ # uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
# with:
# python-version: 3.9
@@ -253,12 +313,12 @@ jobs:
# needs: [build_macos]
# steps:
# - name: "Checkout repository content"
- # uses: actions/checkout@v3
+ # uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# with:
# fetch-depth: 0
# - name: "Set up Python 3.x"
- # uses: actions/setup-python@v4
+ # uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
# with:
# python-version: 3.9
@@ -273,13 +333,19 @@ jobs:
pylint:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -307,8 +373,14 @@ jobs:
black:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
@@ -320,13 +392,19 @@ jobs:
flake8:
runs-on: "ubuntu-20.04"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -343,13 +421,19 @@ jobs:
runs-on: "ubuntu-20.04"
needs: [pydocstyle, rstcheck, vale]
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
# Using 3.8 because Read the docs does not work with higher versions.
# See also: https://github.com/nest/nest-simulator/pull/2744
@@ -370,7 +454,7 @@ jobs:
make docs |& tee sphinx-output.log
- name: Upload artifacts
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "sphinx-rtd output"
path: |
@@ -383,8 +467,14 @@ jobs:
if: false
needs: [pydocstyle, rstcheck, vale]
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
@@ -410,7 +500,7 @@ jobs:
make html |& tee sphinx-output.log
- name: Upload artifacts
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
path: |
build/sphinx-output.log
@@ -440,18 +530,24 @@ jobs:
- "openmp, mpi, python, gsl, ltdl, boost, hdf5, sionlib, libneurosim, optimize, warning"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
- name: "Restore apt cache"
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
env:
cache-name: "apt-cache"
with:
@@ -492,7 +588,7 @@ jobs:
# source (hashed), compiler (mtime+size) and compile flags.
env:
cache-name: "ccache"
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
$HOME/.ccache
@@ -508,7 +604,7 @@ jobs:
- name: "Restore pip cache"
env:
cache-name: "pip-cache"
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
/opt/hostedtoolcache/Python/**/site-packages/*
@@ -609,7 +705,7 @@ jobs:
make VERBOSE=1 installcheck
- name: "Upload install and test results"
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: always()
with:
name: "build-logs-${{ matrix.os }}-${{ matrix.cpp_compiler }}-${{ matrix.use }}"
@@ -639,13 +735,19 @@ jobs:
- "openmp, mpi, python, gsl, ltdl, boost, hdf5, optimize, warning"
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
- name: "Checkout repository content"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- name: "Set up Python 3.x"
- uses: actions/setup-python@v4
+ uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
with:
python-version: 3.9
@@ -656,7 +758,7 @@ jobs:
- name: "Restore pip cache"
env:
cache-name: "pip-cache"
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
with:
path: |
/opt/hostedtoolcache/Python/**/site-packages/*
@@ -723,7 +825,7 @@ jobs:
make VERBOSE=1 installcheck
- name: "Upload install and test results"
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
if: ${{ always() }}
with:
name: "${{ matrix.NEST_BUILD_TYPE }}-build-logs-${{ matrix.os }}-${{ matrix.cpp_compiler }}"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 9757187ebc..82b3dcd13f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -16,7 +16,13 @@ jobs:
pull-requests: write
steps:
- - uses: actions/stale@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+ with:
+ egress-policy: audit
+ disable-telemetry: true
+
+ - uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 # v3.0.19
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'Issue automatically marked stale!'
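Review bot: the stale job runs with `pull-requests: write` on `secrets.GITHUB_TOKEN` and, from what the hunk shows, talks only to the GitHub API, so leaving Harden Runner at `egress-policy: audit` switches off the one control that would cost nothing here; `egress-policy: block` followed by `allowed-endpoints: >` and `api.github.com:443` should be safe once a first audit run confirms no other host is contacted. The re-pinned `- uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757 # v3.0.19` step is still the only unnamed step in the workflow; a `name: Mark stale issues and pull requests` line above `uses:` keeps run logs consistent with the named Harden Runner step. The pin also freezes the action on the v3 line that `@v3` used to float on; confirm that staying on that major is intended rather than a side effect of the pinning.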