From 93f60db26c7410e773e58b96d36235e0fbc3fc1e Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 6 Mar 2025 10:15:24 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 96 +++++++++++++++++++ .../workflows/apply-issue-labels-to-pr.yml | 10 +- .github/workflows/build-web.yml | 7 +- .github/workflows/chromatic.yml | 13 ++- .github/workflows/codeql.yml | 78 +++++++++++++++ .github/workflows/cron-surveyStatusUpdate.yml | 5 + .github/workflows/cron-weeklySummary.yml | 8 ++ .github/workflows/dependency-review.yml | 27 ++++++ .github/workflows/e2e.yml | 15 ++- .github/workflows/labeler.yml | 10 +- .github/workflows/lint.yml | 5 + .github/workflows/pr.yml | 5 + .github/workflows/prepare-release.yml | 5 + .github/workflows/release-changesets.yml | 13 ++- .../release-docker-github-experimental.yml | 20 ++-- .github/workflows/release-docker-github.yml | 20 ++-- .github/workflows/release-docker.yml | 16 +++- .github/workflows/scorecard.yml | 7 +- .github/workflows/semantic-pull-requests.yml | 11 ++- .github/workflows/sonarqube.yml | 7 +- .github/workflows/test.yml | 14 ++- .../workflows/tolgee-missing-key-check.yml | 9 +- .github/workflows/tolgee.yml | 11 ++- .../workflows/welcome-new-contributors.yml | 7 +- .pre-commit-config.yaml | 18 ++++ apps/web/Dockerfile | 2 +- 26 files changed, 392 insertions(+), 47 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..6fc3acd20d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,96 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: npm + directory: /apps/demo-react-native + schedule: + interval: daily + + - package-ecosystem: npm + directory: /apps/demo + schedule: + interval: daily + + - package-ecosystem: npm + directory: /apps/storybook + schedule: + interval: daily + + - package-ecosystem: docker + directory: /apps/web + schedule: + interval: daily + + - package-ecosystem: npm + directory: /apps/web + schedule: + interval: daily + + - package-ecosystem: npm + directory: / + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/api + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/config-eslint + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/config-prettier + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/config-typescript + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/database + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/js-core + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/js + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/lib + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/react-native + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/surveys + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/types + schedule: + interval: daily + + - package-ecosystem: npm + directory: /packages/vite-plugins + schedule: + interval: daily diff --git a/.github/workflows/apply-issue-labels-to-pr.yml b/.github/workflows/apply-issue-labels-to-pr.yml index 3299b591a8..b15d6e9873 100644 --- a/.github/workflows/apply-issue-labels-to-pr.yml +++ b/.github/workflows/apply-issue-labels-to-pr.yml @@ -5,6 +5,9 @@ on: types: - opened +permissions: + contents: read + jobs: label_on_pr: runs-on: ubuntu-latest @@ -15,8 +18,13 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Apply labels from linked issue to PR - uses: actions/github-script@v5 + uses: actions/github-script@211cb3fefb35a799baa5156f9321bb774fe56294 # v5.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index 99e9afb4d4..d029e9443c 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -12,7 +12,12 @@ jobs: timeout-minutes: 30 steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: ./.github/actions/dangerous-git-checkout - name: Build & Cache Web Binaries diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 3be713976c..cb0ab7d0c3 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -11,19 +11,24 @@ jobs: name: Run Chromatic runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: 20 - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Install dependencies run: pnpm install --config.platform=linux --config.architecture=x64 - name: Run Chromatic - uses: chromaui/action@latest + uses: chromaui/action@c93e0bc3a63aa176e14a75b61a31847cbfdd341c # latest with: # ⚠️ Make sure to configure a `CHROMATIC_PROJECT_TOKEN` repository secret projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }} diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..1edfcf39fe --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["javascript", "typescript"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/cron-surveyStatusUpdate.yml b/.github/workflows/cron-surveyStatusUpdate.yml index 46ab2b4e73..1e92f2f5aa 100644 --- a/.github/workflows/cron-surveyStatusUpdate.yml +++ b/.github/workflows/cron-surveyStatusUpdate.yml @@ -18,6 +18,11 @@ jobs: CRON_SECRET: ${{ secrets.CRON_SECRET }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: cURL request if: ${{ env.APP_URL && env.CRON_SECRET }} run: | diff --git a/.github/workflows/cron-weeklySummary.yml b/.github/workflows/cron-weeklySummary.yml index 9516f7870f..3a65df5994 100644 --- a/.github/workflows/cron-weeklySummary.yml +++ b/.github/workflows/cron-weeklySummary.yml @@ -7,6 +7,9 @@ on: schedule: # Runs “At 08:00 on Monday.” (see https://crontab.guru) - cron: "0 8 * * 1" +permissions: + contents: read + jobs: cron-weeklySummary: permissions: @@ -16,6 +19,11 @@ jobs: CRON_SECRET: ${{ secrets.CRON_SECRET }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: cURL request if: ${{ env.APP_URL && env.CRON_SECRET }} run: | diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..3781c57654 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 3517881c48..62f89572a3 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -43,16 +43,21 @@ jobs: --health-timeout=5s --health-retries=5 steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: ./.github/actions/dangerous-git-checkout - name: Setup Node.js 20.x - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: 20.x - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Install dependencies run: pnpm install --config.platform=linux --config.architecture=x64 @@ -112,7 +117,7 @@ jobs: - name: Azure login if: env.AZURE_ENABLED == 'true' - uses: azure/login@v2 + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -130,7 +135,7 @@ jobs: run: | pnpm test:e2e - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 if: always() with: name: playwright-report diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index a5445be9ae..18b82b4b33 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -4,6 +4,9 @@ on: concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: labeler: name: Pull Request Labeler @@ -12,7 +15,12 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" # https://github.com/actions/labeler/issues/442#issuecomment-1297359481 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index a44cd153f0..47e36da4ec 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -12,6 +12,11 @@ jobs: timeout-minutes: 15 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: ./.github/actions/dangerous-git-checkout diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 6da3038d27..694b04a74c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -50,6 +50,11 @@ jobs: checks: write statuses: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: fail if conditional jobs failed if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'skipped') || contains(needs.*.result, 'cancelled') run: exit 1 diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index cf1997e9e4..c2ad9307f2 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -18,6 +18,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: ./.github/actions/dangerous-git-checkout diff --git a/.github/workflows/release-changesets.yml b/.github/workflows/release-changesets.yml index 46e1d7a882..ea4037dd3b 100644 --- a/.github/workflows/release-changesets.yml +++ b/.github/workflows/release-changesets.yml @@ -26,23 +26,28 @@ jobs: TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }} TURBO_TEAM: ${{ secrets.TURBO_TEAM }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout Repo - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup Node.js 18.x - uses: actions/setup-node@v2 + uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2 with: node-version: 18.x - name: Install pnpm - uses: pnpm/action-setup@v2.2.4 + uses: pnpm/action-setup@c3b53f6a16e57305370b4ae5a540c2077a1d50dd # v2.2.4 - name: Install Dependencies run: pnpm install --config.platform=linux --config.architecture=x64 - name: Create Release Pull Request or Publish to npm id: changesets - uses: changesets/action@v1 + uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1.4.9 with: # This expects you to have a script called release which does a build for your packages and calls changeset publish publish: pnpm release diff --git a/.github/workflows/release-docker-github-experimental.yml b/.github/workflows/release-docker-github-experimental.yml index ea3dcbdef7..c009debdcd 100644 --- a/.github/workflows/release-docker-github-experimental.yml +++ b/.github/workflows/release-docker-github-experimental.yml @@ -17,6 +17,9 @@ env: TURBO_TEAM: ${{ secrets.TURBO_TEAM }} DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -28,23 +31,28 @@ jobs: id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.5.0 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v3 # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -54,7 +62,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 # v5.0.0 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -62,7 +70,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: tw0fqmsx3c token: ${{ secrets.DEPOT_PROJECT_TOKEN }} diff --git a/.github/workflows/release-docker-github.yml b/.github/workflows/release-docker-github.yml index ea348eba99..d648ae6760 100644 --- a/.github/workflows/release-docker-github.yml +++ b/.github/workflows/release-docker-github.yml @@ -20,6 +20,9 @@ env: TURBO_TEAM: ${{ secrets.TURBO_TEAM }} DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -31,23 +34,28 @@ jobs: id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Depot CLI - uses: depot/setup-action@v1 + uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0 # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer - name: Install cosign if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@v3.5.0 + uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v3 # v3.0.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -57,7 +65,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v5 # v5.0.0 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -65,7 +73,7 @@ jobs: # https://github.com/docker/build-push-action - name: Build and push Docker image id: build-and-push - uses: depot/build-push-action@v1 + uses: depot/build-push-action@636daae76684e38c301daa0c5eca1c095b24e780 # v1.14.0 with: project: tw0fqmsx3c token: ${{ secrets.DEPOT_PROJECT_TOKEN }} diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml index 0c288e6cbe..3f4c3680c7 100644 --- a/.github/workflows/release-docker.yml +++ b/.github/workflows/release-docker.yml @@ -5,6 +5,9 @@ on: tags: - "v*" +permissions: + contents: read + jobs: release-image-on-dockerhub: name: Release on Dockerhub @@ -16,17 +19,22 @@ jobs: TURBO_TEAM: ${{ secrets.TURBO_TEAM }} DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/formbricks?schema=public" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout Repo - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Log in to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0 - name: Get Release Tag id: extract_release_tag @@ -36,7 +44,7 @@ jobs: echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV - name: Build and push Docker image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4.2.1 with: context: . file: ./apps/web/Dockerfile diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 483814d9f4..e82bdca819 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,6 +34,11 @@ jobs: # actions: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -71,6 +76,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10 with: sarif_file: results.sarif diff --git a/.github/workflows/semantic-pull-requests.yml b/.github/workflows/semantic-pull-requests.yml index 95cbdb7d26..99494775a5 100644 --- a/.github/workflows/semantic-pull-requests.yml +++ b/.github/workflows/semantic-pull-requests.yml @@ -16,7 +16,12 @@ jobs: name: PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 id: lint_pr_title env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -35,7 +40,7 @@ jobs: revert ossgg - - uses: marocchino/sticky-pull-request-comment@v2 + - uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1 # When the previous steps fails, the workflow would stop. By adding this # condition you can continue the execution with the populated error message. if: always() && (steps.lint_pr_title.outputs.error_message != null) @@ -54,7 +59,7 @@ jobs: # Delete a previous comment when the issue has been resolved - if: ${{ steps.lint_pr_title.outputs.error_message == null }} - uses: marocchino/sticky-pull-request-comment@v2 + uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1 with: header: pr-title-lint-error message: | diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index d5ee858164..65d26fe7b7 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -14,7 +14,12 @@ jobs: name: SonarQube runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 93efc057eb..f1bad54204 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,6 +1,9 @@ name: Tests on: workflow_call: +permissions: + contents: read + jobs: build: name: Unit Tests @@ -10,16 +13,21 @@ jobs: contents: read steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: ./.github/actions/dangerous-git-checkout - name: Setup Node.js 20.x - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: 20.x - name: Install pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 - name: Install dependencies run: pnpm install --config.platform=linux --config.architecture=x64 diff --git a/.github/workflows/tolgee-missing-key-check.yml b/.github/workflows/tolgee-missing-key-check.yml index 869cd3965b..56428018b5 100644 --- a/.github/workflows/tolgee-missing-key-check.yml +++ b/.github/workflows/tolgee-missing-key-check.yml @@ -12,11 +12,16 @@ jobs: check-missing-translations: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: 18 diff --git a/.github/workflows/tolgee.yml b/.github/workflows/tolgee.yml index 2eea564ad4..c08fc740bb 100644 --- a/.github/workflows/tolgee.yml +++ b/.github/workflows/tolgee.yml @@ -15,8 +15,13 @@ jobs: if: github.event.pull_request.merged == true steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # This ensures we get the full git history @@ -38,7 +43,7 @@ jobs: echo "Detected source branch: $SOURCE_BRANCH" - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: 18 # Ensure compatibility with your project @@ -77,7 +82,7 @@ jobs: --yes - name: Upload backup as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: name: tolgee-backup-${{ github.sha }} path: ./tolgee-backup diff --git a/.github/workflows/welcome-new-contributors.yml b/.github/workflows/welcome-new-contributors.yml index eed2897749..332a34e04a 100644 --- a/.github/workflows/welcome-new-contributors.yml +++ b/.github/workflows/welcome-new-contributors.yml @@ -17,7 +17,12 @@ jobs: timeout-minutes: 10 if: github.event.action == 'opened' steps: - - uses: actions/first-interaction@v1 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 + with: + egress-policy: audit + + - uses: actions/first-interaction@3c71ce730280171fd1cfb57c00c774f8998586f7 # v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000000..723e338d33 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,18 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck +- repo: https://github.com/pre-commit/mirrors-eslint + rev: v8.38.0 + hooks: + - id: eslint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile index 5df93dac6f..2bee6c354f 100644 --- a/apps/web/Dockerfile +++ b/apps/web/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22-alpine3.20 AS base +FROM node:22-alpine3.20@sha256:40be979442621049f40b1d51a26b55e281246b5de4e5f51a18da7beb6e17e3f9 AS base # ## step 1: Prune monorepo