[StepSecurity] Apply security best practices (#449)

* [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> * Update ghaction-github-labeler.yaml * Update issue-auto.yaml * Update stale.yaml --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Ludy <Ludy87@users.noreply.github.com>
Ludy87 · Dec 30, 2024 · b88d9d1 · b88d9d1
1 parent c14211f
commit b88d9d1
Show file tree

Hide file tree

Showing 16 changed files with 135 additions and 30 deletions.
diff --git a/.github/workflows/a_pre_commit.yml b/.github/workflows/a_pre_commit.yml
@@ -22,11 +22,11 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ secrets.TOKEN }}
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: 3.12
       - name: Set up git config
@@ -43,7 +43,7 @@ jobs:
           git diff --staged --quiet || git commit -m ":file_folder: pre-commit
           > Made via .github/workflows/a_pre_commit.yml" || echo "pre-commit: no changes"
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           token: ${{ secrets.TOKEN }}
           commit-message: Update files

diff --git a/.github/workflows/actions-labeler.yaml b/.github/workflows/actions-labeler.yaml
@@ -14,9 +14,14 @@ jobs:
     permissions:
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
-      - uses: actions/labeler@v5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           configuration-path: .github/workflows/config/labeler.yml
           sync-labels: false

diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -41,12 +41,17 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +62,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -71,6 +76,6 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/community.yaml b/.github/workflows/community.yaml
@@ -15,8 +15,13 @@ jobs:
     if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Check Labels
         id: labeler
-        uses: jimschubert/labeler-action@v2
+        uses: jimschubert/labeler-action@cfce1831f33e0e4604bbc4e6933eb2f56c2fa530 # v2
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/ghaction-github-labeler.yaml b/.github/workflows/ghaction-github-labeler.yaml
@@ -15,13 +15,19 @@ jobs:
     if: ${{ github.event.pull_request.user.login != 'dependabot[bot]' }}
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: read
+      issues: write  # for crazy-max/ghaction-github-labeler to create, rename, update and delete label
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Run Labeler
-        uses: crazy-max/ghaction-github-labeler@v5
+        uses: crazy-max/ghaction-github-labeler@de749cf181958193cb7debf1a9c5bb28922f3e1b # v5.0.0
         with:
           github-token: ${{ secrets.TOKEN }}
           yaml-file: .github/labels.yaml

diff --git a/.github/workflows/hassfest.yaml b/.github/workflows/hassfest.yaml
@@ -20,14 +20,24 @@ jobs:
     name: "HACS Validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: HACS Action
-        uses: hacs/action@main
+        uses: hacs/action@70694a570839431b5c69ff0eba599a213dc7a43b # main
         with:
           category: "integration"
   validate_hassfest:
     name: "Hassfest Validation"
     runs-on: "ubuntu-latest"
     steps:
-      - uses: actions/checkout@v4
-      - uses: home-assistant/actions/hassfest@master
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: home-assistant/actions/hassfest@b227dff9ccf75101173b686878bc63852de8ea46 # master
diff --git a/.github/workflows/issue-auto.yaml b/.github/workflows/issue-auto.yaml
@@ -11,11 +11,16 @@ jobs:
   titlePrefixCheck:
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write  # for peter-evans/close-issue to close issues
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - if: contains(github.event.issue.title, 'Logout') || contains(github.event.issue.title, 'app')
         name: Close Issue
-        uses: peter-evans/close-issue@v3
+        uses: peter-evans/close-issue@276d7966e389d888f011539a86c8920025ea0626 # v3.0.1
         with:
           comment: |
             [# Workaround for logout in the Xplora® App](https://github.com/Ludy87/xplora_watch/issues/24)

diff --git a/.github/workflows/issue-lock.yaml b/.github/workflows/issue-lock.yaml
@@ -18,7 +18,12 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: dessant/lock-threads@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ secrets.TOKEN }}
           add-issue-labels: "outdated"

diff --git a/.github/workflows/label-actions.yaml b/.github/workflows/label-actions.yaml
@@ -19,6 +19,11 @@ jobs:
       pull-requests: write
       discussions: write
     steps:
-      - uses: dessant/label-actions@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: dessant/label-actions@102faf474a544be75fbaf4df54e73d3c515a0e65 # v4.0.1
         with:
           config-path: .github/label-actions.yaml
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
@@ -16,10 +16,15 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v4.1.6
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Check if Pull Request
         id: check_pr
         run: echo "is_pull_request=${{ github.event_name == 'pull_request' }}" >> $GITHUB_ENV
       - if: env.is_pull_request == 'true'
         name: Merge
-        uses: Ludy87/action/merge@v1.0.7
+        uses: Ludy87/action/merge@d5cd9da51b4f77739b9b399d5a855b26905c3143 # v1.0.7
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -17,12 +17,17 @@ jobs:
       contents: write
       attestations: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
       - name: Set up Python 3
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
           python-version: |
             3.12

diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -12,10 +12,16 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     permissions:
-      issues: write
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - name: X days stale issues
-        uses: actions/stale@v9
+        uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

diff --git a/.github/workflows/unlock-reopened.yaml b/.github/workflows/unlock-reopened.yaml
@@ -12,6 +12,11 @@ jobs:
     name: Unlock Reopened
     runs-on: ubuntu-latest
     steps:
-      - uses: OSDKDev/unlock-issues@v1
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: OSDKDev/unlock-issues@b06b7f7e5c3f2eaa1c6d5d89f40930e4d6d9699e # v1
         with:
           repo-token: "${{ secrets.TOKEN }}"
diff --git a/.github/workflows/update_hacs.yaml b/.github/workflows/update_hacs.yaml
@@ -18,5 +18,10 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: actions/checkout@v4.1.6
-      - uses: Ludy87/action/update_hacs_hassio@v1.0.7
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: Ludy87/action/update_hacs_hassio@d5cd9da51b4f77739b9b399d5a855b26905c3143 # v1.0.7
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -37,6 +37,8 @@ repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
       - id: check-executables-have-shebangs
         stages: [manual]
       - id: check-json
@@ -65,3 +67,7 @@ repos:
     rev: v8.22.0
     hooks:
       - id: gitleaks
+  - repo: https://github.com/pylint-dev/pylint
+    rev: v2.17.2
+    hooks:
+      - id: pylint