diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 6347e9da6..b89c2e07b 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,2 +1,30 @@
 # Default code owners for entire repository
-* @SimiHunjan @ochikov @petreze @svetoslav-nikol0v @agadzhalov
+* @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+#########################
+##### Core Files ######
+#########################
+
+# NOTE: Must be placed last to ensure enforcement over all other rules
+
+# Protection Rules for Github Configuration Files and Actions Workflows
+/.github/ @hashgraph/release-engineering @hashgraph/release-engineering-managers
+/.github/workflows/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Codacy Tool Configurations
+/config/ @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+.remarkrc @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Self-protection for root CODEOWNERS files (this file should not exist and should definitely require approval)
+/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# Protect the repository root files
+/README.md @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+**/LICENSE @hashgraph/release-engineering @hashgraph/release-engineering-managers
+
+# CodeCov configuration
+**/codecov.yml @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+
+# Git Ignore definitions
+**/.gitignore @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
+**/.gitignore.* @hashgraph/release-engineering @hashgraph/release-engineering-managers @hashgraph/hedera-sdk @hashgraph/hedera-sdk-js-maintainers
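Review bot: The self-protection rule covers only `/CODEOWNERS`, but GitHub also reads a CODEOWNERS file from the `docs/` directory, so a `docs/CODEOWNERS` introduced in a pull request would fall under the default `*` rule and need only SDK-team approval; add `/docs/CODEOWNERS @hashgraph/release-engineering @hashgraph/release-engineering-managers` next to the existing line. `.github/CODEOWNERS` itself is already covered by the `/.github/` rule. Also note that none of these rules are enforced unless the branch protection for the protected branches requires review from code owners, which is configured outside this file and worth confirming alongside this change.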
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 033bb32ac..2b1ea4547 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -28,6 +28,11 @@ jobs:
 node: [ "16", "18" ]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -60,6 +65,11 @@ jobs:
 node: [ "16" ]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -104,7 +114,7 @@ jobs:
 run: |
 npx @hashgraph/hedera-local start -d --network-tag=0.49.7 --balance=100000
 # Wait for the network to fully start
- sleep 30
+ sleep 30
 - name: Run Hedera SDK Integration Tests Codecov
 if: ${{ steps.build-sdk.conclusion == 'success' && steps.start-local-node.conclusion == 'success' && !cancelled() && always() }}
diff --git a/.github/workflows/common_js.yml b/.github/workflows/common_js.yml
index 6807171e2..74c202ec9 100644
--- a/.github/workflows/common_js.yml
+++ b/.github/workflows/common_js.yml
@@ -27,6 +27,11 @@ jobs:
 node: [ "16", "18" ]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 1aba637c9..412878805 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
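Review bot: `egress-policy: audit` on the new Harden Runner step only records the job's outbound connections; it blocks nothing, so the step adds visibility but no enforcement for this job. That is a reasonable first rollout, but the intent should be written down so the audit phase does not quietly become permanent — a comment above the policy line such as `# audit first; switch to egress-policy: block with allowed-endpoints once the egress list is known` would do. The same applies to the identical hunks in build.yml @@ -60, common_js.yml, pages.yml, publish_release.yaml, react_native.yml and renovate.yml. Pinning the action to a full commit SHA with the `# v2.7.0` comment matches the existing checkout pin, which is the right form.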
@@ -17,6 +17,11 @@ jobs:
 name: Documentation
 runs-on: [self-hosted, Linux, medium, ephemeral]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
diff --git a/.github/workflows/publish_release.yaml b/.github/workflows/publish_release.yaml
index b5c8ef9c3..b76b7bc8e 100644
--- a/.github/workflows/publish_release.yaml
+++ b/.github/workflows/publish_release.yaml
@@ -32,6 +32,11 @@ jobs:
 prerelease: ${{ steps.tag.outputs.prerelease }}
 type: ${{ steps.tag.outputs.type }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -64,19 +69,19 @@ jobs:
 run: |
 REF_NAME="$(git describe --exact-match --tags $(git log -n1 --pretty='%h'))"
 IS_VALID_SEMVER="$(semver validate "${REF_NAME}")"
-
+
 if [[ "${IS_VALID_SEMVER}" != "valid" ]]; then
 echo "::error title=Invalid Tag::The tag '${REF_NAME}' is not a valid SemVer tag."
 exit 1
 fi
-
+
 RELEASE_VERSION="$(semver get release "${REF_NAME}")"
 PREREL_VERSION="$(semver get prerel "${REF_NAME}")"
 PREREL_VERSION_LC="$(printf "%s" "${PREREL_VERSION}" | tr '[:upper:]' '[:lower:]')"
 IS_PRERELEASE="false"
 [[ -n "${PREREL_VERSION}" ]] && IS_PRERELEASE="true"
-
+
 PREREL_TYPE="unknown"
 if [[ "${IS_PRERELEASE}" == "true" ]]; then
 if [[ "${PREREL_VERSION_LC}" =~ "beta" ]]; then
@@ -87,12 +92,12 @@ jobs:
 else
 PREREL_TYPE="production"
 fi
-
+
 FINAL_VERSION="${RELEASE_VERSION}"
 [[ -n "${PREREL_VERSION}" ]] && FINAL_VERSION="${RELEASE_VERSION}-${PREREL_VERSION}"
-
+
 TAG_NAME="v${FINAL_VERSION}"
-
+
 echo "name=${TAG_NAME}" >>"${GITHUB_OUTPUT}"
 echo "version=${FINAL_VERSION}" >>"${GITHUB_OUTPUT}"
 echo "prerelease=${IS_PRERELEASE}" >>"${GITHUB_OUTPUT}"
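Review bot: The pages.yml job runs on `[self-hosted, Linux, medium, ephemeral]`, and as far as I know the community harden-runner action is documented for GitHub-hosted runners, so whether it actually installs its agent and reports egress on these self-hosted ephemeral machines should be confirmed from a run's step summary before the audit output is relied on. The publish_release.yaml jobs in this diff use the same runner labels, as does renovate.yml. If the step turns out to be a no-op on this pool, a comment on it saying so would keep the workflow from implying coverage it does not have.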
@@ -105,7 +110,7 @@ jobs:
 echo "::error title=Version Mismatch::The version in package.json (${{ steps.npm-package.outputs.version }}) does not match the version in the tag (${{ steps.tag.outputs.version }})."
 exit 1
 fi
-
+
 if [[ "${{ steps.tag.outputs.type }}" != "production" && "${{ steps.tag.outputs.type }}" != "beta" ]]; then
 echo "::error title=Unsupported PreRelease::The tag '${{ steps.tag.outputs.name }}' is an unsupported prerelease tag. Only 'beta' prereleases are supported."
 exit 2
@@ -120,6 +125,11 @@ jobs:
 name: Safety Checks
 runs-on: [self-hosted, Linux, medium, ephemeral]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -150,6 +160,11 @@ jobs:
 - validate-release
 - run-safety-checks
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -209,7 +224,7 @@ jobs:
 PUBLISH_ARGS="--access public --no-git-checks"
 [[ "${{ github.event.inputs.dry-run-enabled }}" == "true" ]] && PUBLISH_ARGS="${PUBLISH_ARGS} --dry-run"
 [[ "${{ needs.validate-release.outputs.prerelease }}" == "true" ]] && PUBLISH_ARGS="${PUBLISH_ARGS} --tag ${{ needs.validate-release.outputs.type }}"
-
+
 echo "args=${PUBLISH_ARGS}" >>"${GITHUB_OUTPUT}"
 # Add the registry authentication stanza with variable substitution to the .npmrc configuration file.
 echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' >>".npmrc"
diff --git a/.github/workflows/react_native.yml b/.github/workflows/react_native.yml
index efb2a2c70..64130958a 100644
--- a/.github/workflows/react_native.yml
+++ b/.github/workflows/react_native.yml
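Review bot: The Harden Runner hunk at @@ -150,6 +160,11 @@ guards the publish job, and the context at the end of the @@ -209 hunk shows that job writing `${NPM_TOKEN}` into `.npmrc`; with `egress-policy: audit` nothing stops a compromised build-time dependency from sending that token to an arbitrary host, so this is the job where moving to `block` with an `allowed-endpoints` list (the npm registry and github.com at minimum, refined from the audit runs) pays off most. Prioritising that job over the test workflows would be a sensible follow-up to this commit. The step's `with:` block and the rest of the publish job lie outside the hunk.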
@@ -13,6 +13,10 @@ on:
 - develop
 - release/*
+defaults:
+ run:
+ shell: bash
+
 permissions:
 contents: read
@@ -21,6 +25,11 @@ jobs:
 name: Android
 runs-on: macos-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -77,6 +86,11 @@ jobs:
 name: iOS
 runs-on: macos-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 86ea2ba45..6edbe2ae0 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -4,6 +4,7 @@ on:
 # The "*" (#42, asterisk) character has special semantics in YAML, so this
 # string has to be quoted.
 - cron: '0 0 * * 0'
+ workflow_dispatch:
 defaults:
 run:
@@ -14,8 +15,13 @@ permissions:
 jobs:
 renovate:
- runs-on: ubuntu-latest
+ runs-on: [ self-hosted, Linux, medium, ephemeral ]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
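Review bot: Both react_native.yml Harden Runner hunks (@@ -21 and @@ -77) run on `macos-latest`, and as far as I know harden-runner's egress monitoring is implemented for Linux runners only, so on these jobs the step is likely a no-op that yields no audit data. Worth confirming from the step output of one run; if so, either drop the step from these two jobs or annotate it with `# no-op on macOS runners; kept for consistency with the Linux workflows` so readers do not assume coverage. The new `defaults.run.shell: bash` block at the top of the file matches the one already present in renovate.yml.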
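Review bot: In renovate.yml the new `runs-on: [ self-hosted, Linux, medium, ephemeral ]` pads the flow sequence with inner spaces, while pages.yml and publish_release.yaml in this same diff write `[self-hosted, Linux, medium, ephemeral]`; `runs-on: [self-hosted, Linux, medium, ephemeral]` would match the rest of the repository. Separately, Renovate normally runs with a token able to open pull requests, and the step's `with:` block is outside the hunk, so it is worth confirming that moving the job from `ubuntu-latest` onto the shared self-hosted pool was considered with that credential in mind; the `ephemeral` label limits how long anything left on the runner survives.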