security: harden OpenSSF Scorecard compliance

- Pin all GitHub Actions by SHA hash (Pinned-Dependencies) - Add top-level permissions: read-all (Token-Permissions) - Add explicit job-level permissions (least privilege) - Add OpenSSF Scorecard workflow with weekly schedule - Publish scorecard results to scorecard.dev and GitHub Security tab
2026-04-12 09:10:32 +00:00 · 2026-03-17 10:30:15 +00:00
parent 8646926294
commit 7df118d488
3 changed files with 76 additions and 42 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
  push:
    tags: ['v*']

+permissions: read-all
+
 env:
  REGISTRY: ghcr.io
  NORA: localhost:5000
@@ -18,7 +20,7 @@ jobs:
      packages: write

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set up Rust
        run: |
@@ -32,19 +34,19 @@ jobs:
          cp target/x86_64-unknown-linux-musl/release/nora ./nora

      - name: Upload binary artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        with:
          name: nora-binary-${{ github.run_id }}
          path: ./nora
          retention-days: 1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          driver-opts: network=host

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -53,7 +55,7 @@ jobs:
      # ── Alpine ───────────────────────────────────────────────────────────────
      - name: Extract metadata (alpine)
        id: meta-alpine
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -64,7 +66,7 @@ jobs:
            type=raw,value=latest

      - name: Build and push (alpine)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          file: Dockerfile
@@ -78,7 +80,7 @@ jobs:
      # ── RED OS ───────────────────────────────────────────────────────────────
      - name: Extract metadata (redos)
        id: meta-redos
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -90,7 +92,7 @@ jobs:
            type=raw,value=redos

      - name: Build and push (redos)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          file: Dockerfile.redos
@@ -104,7 +106,7 @@ jobs:
      # ── Astra Linux SE ───────────────────────────────────────────────────────
      - name: Extract metadata (astra)
        id: meta-astra
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: |
            ${{ env.NORA }}/${{ env.IMAGE_NAME }}
@@ -116,7 +118,7 @@ jobs:
            type=raw,value=astra

      - name: Build and push (astra)
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          file: Dockerfile.astra
@@ -165,7 +167,7 @@ jobs:
        run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT

      - name: Trivy — image scan (${{ matrix.name }})
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
        with:
          scan-type: image
          image-ref: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}${{ matrix.suffix }}
@@ -175,7 +177,7 @@ jobs:
          exit-code: 1

      - name: Upload Trivy image results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
        if: always()
        with:
          sarif_file: trivy-image-${{ matrix.name }}.sarif
@@ -190,14 +192,14 @@ jobs:
      packages: read

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Set version tag (strip leading v)
        id: ver
        run: echo "tag=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT

      - name: Download binary artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: nora-binary-${{ github.run_id }}
          path: ./artifacts
@@ -211,21 +213,21 @@ jobs:
          cat nora-linux-amd64.sha256

      - name: Generate SBOM (SPDX)
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
        with:
          image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
          format: spdx-json
          output-file: nora-${{ github.ref_name }}.sbom.spdx.json

      - name: Generate SBOM (CycloneDX)
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
        with:
          image: ${{ env.NORA }}/${{ env.IMAGE_NAME }}:${{ steps.ver.outputs.tag }}
          format: cyclonedx-json
          output-file: nora-${{ github.ref_name }}.sbom.cdx.json

      - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        with:
          generate_release_notes: true
          files: |