Skip to content

[StepSecurity] ci: Harden GitHub Actions#713

Merged
RalphHightower merged 1 commit intoRalphHightower:mainfrom
step-security-bot:stepsecurity_remediation_1737323803
Jan 19, 2025
Merged

[StepSecurity] ci: Harden GitHub Actions#713
RalphHightower merged 1 commit intoRalphHightower:mainfrom
step-security-bot:stepsecurity_remediation_1737323803

Conversation

@step-security-bot
Copy link
Copy Markdown
Contributor

@step-security-bot step-security-bot commented Jan 19, 2025

Summary

This pull request is created by StepSecurity at the request of @RalphHightower. Please merge the Pull Request to incorporate the requested changes. Please tag @RalphHightower on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Harden runner usage

You can find link to view insights and policy recommendation in the build log

Please refer to documentation to find more details.

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

RalphHightower
RalphHightower approved these changes Jan 19, 2025
View reviewed changes
Copy link
Copy Markdown
Owner

@RalphHightower RalphHightower left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@RalphHightower RalphHightower merged commit 7e1fac0 into RalphHightower:main Jan 19, 2025
@RalphHightower RalphHightower self-assigned this Jan 19, 2025
@RalphHightower RalphHightower added ossf OpenSSF is a community of software developers and security engineers step-security Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner labels Jan 19, 2025
@RalphHightower
Copy link
Copy Markdown
Owner

RalphHightower commented Jan 19, 2025 

Run bundle exec jekyll build --trace --incremental --baseurl "/blog"
  bundle exec jekyll build --trace --incremental --baseurl "/blog"
  shell: /usr/bin/bash -e {0}
  env:
    GITHUB_PAGES: true
    JEKYLL_ENV: production
    JEKYLL_GITHUB_TOKEN: 
    LOG_LEVEL: debug
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
Configuration file: /home/runner/work/blog/blog/_config.yml
            Source: /home/runner/work/blog/blog
       Destination: /home/runner/work/blog/blog/_site
 Incremental build: enabled
      Generating... 
  AI Related Posts: Creating cache [.ai_related_posts_cache.sqlite3]
bundler: failed to load command: jekyll (/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll)
/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_extension': libblas.so.3: cannot open shared object file: No such file or directory (RuntimeError)
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_vss'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:19:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:194:in `setup_database'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:19:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:193:in `block in generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:79:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:28:in `process_site'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:65:in `build'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:36:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `block in process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:18:in `block (2 levels) in init_with_program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `block in execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/program.rb:44:in `go'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary.rb:21:in `program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/exe/jekyll:15:in `<top (required)>'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `kernel_load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:23:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:455:in `exec'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/command.rb:28:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor.rb:527:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:35:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/base.rb:584:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:29:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:28:in `block in <top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/friendly_errors.rb:117:in `with_friendly_errors'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:20:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `<main>'
Error: Process completed with exit code 1.

@RalphHightower RalphHightower added the action – failure Failure during an Action label Jan 19, 2025
@github-actions github-actions bot deleted the stepsecurity_remediation_1737323803 branch September 14, 2025 06:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RalphHightower RalphHightower RalphHightower approved these changes

Assignees

@RalphHightower RalphHightower

Labels

action – failure Failure during an Action ossf OpenSSF is a community of software developers and security engineers step-security Secure your GitHub Actions with StepSecurity: Your Trusted CI/CD Security Partner

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@step-security-bot @RalphHightower