diff --git a/.github/workflows/acceptance-workflow.yml b/.github/workflows/acceptance-workflow.yml
index 2ec6bb5ec..5849bcc3a 100644
--- a/.github/workflows/acceptance-workflow.yml
+++ b/.github/workflows/acceptance-workflow.yml
@@ -43,7 +43,7 @@ jobs: runs-on: smart-contracts-linux-large timeout-minutes: 50 permissions: - contents: write + contents: read actions: read # issues: read env:
diff --git a/.github/workflows/charts.yml b/.github/workflows/charts.yml
index 23eefb23f..6aeff96c1 100644
--- a/.github/workflows/charts.yml
+++ b/.github/workflows/charts.yml
@@ -11,6 +11,9 @@ concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: lint: runs-on: smart-contracts-linux-medium
diff --git a/.github/workflows/conformity-workflow.yml b/.github/workflows/conformity-workflow.yml
index 4da57bc94..8d91d51c7 100644
--- a/.github/workflows/conformity-workflow.yml
+++ b/.github/workflows/conformity-workflow.yml
@@ -7,6 +7,9 @@ on: branches: [main, release/**] tags: [v*] +permissions: + contents: read + jobs: clone-and-build-execution-apis: runs-on: smart-contracts-linux-medium
diff --git a/.github/workflows/dapp.yml b/.github/workflows/dapp.yml
index 3d85f22ce..308905f62 100644
--- a/.github/workflows/dapp.yml
+++ b/.github/workflows/dapp.yml
@@ -11,6 +11,9 @@ concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: setup-local-hedera: name: Dapp Tests
diff --git a/.github/workflows/dev-tool-workflow.yml b/.github/workflows/dev-tool-workflow.yml
index ed267085a..94bfd3a69 100644
--- a/.github/workflows/dev-tool-workflow.yml
+++ b/.github/workflows/dev-tool-workflow.yml
@@ -10,6 +10,9 @@ on: required: true type: string +permissions: + contents: read + jobs: dev-tool-workflow: runs-on: smart-contracts-linux-medium 
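Review bot: A workflow-level `permissions:` block that names only `contents: read` sets every other GITHUB_TOKEN scope to `none`, so any job in these workflows that still relied on the default token for a write (for example `packages: write` to push to ghcr.io, or `pull-requests: write` to comment on a PR) now needs a job-level override, and none of the hunks shows one — the job bodies are outside them. The same addition appears in charts.yml here and in conformity-workflow.yml, dapp.yml, dev-tool-workflow.yml, flow-pr-title-check.yml, image-build.yml, postman.yml, release-acceptance.yml, release-integration.yml, release-production.yml and subgraph.yml. The ones most likely to be affected are release-integration.yml (`REGISTRY: ghcr.io`, job `publish`) and release-production.yml (`REGISTRY: ghcr.io`, job `docker-image-publish`): if those jobs log in to the registry with `GITHUB_TOKEN`, the push will be refused unless the job declares `packages: write` alongside `contents: read`; if they use a stored registry credential instead, nothing changes. Worth one run of each release workflow before this lands.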
diff --git a/.github/workflows/flow-pr-title-check.yml b/.github/workflows/flow-pr-title-check.yml
index 12f91883a..f6e858291 100644
--- a/.github/workflows/flow-pr-title-check.yml
+++ b/.github/workflows/flow-pr-title-check.yml
@@ -28,6 +28,9 @@ defaults: run: shell: bash +permissions: + contents: read + concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
index 5c20840a9..127d80898 100644
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -7,6 +7,9 @@ on: env: OWNER: hashgraph +permissions: + contents: read + jobs: build: runs-on: smart-contracts-linux-medium
diff --git a/.github/workflows/postman.yml b/.github/workflows/postman.yml
index c38598e80..06ef48641 100644
--- a/.github/workflows/postman.yml
+++ b/.github/workflows/postman.yml
@@ -11,6 +11,9 @@ concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true +permissions: + contents: read + jobs: setup-local-hedera: name: Postman Endpoint Tests
diff --git a/.github/workflows/pr-label-milestone-check.yml b/.github/workflows/pr-label-milestone-check.yml
index 94191f1e4..ed23b8487 100644
--- a/.github/workflows/pr-label-milestone-check.yml
+++ b/.github/workflows/pr-label-milestone-check.yml
@@ -6,9 +6,14 @@ on: jobs: check_pr: - runs-on: ubuntu-latest + runs-on: smart-contracts-linux-medium steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2.7.0
diff --git a/.github/workflows/release-acceptance.yml b/.github/workflows/release-acceptance.yml
index cab5f2df7..5a293dee3 100644
--- a/.github/workflows/release-acceptance.yml
+++ b/.github/workflows/release-acceptance.yml 
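Review bot: `egress-policy: audit` on the new Harden Runner step in pr-label-milestone-check.yml only records outbound connections; it blocks nothing, so the step observes rather than hardens until the policy is tightened. If enforcement is the goal, the usual sequence is one run in audit mode, then `egress-policy: block` with an `allowed-endpoints:` list built from that report. Separately, this is the only workflow in the diff that does not receive a top-level `permissions:` block, so `check_pr` keeps whatever default token scopes the repository grants; if the job only reads the PR, `permissions: pull-requests: read` (plus `contents: read` for the checkout) would bring it in line with the other files — hedged, since the steps that use the token are outside the hunk.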
@@ -13,6 +13,9 @@ on: required: true default: 'v0.40.0' +permissions: + contents: read + jobs: release-acceptance-test: runs-on: smart-contracts-linux-medium 
@@ -26,21 +29,24 @@ jobs: egress-policy: audit - name: Authenticate + env: + HEDERA_PORTAL_USER: ${{ secrets.HEDERA_PORTAL_USER }} + HEDERA_PORTAL_PASSWORD: ${{ secrets.HEDERA_PORTAL_PASSWORD }} run: | - RESPONSE=$(jq --null-input -r --arg USER "${{ secrets.HEDERA_PORTAL_USER }}" --arg PASS "${{ secrets.HEDERA_PORTAL_PASSWORD }}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session) - echo "::add-mask::$RESPONSE" - echo "The response was: $RESPONSE" - ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)" - echo "::add-mask::$ACCOUNTS_JSON" - TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum') - echo "The testnet account is: $TESTNET_ACCOUNT" - PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey') - echo "The publicKey is: $PUBLIC_KEY" - PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey') - echo "::add-mask::$PRIVATE_KEY" - echo "The privateKey is: $PRIVATE_KEY" - echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV - echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV + RESPONSE=$(jq --null-input -r --arg USER "${HEDERA_PORTAL_USER}" --arg PASS "${HEDERA_PORTAL_PASSWORD}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session) + echo "::add-mask::$RESPONSE" + echo "The response was: $RESPONSE" + ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)" + echo "::add-mask::$ACCOUNTS_JSON" + TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum') + echo "The 
testnet account is: $TESTNET_ACCOUNT" + PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey') + echo "The publicKey is: $PUBLIC_KEY" + PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey') + echo "::add-mask::$PRIVATE_KEY" + echo "The privateKey is: $PRIVATE_KEY" + echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV + echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV - name: Setup node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
diff --git a/.github/workflows/release-integration.yml b/.github/workflows/release-integration.yml
index bf9023218..d756cd9c3 100644
--- a/.github/workflows/release-integration.yml
+++ b/.github/workflows/release-integration.yml
@@ -9,6 +9,9 @@ env: OWNER: hashgraph REGISTRY: ghcr.io +permissions: + contents: read + jobs: publish: runs-on: smart-contracts-linux-medium
diff --git a/.github/workflows/release-production.yml b/.github/workflows/release-production.yml
index 5cc1f6ce0..894cb29ae 100644
--- a/.github/workflows/release-production.yml
+++ b/.github/workflows/release-production.yml
@@ -9,6 +9,9 @@ env: PACKAGE_NAME: hedera-json-rpc-relay REGISTRY: ghcr.io +permissions: + contents: read + jobs: docker-image-publish: runs-on: smart-contracts-linux-medium
diff --git a/.github/workflows/subgraph.yml b/.github/workflows/subgraph.yml
index f36676ad2..310358744 100644
--- a/.github/workflows/subgraph.yml
+++ b/.github/workflows/subgraph.yml
@@ -10,6 +10,9 @@ on: concurrency: group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true + +permissions: + contents: read jobs: subgraph-workflow:
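Review bot: The new `run:` body in release-acceptance.yml still prints the portal private key with `echo "The privateKey is: $PRIVATE_KEY"` and the session body with `echo "The response was: $RESPONSE"`; both rely on the preceding `::add-mask::` line, and `::add-mask::` only handles a single-line value — if the portal ever returns pretty-printed JSON, every line after the first is written to the log unmasked at the mask line itself, and the later echo prints it again. I cannot tell from the hunk whether the responses are single-line, so the safe change is to drop both informational echoes and keep only the masks. Neither `curl -sSL` call passes `--fail`, so an HTTP 4xx/5xx from `/api/session` or `/api/account` yields an empty cookie jar or error body that `jq` turns into `null`, and the step continues with empty operator values instead of stopping. `echo $ACCOUNTS_JSON | jq` is unquoted, so the JSON goes through word splitting and glob expansion before jq sees it; a here-string `<<< "$ACCOUNTS_JSON"` avoids that. Moving the secrets from `${{ }}` interpolation into `env:` is the right fix for the script-injection side and is kept as is below.
```yaml
      - name: Authenticate
        # … unchanged: env block with HEDERA_PORTAL_USER / HEDERA_PORTAL_PASSWORD …
        run: |
          RESPONSE=$(jq --null-input -r --arg USER "${HEDERA_PORTAL_USER}" --arg PASS "${HEDERA_PORTAL_PASSWORD}" '{"email": $USER, "password": $PASS}' | curl -sSL --fail -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session)
          echo "::add-mask::$RESPONSE"
          ACCOUNTS_JSON="$(curl -sSL --fail -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)"
          echo "::add-mask::$ACCOUNTS_JSON"
          TESTNET_ACCOUNT=$(jq -r '.accounts[] | select(.network=="testnet") | .accountNum' <<< "$ACCOUNTS_JSON")
          echo "The testnet account is: $TESTNET_ACCOUNT"
          PUBLIC_KEY=$(jq -r '.accounts[] | select(.network=="testnet") | .publicKey' <<< "$ACCOUNTS_JSON")
          echo "The publicKey is: $PUBLIC_KEY"
          PRIVATE_KEY=$(jq -r '.accounts[] | select(.network=="testnet") | .privateKey' <<< "$ACCOUNTS_JSON")
          echo "::add-mask::$PRIVATE_KEY"
          echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> "$GITHUB_ENV"
          echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> "$GITHUB_ENV"
```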
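Review bot: In subgraph.yml the added blank line sits above `permissions:` instead of below it, so `contents: read` runs straight into `jobs:` with no separator, unlike every other file in this diff where the blank line follows the block. Moving the blank line keeps the layout consistent: `permissions:` / `  contents: read` / blank / `jobs:`.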