diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..bd62cc70
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,11 @@
+# Code Owners - Security Protection
+# Any changes to .github folder require approval from these users
+# This enforces that workflow/action changes must be reviewed
+
+# GitHub workflows and actions - Require security team approval
+/.github/workflows/ @vibhutikumar07 @yashmeet29
+/.github/actions/ @vibhutikumar07 @yashmeet29
+
+# All other .github files
+/.github/ @vibhutikumar07 @yashmeet29
+
diff --git a/.github/workflows/cfdeploy.yml b/.github/workflows/cfdeploy.yml
index d15aedad..db2f3f90 100644
--- a/.github/workflows/cfdeploy.yml
+++ b/.github/workflows/cfdeploy.yml
@@ -33,7 +33,10 @@ permissions:
 jobs:
 Deploy:
 runs-on: ubuntu-latest
- if: ${{ github.event.inputs.workflow_choice == 'Deploy' }}
+ # Security: Only run Deploy in original repo, not forks
+ if: |
+ github.repository == 'cap-java/sdm' &&
+ github.event.inputs.workflow_choice == 'Deploy'
 steps:
 - name: Checkout repository 📁
@@ -129,7 +132,10 @@ jobs:
 SnapshotDeploy:
 runs-on: ubuntu-latest
- if: ${{ github.event.inputs.workflow_choice == 'Snapshot Deploy' }}
+ # Security: Only run Snapshot Deploy in original repo, not forks
+ if: |
+ github.repository == 'cap-java/sdm' &&
+ github.event.inputs.workflow_choice == 'Snapshot Deploy'
 steps:
 - name: Checkout repository 📁
diff --git a/.github/workflows/internalArticatory.yml b/.github/workflows/internalArticatory.yml
index 5d3bf015..f6a50038 100644
--- a/.github/workflows/internalArticatory.yml
+++ b/.github/workflows/internalArticatory.yml
@@ -14,6 +14,8 @@ on:
 jobs:
 build-and-deploy-artifactory:
 runs-on: ubuntu-latest
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
 permissions:
 contents: read
 steps:
diff --git a/.github/workflows/main-build-and-deploy-oss.yml b/.github/workflows/main-build-and-deploy-oss.yml
index 30661c4f..fcc9f705 100644
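Review bot: The header comment `# This enforces that workflow/action changes must be reviewed` overstates what the file does: CODEOWNERS only requests the listed reviewers, and it blocks a merge only when the protected branch has "Require review from Code Owners" enabled, so that setting is the actual control and belongs in the comment, e.g. `# Enforced only when branch protection requires Code Owner review`. Because the last matching pattern wins, the trailing `/.github/` line already covers `/.github/workflows/` and `/.github/actions/` with the same owners, making those two lines redundant unless they are meant to carry different owners later. Two individual handles are also brittle — if either account leaves the organisation the pattern points at an unmatchable owner — so a team handle is the usual choice (constructed example: `@<org>/<team>`). A useful side effect worth keeping is that the file lives under `.github/` and therefore covers itself.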
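Review bot: The `github.repository == 'cap-java/sdm'` guard added to `Deploy` (and, identically, to `SnapshotDeploy` in the next hunk) stops a forked copy from running the job, but the `inputs.workflow_choice` reference suggests a `workflow_dispatch` trigger (the `on:` block is outside the hunk), where the remaining exposure is that anyone with write access can dispatch a production deploy with no second approver. The Maven Central job in `main-build-and-deploy-oss.yml` in this same commit pairs the guard with an `environment:` so that required reviewers and environment-scoped secrets can gate it; the two deploy jobs here would benefit from the same, e.g. `environment: <deploy-env-placeholder>` under each job. The `if: |` block scalar is accepted by Actions; `|-` would avoid the trailing newline, though it is harmless here. Both job bodies continue outside the hunks.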
--- a/.github/workflows/main-build-and-deploy-oss.yml
+++ b/.github/workflows/main-build-and-deploy-oss.yml
@@ -8,10 +8,16 @@ on:
 release:
 types: [ "released" ]
+permissions:
+ contents: write
+ packages: write
+
 jobs:
 update-version:
 runs-on: ubuntu-latest
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
 #needs: blackduck
 steps:
@@ -87,6 +93,15 @@ jobs:
 name: Deploy to Maven Central
 runs-on: ubuntu-latest
 needs: build
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
+ # Require manual approval before deploying to Maven Central
+ environment:
+ name: maven-central-production
+ url: https://central.sonatype.com/
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Download artifact
 uses: actions/download-artifact@v7
diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
index c031f2f4..3e011190 100644
--- a/.github/workflows/main-build.yml
+++ b/.github/workflows/main-build.yml
@@ -32,6 +32,8 @@ jobs:
 name: Update version
 runs-on: ubuntu-latest
 needs: [ build ]
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
 permissions:
 contents: write
 packages: write
diff --git a/.github/workflows/multiTenancyDeployLocal.yml b/.github/workflows/multiTenancyDeployLocal.yml
index 2cb1e8ea..3c2d2744 100644
--- a/.github/workflows/multiTenancyDeployLocal.yml
+++ b/.github/workflows/multiTenancyDeployLocal.yml
@@ -18,11 +18,14 @@ on:
 default: ''
 permissions:
+ contents: read
 pull-requests: read
 packages: read # Added permission to read packages
 jobs:
 deploy:
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/multiTenant_deploy_and_Integration_test.yml b/.github/workflows/multiTenant_deploy_and_Integration_test.yml
index d658af72..e4b031ff 100644
--- a/.github/workflows/multiTenant_deploy_and_Integration_test.yml
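Review bot: The workflow-level `permissions:` block grants `contents: write` and `packages: write` to every job that does not override it, and in this commit only the Maven Central job narrows `contents` back to `read`, so `update-version`, `build` and any other job in the file inherit write on both scopes. Least privilege at this level is a read-only default, `contents: read` / `packages: read`, with write added per job where a step actually pushes a commit or publishes a package, which is how `main-build.yml` scopes its Update version job later in this diff. Which jobs need which write scope is not visible here (the job bodies are outside the hunk), so the per-job grants need checking against the steps.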
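Review bot: `environment: name: maven-central-production` yields the manual approval the comment promises only if that environment exists in repository settings with required reviewers configured; the workflow file cannot declare the gate, and an environment referenced for the first time is created with no protection rules, so the job would run unattended. Spell that dependency out in the comment, e.g. `# Approval gate: 'maven-central-production' must have required reviewers configured in repo settings`, and consider moving whatever publishing secrets the steps read (outside the hunk) from repository to environment scope so the same gate also covers secret access. The job-level `permissions:` correctly narrows `contents` to `read`; whether `packages: write` is still required depends on the download and publish steps that follow the hunk.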
+++ b/.github/workflows/multiTenant_deploy_and_Integration_test.yml
@@ -15,7 +15,10 @@ permissions:
 jobs:
 deploy:
- if: github.event.pull_request.merged == true
+ # Security: Only run if PR merged AND not from a fork
+ if: |
+ github.event.pull_request.merged == true &&
+ github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml b/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml
index e00f7fe3..f3908c3c 100644
--- a/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml
+++ b/.github/workflows/multiTenant_deploy_and_Integration_test_LatestVersion.yml
@@ -10,13 +10,16 @@ on:
 workflow_dispatch:
 permissions:
+ contents: read
 pull-requests: read
 packages: read # Added permission to read packages
 jobs:
 deploy:
- #Run only if the triggering workflow concluded successfully
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+ # Security: Run only if workflow succeeded AND not from a fork
+ if: |
+ github.repository == 'cap-java/sdm' &&
+ (github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch')
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/singleTenant_deploy_and_Integration_test.yml b/.github/workflows/singleTenant_deploy_and_Integration_test.yml
index 341798b9..722a2ba4 100644
--- a/.github/workflows/singleTenant_deploy_and_Integration_test.yml
+++ b/.github/workflows/singleTenant_deploy_and_Integration_test.yml
@@ -14,7 +14,10 @@ permissions:
 jobs:
 deploy:
- if: github.event.pull_request.merged == true
+ # Security: Only run if PR merged AND not from a fork
+ if: |
+ github.event.pull_request.merged == true &&
+ github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 steps:
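Review bot: The `head.repo.full_name == github.repository` clause on `deploy` (and the identical one in the `singleTenant_deploy_and_Integration_test.yml` hunk further down) changes what gets deployed more than it reduces risk: with `merged == true` already required, the job runs on code that has landed on the base branch, so the clause now skips deployment for every reviewed PR that happened to come from a fork. Whether that is wanted depends on the `on:` block outside the hunk — on `pull_request` a fork-origin run has no repository secrets anyway, and on `pull_request_target` the risky case is an open PR, which `merged == true` already excludes — so the guard looks either redundant or an unannounced behaviour change. Note too that `head.repo` is `null` when the fork was deleted before the run, which makes the clause false and silently skips the deploy. If the intent is consistency with the other workflows, `github.repository == 'cap-java/sdm'` is the guard they use; if skipping fork-origin merges is really intended, say so in the comment, e.g. `# Skips deployment for PRs merged from forks`.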
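Review bot: The comment `# Security: Run only if workflow succeeded AND not from a fork` does not match the check: on a `workflow_run` trigger (implied by the `workflow_run.conclusion` reference; the `on:` block is only partly visible) the job always runs in the base repository with its secrets, so `github.repository` equals `'cap-java/sdm'` whether the upstream run was for a fork PR or not, and the new guard rejects only forked copies of the repository. The same applies to the `singleTenant_deploy_and_Integration_test_LatestVersion.yml` hunk below. The originating repository is in the event payload, so a real fork check is `(github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_repository.full_name == github.repository) || github.event_name == 'workflow_dispatch'`, keeping the repository guard in front of it. The job's steps are outside the hunk.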
diff --git a/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml b/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml
index 1c606ef1..838089ed 100644
--- a/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml
+++ b/.github/workflows/singleTenant_deploy_and_Integration_test_LatestVersion.yml
@@ -16,8 +16,10 @@ permissions:
 jobs:
 deploy:
- # Run only if the triggering workflow concluded successfully
- if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+ # Security: Run only if workflow succeeded AND not from a fork
+ if: |
+ github.repository == 'cap-java/sdm' &&
+ (github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch')
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/singleTenant_integration_test.yml b/.github/workflows/singleTenant_integration_test.yml
index 78974714..55f03425 100644
--- a/.github/workflows/singleTenant_integration_test.yml
+++ b/.github/workflows/singleTenant_integration_test.yml
@@ -11,8 +11,13 @@ on:
 description: 'Specify the branch to use for integration tests'
 required: true
+permissions:
+ contents: read
+
 jobs:
 integration-test:
+ # Security: Only run in original repo, not forks
+ if: github.repository == 'cap-java/sdm'
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false