sample-code-for-a-secure-vault-using-aws-nitro-enclaves/.github/workflows/secure_workflows.yml at fdc3f6f663b6dae3a92d038183033ff3fd11d08f · aws-samples/sample-code-for-a-secure-vault-using-aws-nitro-enclaves · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
name: Lockdown untrusted workflows

# PROCESS
#
# 1. Scans for any external GitHub Action being used without version pinning (@<commit-sha> vs @v3)
# 2. Scans for insecure practices for inline bash scripts (shellcheck)
# 3. Fail CI and prevent PRs to be merged if any malpractice is found

# USAGE
#
# Always triggered on new PR, PR changes and PR merge.

on:
  push:
    paths:
      - ".github/workflows/**"
  pull_request:
    paths:
      - ".github/workflows/**"

permissions:
  contents: read

jobs:
  enforce_pinned_workflows:
    name: Harden Security
    if: github.repository_owner == 'aws-samples'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
      - name: Ensure 3rd party workflows have SHA pinned
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0