From 3087eedf0e9fdd72eea7e0490cb6f6718e242b89 Mon Sep 17 00:00:00 2001 From: Nick Banks Date: Fri, 25 Mar 2022 14:00:06 -0400 Subject: [PATCH] Initial OSSF Scorecard Support (#817) * Initial OSSF Scorecard Support * Default some permissions to read * Try to default read-all instead Co-authored-by: Dave Thaler --- .github/workflows/bpf2c-test.yml | 9 ++-- .github/workflows/build.yml | 11 +++-- .github/workflows/codeql-analysis.yml | 11 +++-- .github/workflows/driver_test_vm.yml | 17 ++++--- .github/workflows/scorecards-analysis.yml | 54 +++++++++++++++++++++++ .github/workflows/update-docs.yml | 5 ++- 6 files changed, 88 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/scorecards-analysis.yml diff --git a/.github/workflows/bpf2c-test.yml b/.github/workflows/bpf2c-test.yml index 80ffe6f6b7..495c703336 100644 --- a/.github/workflows/bpf2c-test.yml +++ b/.github/workflows/bpf2c-test.yml @@ -5,12 +5,15 @@ name: "bpf2c-test" on: pull_request +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 with: submodules: 'recursive' @@ -31,11 +34,11 @@ jobs: working-directory: ${{env.GITHUB_WORKSPACE}} run: | rm -rf include/asm include/linux - + - name: Build & run tests working-directory: ${{env.GITHUB_WORKSPACE}} run: | cd tests/bpf2c_tests make ./bpf2c_tests -s - + diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47b82d1b63..9c8564c9ed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,6 +7,9 @@ name: MSBuild on: pull_request +permissions: + contents: read + jobs: build: strategy: 
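Review bot: The digest pins introduced on the `uses:` lines carry no comment recording which release each digest corresponds to, so a reader cannot tell that `actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5` is presumably the `v3` the removed line referenced without resolving the commit, and update tooling that keys on such a comment will not track these pins. Append the tag as a trailing comment on each pinned line, e.g. `- uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5  # v3`. The same applies to every `uses:` pin in this commit, in build.yml, codeql-analysis.yml, driver_test_vm.yml, scorecards-analysis.yml and update-docs.yml.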
@@ -25,12 +28,12 @@ jobs: BUILD_PLATFORM: x64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 with: submodules: 'recursive' - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1 + uses: microsoft/setup-msbuild@becb80cf9a036187bb1e07e74eb64e25850d757a - name: Install ProcDump64 working-directory: ${{env.GITHUB_WORKSPACE}} @@ -74,7 +77,7 @@ jobs: run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} /p:Analysis='True' ${{env.SOLUTION_FILE_PATH}} - name: Upload Build Output - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 with: name: Build x64 ${{ matrix.configurations }} path: ${{ github.workspace }}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}} @@ -93,7 +96,7 @@ jobs: run: if (Test-Path *.dmp) { exit 1 } - name: Upload any crash dumps - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 if: failure() with: name: Crash-Dumps-${{env.BUILD_PLATFORM}}-${{env.BUILD_CONFIGURATION}} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4e12a535c1..8e36f84ad0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '00 21 * * *' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -29,13 +32,13 @@ jobs: language: [ 'cpp' ] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 with: submodules: 'recursive' # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
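Review bot: `actions/upload-artifact` is pinned to three different digests in this commit: `27121b0bdffd` in the Upload Build Output and Upload any crash dumps steps here and in the Upload Build Output step of driver_test_vm.yml, `82c141cc518b` in the Upload log files step of driver_test_vm.yml, and `6673cd052c4c` in scorecards-analysis.yml. Likewise `actions/checkout` is `629c2de402a4` everywhere except scorecards-analysis.yml (`ec3a7ce11313`), and `github/codeql-action` is `883476649888` for init/analyze in codeql-analysis.yml but `f5d822707ee6` for upload-sarif. Divergent pins for one action mean a reviewer must vet several revisions instead of one and every future bump has to touch each file separately; settle on one digest per action and use it across all six workflows.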
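Review bot: The workflow-level `permissions: contents: read` added to codeql-analysis.yml leaves every scope not listed at none, and the Perform CodeQL Analysis step (`github/codeql-action/analyze@883476649888`, in a later hunk) uploads results to code scanning, which needs `security-events: write`. The `analyze` job's own `permissions` block, if it has one, falls between the visible hunks, so if the job does not already declare that scope the upload will fail under the new default. Confirm the job grants it, or give `analyze:` the same block the new scorecards job uses: `permissions:` with `security-events: write`, `actions: read` and `contents: read`.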
@@ -44,7 +47,7 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1 + uses: microsoft/setup-msbuild@becb80cf9a036187bb1e07e74eb64e25850d757a - name: Install LLVM and Clang working-directory: ${{env.GITHUB_WORKSPACE}} @@ -74,4 +77,4 @@ jobs: run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} ${{env.SOLUTION_FILE_PATH}} - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c diff --git a/.github/workflows/driver_test_vm.yml b/.github/workflows/driver_test_vm.yml index 65aee254cb..f0b401d8b2 100644 --- a/.github/workflows/driver_test_vm.yml +++ b/.github/workflows/driver_test_vm.yml @@ -11,6 +11,9 @@ name: Kernel_Test_VM on: pull_request +permissions: + contents: read + jobs: build_job: strategy: @@ -29,12 +32,12 @@ jobs: BUILD_PLATFORM: x64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 with: submodules: 'recursive' - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1 + uses: microsoft/setup-msbuild@becb80cf9a036187bb1e07e74eb64e25850d757a - name: Install LLVM and Clang working-directory: ${{env.GITHUB_WORKSPACE}} @@ -62,7 +65,7 @@ jobs: run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform=${{env.BUILD_PLATFORM}} ${{env.SOLUTION_FILE_PATH}} - name: Upload Build Output - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074 with: name: Build x64 ${{ matrix.configurations }} path: ${{ github.workspace }}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}} 
@@ -80,12 +83,12 @@ jobs: BUILD_PLATFORM: x64 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 with: ref: ${{ github.event.workflow_run.head_branch }} - name: Wait for build to succeed - uses: fountainhead/action-wait-for-check@v1.0.0 + uses: fountainhead/action-wait-for-check@507b029e31edbe1a72d4de429476e1f4efe98869 id: wait-for-build with: timeoutSeconds: 1500 @@ -96,7 +99,7 @@ jobs: - name: Download build artifact if: success() - uses: actions/download-artifact@v3 + uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: Build x64 ${{ matrix.configurations }} path: ${{ github.workspace }}/${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}} @@ -119,7 +122,7 @@ jobs: - name: Upload log files if: always() - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 with: name: Test-Logs-${{env.BUILD_PLATFORM}}-${{env.BUILD_CONFIGURATION}} path: ./${{env.BUILD_PLATFORM}}/${{env.BUILD_CONFIGURATION}}/TestLogs diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml new file mode 100644 index 0000000000..bf4c8c801d --- /dev/null +++ b/.github/workflows/scorecards-analysis.yml 
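Review bot: The Wait for build to succeed step (`fountainhead/action-wait-for-check@507b029e31ed`) queries the checks API, and the workflow-level `permissions: contents: read` added earlier in this file reduces every unspecified scope, `checks` included, to none. If that step authenticates with the default `GITHUB_TOKEN` (its `token` input is not visible in this hunk) it loses the `checks: read` it needs and the wait would fail or time out. Verify the job containing these steps (its header is outside the hunk) declares its own `permissions:` with `checks: read` and `contents: read`, or add a comment on the step stating which token it uses and why the default scopes suffice.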
@@ -0,0 +1,54 @@ +name: Scorecards + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + actions: read + contents: read + + steps: + - name: "Checkout code" + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@b614d455ee90608b5e36e3299cd50d457eb37d5f # Don't update this until they fix PR support + with: + results_file: results.sarif + results_format: sarif + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. + publish_results: ${{ github.event_name != 'pull_request' }} + + # Upload the results as artifacts (optional). + - name: "Upload artifact" + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f5d822707ee6e8fb81b04a5c0040b736da22e587 + with: + sarif_file: results.sarif diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index a5f7bf66b2..da442401a1 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml 
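Review bot: The workflow runs on `pull_request` for `main`, but `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` expands to an empty string on pull requests from forks, since repository secrets are not exposed to fork-triggered runs; on those PRs the Run analysis step would presumably fail or run with reduced checks, which the `# Don't update this until they fix PR support` comment hints at without stating. Either record the expectation in the comment above `repo_token`, or skip the step for fork PRs with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. Setting `persist-credentials: false` on the checkout step is the right call here, since the analysis authenticates with the PAT rather than the checkout token.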
@@ -18,9 +18,12 @@ on: push: branches: [ main ] +permissions: read-all jobs: build: + permissions: + contents: write # for Git to git push runs-on: ubuntu-latest steps: @@ -29,7 +32,7 @@ jobs: run: | sudo apt install doxygen - - uses: actions/checkout@v3 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 - name: Clone docs run: |
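Review bot: As far as the collapsed layout shows, `permissions: read-all` is inserted directly above `jobs:` with no blank line between the two top-level stanzas, whereas the `permissions` blocks added to the other five workflows in this commit are each followed by a blank line; add the blank line for consistency. The inline comment on `contents: write # for Git to git push` would be more useful if it named the step that needs the scope (presumably a later step of this job, outside the hunk), e.g. `contents: write  # the docs publish step pushes to the repository`, and inline comments conventionally get two spaces before `#`.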