ci: [2024-Q3] CI/CD Audit Story

rbarkerSL commented 3 months ago

Administrative Audit Criteria

Check Actions State

[ ] Actions are enabled
[ ] Actions are disabled

Check if Actions should be disabled

If actions have not been run in the previous 6 months they should be disabled:

[ ] Actions have run in the last 6 months and shall remain enabled
[ ] Actions have been disabled on the inactive repository

Repository Settings Checks

[ ] Repository settings are configured per organization standard
[ ] Individual branch protections are turned off
[ ] Individual tag protections are turned off
[ ] The repository uses the current rulesets
[ ] Teams are assigned to the repository
[ ] Individual contributors that are part of assigned teams are removed from contributors list
[ ] All webhooks present are needed and in use

App Integrations

If actions are enabled:

[ ] Dependabot is enabled on the repository
[ ] Codecov is enabled on the repository

Security Checks

[ ] Snyk is enabled on the repository
[ ] Dependabot is configured to monitor all relevant ecosystems
- npm
- electron
- github actions
- etc.
[ ] Secrets Management
- [ ] No hardcoded secrets in the workflow files or code
- [ ] GitHub secrets are employed to store sensitive data
- [ ] Secrets are referenced in CI via config files or environment variables
[ ] Tokens are stored securely as GitHub Secrets
[ ] Executable Path Integrity
- [ ] Integrity checks for executables are implemented
- integrity checks should use either checksums or cryptographic hashes for verification
- [ ] Checksums/hashes are verified during CI process to detect unathorized changes
- [ ] Expected checksums/hashes are stored securely and referenced through the CI pipeline
[ ] Code Coverage Reporting - Configure codecov on the repository
[ ] CodeQL is enabled on the repository
[ ] npx playwright install deps is used to install OS dependencies instead of aptitude
[ ] Code Formatting
- [ ] ESLint rules are applied to the codebase
- [ ] Prettier Formatting rules are applied to the codebase

Custom Properties

[ ] Custom properties: last-ci-review-by-team is set
[ ] Custom properties: last-ci-review-date is set (Use format: YYYY-MM-DD)

Non-Administrative Audit Criteria

Dependabot

[ ] dependabot.yml is up to date

Workflow checks

[x] Appropriate permissions are set within the github workflows
[x] All steps are named
[x] All workflow actions are using pinned commits
[x] The Step-Security Hardened Security action is enabled on each workflow job
[ ] Ensure no hard-coded keys in workflows
- [x] Alert devops-ci administrative team if new github secrets are needed to resolve hard-coded keys

Self Hosted Runners

[x] The Repository is using the latitude runner group label for the runs-on stanza

CODEOWNERS

[x] .github/CODEOWNERS is valid and up-to-date

Other

[ ] If Applicable: Alert repository owners of software versions that are no longer supported
[ ] If Applicable: Alert repository owners when software versions are within 3 months of losing support

Repository Settings

[x] Require contributors to sign off on web-based commits
[x] Features: Issues
[x] Features: Preserve this Repository
[x] Features: Discussions
[x] Features: Projects
[x] Pull Requests: Allow Squash Merging
[x] Pull Requests: Always suggest updating pull request branches
[x] Pull Requests: Automatically delete head branches
[x] Pushes: Limit how many branches and tags can be updated in a single push

Acceptance Criteria

[ ] All Audit Criteria have been met

mishomihov00 commented 2 weeks ago

@andrewb1269hg @rbarkerSL In the image-build.yaml workflow on line 51 there is a hard-coded key. Also dependabot.yaml is not created as I'm not sure if that's enough to enable dependabot checks on this repo.

mishomihov00 commented 2 weeks ago

Non-administrative checks are done. @andrewb1269hg assigning over to you.

hashgraph / hedera-json-rpc-relay