Addressing Security Concerns Raised by OpenSSF Scorecard

[NishkarshRaj]

Hey, I just made a Pull Request!

Added:

• Pinned Dependency to SHA level
• Permissions defined for GitHub Actions following PoLP

Note: This PR is modified version of #19249

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)
• All your commits have a Signed-off-by line in the message. (more info)

[github-actions]

Uffizzi Preview deployment-36570 was deleted.

[NishkarshRaj]

cc/ @adamdmharvey @Rugvip

[adamdmharvey]

Nice one!

As you can probably see, numerous E2E failures for the pipeline. I'm not familiar with the exact steps that the harden runner performs, but perhaps it's removing something the tests depend on? I wonder if you want to try maybe removing the harden step (like commenting it out) for the E2E action maybe causes it to run clean? if so then you can at least identify the root cause of the failure to focus more on what it does. (and then potentially split the PR into one that just does the version pin/permissions and another for harden? not sure!)

[NishkarshRaj]

Cheers for the inputs @adamdmharvey - was stuck in travelling hell past few days!

I'll rebase with master and let's see how it looks.

Post that will comment out harden runners changes.

[NishkarshRaj]

Wow! @adamdmharvey As soon as I tried commenting out the Harden runners, the docker registries are seemingly facing downtime!? 😭

Logs:

• https://github.com/backstage/backstage/actions/runs/6344165810/job/17233682142?pr=20090
• https://github.com/backstage/backstage/actions/runs/6344165814/job/17233682786?pr=20090

This is def not due to restricted permissions else we would have got 401/403 but getting 5xx

I'll recheck in a while!

[adamdmharvey]

Triggered a re-run of the failed actions; definitely passed the Docker step...

[NishkarshRaj]

Triggered a re-run of the failed actions; definitely passed the Docker step...

Cheers, 5xx must have been resolved - I'll re-trigger all pipelines and take it from there.

[NishkarshRaj]

@adamdmharvey Both E2E Testing failing due to this application level issue. This is outside scope of this PR as I've only updated the workflow files.

Any nudges on how to proceed?

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

[freben]

took the liberty of rebasing to see if builds are happier

[NishkarshRaj]

took the liberty of rebasing to see if builds are happier

Thanks @freben - only 2 failures remain but I can't make sense of these logs. Can you nudge what shall I change to proceed?

[freben]

We still have some remaining windows build issues, don't worry about those.

Why is the harden runner commented out everywhere?

[NishkarshRaj]

We still have some remaining windows build issues, don't worry about those.

Why is the harden runner commented out everywhere?

Was just checking if the failed pipelines are caused by Harden Runner - not really so I will be uncommenting them now.

Will commit and leave it to you guys for best next steps :)

[benjdlambert]

Looks like something has gone awry here with the rebase, could you rebase again to just have your commits in here @NishkarshRaj? 🙏

[NishkarshRaj]

Looks like something has gone awry here with the rebase, could you rebase again to just have your commits in here @NishkarshRaj? 🙏

Oh snap! I am on it :)

[NishkarshRaj]

@freben @benjdlambert : Fixed the rebase mistake, hope this works now.

[freben]

we've put a "merge after release" label on this so we can revisit merging it after the mainline release out of an abundance of caution against getting into release problems.