[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

.github/dependabot.yml

@@ -0,0 +1,96 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /app
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /backend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /docker-extension
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /e2e-tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /frontend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /load-tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/app-menus
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/change-logo
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/cluster-chooser
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/details-view
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/dynamic-clusters
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/headlamp-events
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/pod-counter
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/sidebar
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/examples/tables
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/headlamp-plugin
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/headlamp-plugin/template
+    schedule:
+      interval: daily

.github/workflows/app-artifacts-linux.yml

@@ -18,14 +18,19 @@ jobs:
       actions: write # needed to upload artifacts
       contents: write
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         ref: ${{ github.event.inputs.buildBranch }}
     - name: Setup nodejs
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 20.x
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
     - name: App linux
@@ -35,21 +40,21 @@ jobs:
       run: |
         FILE_PATH=$(echo app/dist/Headlamp*x86_64*.AppImage); mv ${FILE_PATH} $(echo ${FILE_PATH}|sed s/x86_64/x64/)
     - name: Upload Tarball artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Tarballs
         path: ./app/dist/Headlamp*.tar.*
         if-no-files-found: error
         retention-days: 1
     - name: Upload AppImage artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: AppImages
         path: ./app/dist/Headlamp*.AppImage
         if-no-files-found: error
         retention-days: 1
     - name: Upload Debian artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Debian
         path: ./app/dist/headlamp*.deb

.github/workflows/app-artifacts-mac.yml

@@ -22,18 +22,23 @@ jobs:
       contents: read
       actions: write # needed to upload artifacts
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         ref: ${{ github.event.inputs.buildBranch }}
     - name: Setup nodejs
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 20.x
         cache: 'npm'
         cache-dependency-path: |
           app/package-lock.json
           frontend/package-lock.json
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
         cache-dependency-path: |
@@ -60,7 +65,7 @@ jobs:
       run: |
         xcrun stapler staple ./app/dist/Headlamp*.dmg
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
         path: ./app/dist/Headlamp*.dmg
@@ -74,25 +79,30 @@ jobs:
     needs: build-mac
     if: ${{ inputs.signBinaries }}
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         ref: ${{ github.event.inputs.buildBranch }}
     - name: Setup nodejs
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 18.x
         cache: 'npm'
         cache-dependency-path: |
           app/package-lock.json
           frontend/package-lock.json
     - name: Download artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: dmgs
         path: ./dmgs
     - name: Azure login
       if: ${{ inputs.signBinaries }}
-      uses: azure/login@v2
+      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
       with:
         client-id: ${{ secrets.WINDOWS_CLIENT_ID }}
         tenant-id: ${{ secrets. AZ_TENANT_ID }}
@@ -132,7 +142,7 @@ jobs:
         cd ./app/scripts
         node ./esrp.js apple-notarize ../../dmgs/
     - name: Upload Notarized
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
         path: ./dmgs/Headlamp*.dmg
@@ -147,16 +157,21 @@ jobs:
       contents: read
     if: ${{ inputs.signBinaries }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
     - name: Download artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: dmgs
         path: ./dmgs
     - name: Staple
       run: |
         xcrun stapler staple ./dmgs/Headlamp*.dmg
     - name: Upload Stapled
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: dmgs
         path: ./dmgs/Headlamp*.dmg

.github/workflows/app-artifacts-win.yml

@@ -23,34 +23,39 @@ jobs:
       actions: write # needed to upload artifacts
     runs-on: windows-2022
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         path: build-helper
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         repository: headlamp-k8s/headlamp
         ref: ${{ github.event.inputs.buildBranch }}
         path: headlamp
     - name: Setup nodejs
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: 20.x
         cache: 'npm'
         cache-dependency-path: |
           headlamp/app/package-lock.json
           headlamp/frontend/package-lock.json
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
         cache-dependency-path: |
           headlamp/backend/go.sum
     - name: Dependencies
-      uses: crazy-max/ghaction-chocolatey@v1
+      uses: crazy-max/ghaction-chocolatey@e80bd39bb49cae70b67ea53d52d00833a7255c21 # v1.7.0
       with:
         args: install make
     - name: Azure login
       if: ${{ inputs.signBinaries }}
-      uses: azure/login@v2
+      uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
       with:
         client-id: ${{ secrets.WINDOWS_CLIENT_ID }}
         tenant-id: ${{ secrets.AZ_TENANT_ID }}
@@ -89,7 +94,7 @@ jobs:
         make app-win
 
     - name: Upload artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: Win exes
         path: ./headlamp/app/dist/Headlamp*.*

.github/workflows/app.yml

@@ -28,12 +28,17 @@ jobs:
       matrix:
         node-version: [20.x]
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: ${{ matrix.node-version }}
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
     - name: App linux
@@ -45,16 +50,21 @@ jobs:
       matrix:
         node-version: [20.x]
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: ${{ matrix.node-version }}
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
     - name: Dependencies
-      uses: crazy-max/ghaction-chocolatey@v1
+      uses: crazy-max/ghaction-chocolatey@e80bd39bb49cae70b67ea53d52d00833a7255c21 # v1.7.0
       with:
         args: install make
     - name: App Windows
@@ -65,12 +75,17 @@ jobs:
       matrix:
         node-version: [20.x]
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
         node-version: ${{ matrix.node-version }}
-    - uses: actions/setup-go@v5
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.22.*'
     - name: Dependencies

.github/workflows/backend-test.yml

@@ -17,11 +17,16 @@ jobs:
     permissions:
       issues: write # needed for commenting on PRs for coverage changes
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.22.*'
 
@@ -31,7 +36,7 @@ jobs:
           go mod download
     
       - name: Start cluster
-        uses: medyagh/setup-minikube@latest
+        uses: medyagh/setup-minikube@d8c0eb871f6f455542491d86a574477bd3894533 # latest
 
       - name: Check cluster status and enable headlamp addon
         run: |