Skip to content

GitHub Audit

GitHub Audit #247

Workflow file for this run

on:
workflow_dispatch:
schedule:
# Audit repos twice a day.
- cron: '0 0,12 * * *'
name: GitHub Audit
jobs:
ghaudit:
runs-on: ubuntu-latest
permissions:
contents: read # To clone the repo
id-token: write # To federate with Octo STS
steps:
- name: Harden Runner
uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
with:
egress-policy: audit
- uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
id: octo-sts
with:
scope: ${{ github.repository_owner }}
identity: ghaudit
- name: Deploy Keys
uses: wolfi-dev/wolfi-act@main
env:
GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
with:
packages: ghaudit
command: ghaudit org -o ${{ github.repository_owner }} deploy-keys
- name: Branch Protections
uses: wolfi-dev/wolfi-act@main
env:
GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
with:
packages: ghaudit
command: ghaudit org -o ${{ github.repository_owner }} branch-protections
- name: Default Permissions
uses: wolfi-dev/wolfi-act@main
env:
GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
with:
packages: ghaudit
command: ghaudit org -o ${{ github.repository_owner }} default-permissions
- uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # v2.3.0
if: ${{ failure() }}
env:
SLACK_ICON: http://github.com/chainguard-dev.png?size=48
SLACK_USERNAME: guardian
SLACK_WEBHOOK: ${{ secrets.DISTROLESS_SLACK_WEBHOOK }}
SLACK_CHANNEL: '@mattmoor'
SLACK_COLOR: '#8E1600'
MSG_MINIMAL: 'true'
SLACK_TITLE: GitHub Audit of ${{ github.repository_owner }} failed.
SLACK_MESSAGE: |
For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}