[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
This commit is contained in:
StepSecurity Bot
2025-08-26 13:15:43 +00:00
parent 6088b9b37f
commit 6d521cf63a
3 changed files with 32 additions and 13 deletions

.github/dependabot.yml vendored Normal file

@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: docker
directory: /
schedule:
interval: daily
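Review bot: The new Dependabot config watches only the `docker` ecosystem, yet this same commit pins every `uses:` in the workflow to a commit SHA; without a `github-actions` entry nothing will ever advance those SHAs, so the pins freeze the actions at today's versions (several already sit on older majors, e.g. `actions/checkout` v3.6.0 and `actions/upload-artifact` v3.2.1 per the version comments in the workflow hunk). Add a second update block for the workflow files so the SHA pins receive bump PRs, and keep the `# vX.Y.Z` comment after each SHA, since that is what lets Dependabot recognise and rewrite the pin. If daily bumps are too noisy, `open-pull-requests-limit` on the entry is the knob to turn rather than dropping the ecosystem.
```yaml
updates:
# … unchanged: docker entry …
- package-ecosystem: github-actions
  directory: /
  schedule:
    interval: daily
```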


@@ -19,6 +19,9 @@ env:
IMAGE : ${{ github.repository_owner }}/openstreetmap-tile-server IMAGE : ${{ github.repository_owner }}/openstreetmap-tile-server
TAG : ${{ github.sha }} TAG : ${{ github.sha }}
permissions:
contents: read
jobs: jobs:
build: build:
@@ -37,24 +40,29 @@ jobs:
MOUNT : /data/database/ MOUNT : /data/database/
PLATFORM : linux/${{ matrix.arch }}${{ (matrix.variant != '' && format('/{0}', matrix.variant)) || '' }} PLATFORM : linux/${{ matrix.arch }}${{ (matrix.variant != '' && format('/{0}', matrix.variant)) || '' }}
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- -
name: Checkout name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- -
name: Set up QEMU name: Set up QEMU
uses: docker/setup-qemu-action@v2 uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
with: with:
platforms: ${{ matrix.arch }} platforms: ${{ matrix.arch }}
- -
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
- -
name: Environment name: Environment
run : | run : |
echo IMAGE=$(echo ${{ env.IMAGE }} | tr '[:upper:]' '[:lower:]') >>$GITHUB_ENV echo IMAGE=$(echo ${{ env.IMAGE }} | tr '[:upper:]' '[:lower:]') >>$GITHUB_ENV
- -
name: Docker build name: Docker build
uses: docker/build-push-action@v3 uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with: with:
pull : true pull : true
load : ${{ matrix.mode == 'build-and-test' }} load : ${{ matrix.mode == 'build-and-test' }}
@@ -91,7 +99,7 @@ jobs:
- -
name: Upload tiles name: Upload tiles
if : ${{ matrix.mode == 'build-and-test' }} if : ${{ matrix.mode == 'build-and-test' }}
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
with: with:
name: tiles name: tiles
path: '*.png' path: '*.png'
@@ -130,9 +138,14 @@ jobs:
- build - build
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- -
name: Checkout name: Checkout
uses: actions/checkout@v3 uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- -
name: Environment name: Environment
run : | run : |
@@ -141,7 +154,7 @@ jobs:
- -
name: Docker meta name: Docker meta
id: meta id: meta
uses: docker/metadata-action@v4 uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
with: with:
images: | images: |
${{ env.DOCKERHUB_IMAGE }} ${{ env.DOCKERHUB_IMAGE }}
@@ -153,29 +166,29 @@ jobs:
type=semver,pattern={{major}} type=semver,pattern={{major}}
- -
name: Set up QEMU name: Set up QEMU
uses: docker/setup-qemu-action@v2 uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
with: with:
platforms: amd64,arm64 platforms: amd64,arm64
- -
name: Set up Docker Buildx name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2 uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
- -
name: Login to DockerHub name: Login to DockerHub
uses: docker/login-action@v2 uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
if: ${{ env.DOCKERHUB_IMAGE != '' }} if: ${{ env.DOCKERHUB_IMAGE != '' }}
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
- -
name: Login to GHCR name: Login to GHCR
uses: docker/login-action@v2 uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with: with:
registry : ghcr.io registry : ghcr.io
username : ${{ github.repository_owner }} username : ${{ github.repository_owner }}
password : ${{ secrets.GITHUB_TOKEN }} password : ${{ secrets.GITHUB_TOKEN }}
- -
name: Build and push name: Build and push
uses: docker/build-push-action@v3 uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
with: with:
pull : true pull : true
push : true push : true
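Review bot: The workflow-level `permissions: contents: read` added in the first hunk narrows `GITHUB_TOKEN` for every job, but the publish job in this last hunk still logs into ghcr.io with `password: ${{ secrets.GITHUB_TOKEN }}` and runs `build-push-action` with `push: true`; with only `contents: read` the token carries no `packages: write` scope, so the GHCR push should be expected to fail with a 403 unless that job declares its own permissions somewhere outside these hunks (the job header is not visible here). The fix is a job-level override on the publish job, `permissions:` / `  contents: read` / `  packages: write`, which keeps the workflow default read-only while granting only what the push needs. Separately, `egress-policy: audit` only logs outbound connections; once the audit runs show the expected hosts it is worth moving to `block` with an `allowed-endpoints` list so a compromised action or build dependency cannot exfiltrate the DockerHub credentials. Note also that the pins land on older majors (`actions/upload-artifact` v3.2.1, `actions/checkout` v3.6.0); to my knowledge upload-artifact v3 has been deprecated by GitHub, so that pin should be bumped to a current major rather than only hashed.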


@@ -1,4 +1,4 @@
FROM ubuntu:22.04 AS compiler-common FROM ubuntu:22.04@sha256:1aa979d85661c488ce030ac292876cf6ed04535d3a237e49f61542d8e5de5ae0 AS compiler-common
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
ENV LANG C.UTF-8 ENV LANG C.UTF-8
ENV LC_ALL C.UTF-8 ENV LC_ALL C.UTF-8
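Review bot: The digest appended to the `ubuntu:22.04` base must be the multi-arch manifest-list digest, not a single-platform image digest: the release workflow builds `platforms: amd64,arm64`, and a digest resolving to only one architecture would make the other platform's build fail or pull the wrong image; confirm with `docker buildx imagetools inspect ubuntu:22.04@sha256:1aa979d8…` that both platforms are listed. The stage is named `compiler-common`, which suggests further `FROM` lines later in the Dockerfile that lie outside this hunk; if any of them also start from `ubuntu:22.04` they should carry the same `@sha256:` pin, otherwise the stages can drift apart on the next tag re-push. Keeping `22.04` alongside the digest, as done here, is correct since Dependabot's docker updater uses the tag to locate the replacement digest.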