Add semver-checks.yml

[atuchin-m]

No description provided.

[github-actions]

_{reported by reviewdog 🐶}
[opengrep] GitHub Actions workflow is missing permissions declaration at the top-level or job-level.

Without explicit permissions, workflows may have excessive default permissions, violating the principle of least privilege.

According to GitHub's security best practices, you should explicitly define permissions to limit the scope of access tokens.

Valid permission scopes include: actions, attestations, checks, contents, deployments, discussions, id-token, issues, models, packages, pages, pull-requests, security-events, statuses

👍 Good examples:

Top-level: permissions: { contents: read, pull-requests: write }
Job-level: jobs: build: permissions: { contents: read }
Restrict all: permissions: {}

👎 Bad:

No permissions defined in the workflow

GitHub Security Hardening Guide


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/services/github-workflow-missing-permissions.yaml


Cc @thypon @kdenhartog

[atuchin-m]

@copilot address this issue

[github-actions]

Rust Benchmark

Details

Benchmark suite	Current: 9ba405c	Previous: c7c016b	Ratio
rule-match-browserlike/brave-list	2047306802 ns/iter (± 7739172)	2059112104 ns/iter (± 14380306)	0.99
rule-match-first-request/brave-list	1126247 ns/iter (± 5895)	1128955 ns/iter (± 15454)	1.00
blocker_new/brave-list	133011887 ns/iter (± 523060)	133117055 ns/iter (± 864705)	1.00
blocker_new/brave-list-deserialize	24861846 ns/iter (± 160023)	24527922 ns/iter (± 1344591)	1.01
memory-usage/brave-list-initial	10213344 ns/iter (± 3)	10213344 ns/iter (± 3)	1
memory-usage/brave-list-initial/max	60612235 ns/iter (± 3)	60612235 ns/iter (± 3)	1
memory-usage/brave-list-initial/alloc-count	996170 ns/iter (± 3)	996170 ns/iter (± 3)	1
memory-usage/brave-list-1000-requests	2282164 ns/iter (± 3)	2282164 ns/iter (± 3)	1
memory-usage/brave-list-1000-requests/alloc-count	69311 ns/iter (± 3)	69311 ns/iter (± 3)	1
url_cosmetic_resources/brave-list	191205 ns/iter (± 1839)	192211 ns/iter (± 1001)	0.99
cosmetic-class-id-match/brave-list	3382533 ns/iter (± 911542)	3381021 ns/iter (± 948271)	1.00

This comment was automatically generated by workflow using github-action-benchmark.

[Copilot]

@atuchin-m I've opened a new pull request, #570, to work on those changes. Once the pull request is ready, I'll request review from you.

[antonok-edm]

the author of cargo-semver-checks is also the author of cargo-semver-checks-action, does it make more sense to use that directly?

[github-actions]

_{reported by reviewdog 🐶}
[opengrep] An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA or is missing the semver reference comment

You can use pinact - https://github.com/suzuki-shunsuke/pinact - to pin them

👍

uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1

👎

uses: actions/cache@v3
uses: actions/cache@v3.3.1

GHA Policies


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml


Cc @thypon @kdenhartog

[atuchin-m]

it's pinned by fullhash. False positive?

[atuchin-m]

@kdenhartog @thypon
Could you take a look? Does using this action looks good in terms of security?

[kdenhartog]

Double checked this PR with pinact and not seeing any issues - LGTM