From a97fb4e3b79ec4a7f21093705ba0fd35e298ab37 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 23 Nov 2023 05:12:17 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
.github/workflows/code-review.yml | 2 +-
.github/workflows/codeql-analysis.yml | 2 +-
.github/workflows/int.yml | 4 ++--
.github/workflows/scorecard-analysis.yml | 5 +++++
.github/workflows/test.yml | 5 +++++
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index d1c318c..d1d6642 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,5 +20,5 @@ jobs:
int.api.stepsecurity.io:443
- name: Code Review
- uses: step-security/ai-codewise@int
+ uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8220858..e6a5c5f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,7 +37,7 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- - uses: step-security/harden-runner@v1
+ - uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
with:
egress-policy: audit
- name: Checkout repository
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index cbcf9cb..4e0fd10 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -14,7 +14,7 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout
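Review bot: The trailing comment on the new `uses:` line in code-review.yml records a branch name rather than a release, so a maintainer reading `# int` cannot tell which state of the action the SHA `ab9fe138…` corresponds to, and tooling that maps a pinned SHA back to a tag has nothing to resolve. Because `int` is a moving branch, the pin freezes this workflow at whatever commit the branch head was on the day of this patch. If that is intended, say so in the comment, e.g. `uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int branch head as of 2023-11-23`; otherwise point the pin at a tagged release.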
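Review bot: The pinned `harden-runner` in codeql-analysis.yml stays on `# v1.5.0` (`2e205a28…`) while the int.yml hunk in this same patch, and the steps added to scorecard-analysis.yml and test.yml, pin `eb238b55…` `# v2.6.1`. Running two major versions of the same hardening action across one repository's workflows leaves two behaviours to reason about when reading their audit output, and only one of them will be picked up by a single version bump later. Unless this workflow relies on something specific to v1, align it with the others: `- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1`.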
@@ -33,6 +33,6 @@ jobs:
aws-region: us-west-2
- run: aws s3 cp ./agent s3://step-security-agent/refs/heads/int/agent --acl public-read
- name: Integration test
- uses: docker://ghcr.io/step-security/integration-test/int:latest
+ uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:947868b3c9f456695d89a06ef9c1a9194a579f0b2bd5a724a4b864b9a0d6787d
env:
PAT: ${{ secrets.PAT }}
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
index 4bcb2ce..0cd3a18 100644
--- a/.github/workflows/scorecard-analysis.yml
+++ b/.github/workflows/scorecard-analysis.yml
@@ -24,6 +24,11 @@ jobs:
contents: read
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
+
- name: "Checkout code"
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e19566c..23d0828 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,6 +13,11 @@ jobs:
contents: read
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
+
- name: Checkout
uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
- name: Set up Go
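Review bot: On the new `uses: docker://…int:latest@sha256:…` line in int.yml the digest is what gets pulled, so `latest` is now only a label and no longer tells the reader, or update tooling, which build the digest `947868b3…` was taken from. If the image is also published under a build- or commit-specific tag, reference that tag in front of the digest instead of `latest`; otherwise add a trailing YAML comment recording the origin, e.g. `# digest of int:latest as of 2023-11-23`, so the next person refreshing the digest knows what they are comparing against.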
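Review bot: The Harden Runner step added at the top of the scorecard-analysis.yml job, and the identical one in the test.yml hunk, both set `egress-policy: audit`, which records the job's outbound connections but does not block any of them, so these steps add visibility rather than enforcement. That is a reasonable first step for jobs whose network footprint is not yet known, but the intent is easy to misread as enforcement; a comment on the `egress-policy` line would prevent that, e.g. `# audit only — switch to egress-policy: block once the needed endpoints are known`. The code-review.yml hunk in this patch shows what appears to be an endpoint allow-list (`int.api.stepsecurity.io:443`) already in use elsewhere in the repository, so the stricter form has precedent here.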