diff --git a/.github/workflows/commisery.yml b/.github/workflows/commisery.yml
index 4f83fb1..cea9cfc 100644
--- a/.github/workflows/commisery.yml
+++ b/.github/workflows/commisery.yml
@@ -21,8 +21,13 @@ jobs:
   commit-message:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Run Commisery
-        uses: tomtom-international/commisery-action@v2
+        uses: tomtom-international/commisery-action@33eb2d6e7dfc53e6d3d09ea20c639b8858f75021 # v2.19.3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           validate-pull-request: false
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index 9033ada..e4838f7 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -4,4 +4,9 @@ jobs:
   dco:
     runs-on: ubuntu-latest
     steps:
-      - uses: tisonkun/actions-dco@v1.1
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 031f510..693e5df 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
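Review bot: The Harden Runner step added at the top of the `commit-message` job uses `egress-policy: audit`, which only records outbound connections and blocks none, so it does not yet constrain what the pinned `commisery-action` can reach at run time; the identical steps added in dco.yml, lint.yml and test.yml have the same property. After a few runs have produced the audit report, moving to `egress-policy: block` with an `allowed-endpoints:` list is what turns this step into a control rather than telemetry. Separately, this job passes `secrets.GITHUB_TOKEN` to a third-party action, but unlike test.yml this hunk shows no top-level `permissions:` block; the top of the file is outside the hunk, so if none exists there, adding one scoped to what commisery actually needs would bound that token the same way the commit does for test.yml.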
@@ -5,16 +5,21 @@ jobs:
     name: Cargo clippy & fmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Rust toolchain
         run: rustup show && rustup update
       - name: cargo fmt
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: fmt
           args: -- --check
       - name: cargo clippy
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: clippy
           args: --all-features --tests -- -D warnings
@@ -23,14 +28,19 @@ jobs:
     name: Unused dependencies
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install nightly toolchain
-        uses: dtolnay/rust-toolchain@nightly
+        uses: dtolnay/rust-toolchain@53c04d3685fcc3ca67ce478eb9c2ea5c051a4a63 # nightly
       - name: Run cargo-udeps
-        uses: aig787/cargo-udeps-action@v1
+        uses: aig787/cargo-udeps-action@1cd634a329e14ccfbccfe7c96497d14dac24a743 # v1
         with:
           version: 'latest'
           args: '--all-targets'
@@ -39,8 +49,13 @@ jobs:
     name: Cargo Audit
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Install Cargo Audit
         run: cargo install cargo-audit
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7544d16..f0de988 100644
--- a/.github/workflows/test.yml
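Review bot: The two `actions-rs/cargo` pins in this hunk (and the one in test.yml) freeze a commit of an action whose upstream organisation is, as far as I know, archived and no longer maintained, so a SHA pin here can never be refreshed by Dependabot and the wrapper adds nothing the runner does not already have. Since the preceding `Setup Rust toolchain` step already makes cargo available, each of these steps can be a plain shell step, e.g. `- name: cargo fmt` / `  run: cargo fmt -- --check` and `- name: cargo clippy` / `  run: cargo clippy --all-features --tests -- -D warnings`, which removes one third-party dependency from the workflow outright. The job header for `Cargo clippy & fmt` sits before this hunk.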
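Review bot: Pinning `dtolnay/rust-toolchain@nightly` to a commit SHA in the `Unused dependencies` job changes what toolchain is selected, not only which action revision runs: as far as I recall this action derives the toolchain from its ref name when the `toolchain` input is not supplied, and after this change the ref is a commit hash rather than the `nightly` channel. Please verify on a run, or make the selection explicit on the same step with `with:` / `  toolchain: nightly`, which also keeps working if the action's fallback behaviour changes. The `version: 'latest'` input on the cargo-udeps step below is unchanged context, but it still fetches an unpinned cargo-udeps build at run time, so the SHA pin on that action does not pin the binary that actually runs. The `udeps` job definition begins before this hunk.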
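Review bot: In the `Cargo Audit` job the `cargo install cargo-audit` step is left as context, yet it is the one remaining run-time fetch in this workflow that is neither pinned nor lock-verified, which is the same drift the commit pins everywhere else, and in `audit` egress mode Harden Runner will only log that download. Pinning it is a one-line change, `run: cargo install cargo-audit --locked --version <PINNED_CARGO_AUDIT_VERSION>` (placeholder; pick the version you have verified), or the crate can be cached so the install does not re-resolve crates.io on every run. The job's remaining steps continue past the end of this hunk.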
+++ b/.github/workflows/test.yml
@@ -1,12 +1,20 @@
 name: Test
 on: [ push, pull_request ]
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: cargo test
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: test
           args: --all-features