From 67bb85c6da78a41a2b58e00642fe290600b9545b Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 27 Oct 2023 13:04:40 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#54)
Signed-off-by: StepSecurity Bot
Signed-off-by: Ryan Parman
Co-authored-by: Ryan Parman
---
 .github/workflows/go-dep-submission.yml | 7 ++++++-
 .github/workflows/pr-dep-review.yml | 9 +++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/go-dep-submission.yml b/.github/workflows/go-dep-submission.yml
index fc72ff0d..23d2acb4 100644
--- a/.github/workflows/go-dep-submission.yml
+++ b/.github/workflows/go-dep-submission.yml
@@ -13,6 +13,11 @@ jobs:
 go-action-detection:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Source
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -25,7 +30,7 @@ jobs:
 cache: true
 - name: Run snapshot action
- uses: actions/go-dependency-submission@v1
+ uses: actions/go-dependency-submission@1694cb96294964b25b39ef4e8fa7430558d9bed9 # v1.0.3
 with:
 # Required: Define the repo path to the go.mod file used by the
 # build target
diff --git a/.github/workflows/pr-dep-review.yml b/.github/workflows/pr-dep-review.yml
index b00a9f79..95a27730 100644
--- a/.github/workflows/pr-dep-review.yml
+++ b/.github/workflows/pr-dep-review.yml
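Review bot: `egress-policy: audit` on the new Harden Runner step only records the job's outbound connections; it blocks nothing, so the step adds visibility but no enforcement on its own. The same setting is used in the pr-dep-review.yml hunk. Once the audit output shows which endpoints the go-action-detection job actually contacts, the step should be tightened to `egress-policy: block` with an explicit `allowed-endpoints:` list, and the `# v2.6.0` comment kept in sync with the SHA whenever the pin is moved so the human-readable version stays trustworthy. The job body continues outside the hunk.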
@@ -12,10 +12,15 @@ jobs:
 permissions:
 pull-requests: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Dependency Review
- uses: actions/dependency-review-action@v3
+ uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
 with:
 config-file: ./.github/dependency-review-config.yml
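Review bot: The now-pinned `actions/checkout` step still leaves the job token persisted in the checked-out repository's git config, which is the action's default and is not needed here. The checkout presumably exists only so the following step can read `config-file: ./.github/dependency-review-config.yml` from the workspace, so the credential has no use after the clone; adding `with:` / `persist-credentials: false` to that step keeps the token out of the workspace for the rest of the job. The job's `permissions:` block starts before the hunk, so whether it is scoped to the minimum the review action needs cannot be confirmed from here.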