From 2cb85a2eeb7b006e0a08c7f2cfcf0d2bcdaed760 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 22 Dec 2024 00:22:02 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/benchmarks.yml | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 540c57fe..88d7fb93 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -10,10 +10,18 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_PATCH_CRATES_IO_RSONPATH_LIB_GIT: https://github.com/V0ldek/rsonpath.git
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Force remove rsonpath-lib patch from Cargo.toml
         run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
@@ -36,7 +44,7 @@ jobs:
             target/
           key: cargo-${{ hashFiles('**/Cargo.toml') }}
       - name: Build all features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: build
           args: --all-features
@@ -47,6 +55,11 @@ jobs:
     name: Clippy (stable)
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Force remove rsonpath-lib patch from Cargo.toml
         run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
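Review bot: The workflow-level `permissions: contents: read` added in this hunk also scopes the `GITHUB_TOKEN` that the two Clippy jobs pass to `actions-rs/clippy-check` (hunks 4 and 6, `token: ${{ secrets.GITHUB_TOKEN }}`), and creating a check run needs, as far as I can tell, `checks: write`, which the new block no longer grants. Once this lands those steps are likely to fail with a permission error instead of posting annotations, and the hunk does not address that. I would keep the read-only default and grant the extra scope only on the two Clippy jobs, e.g. under each job header `permissions:` / `  contents: read` / `  checks: write` (the job headers themselves are outside these hunks). Alternatively replace the token-based action with `run: cargo clippy --all-features -- --deny warnings`, which removes the need for any write scope at all.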
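Review bot: Pinning `actions-rs/cargo` to a commit SHA in this hunk freezes its contents, but to my knowledge the actions-rs organisation has been archived for some time, so this pin (and the `actions-rs/clippy-check` and `actions-rs/toolchain` pins in hunks 4 and 6) locks in an unmaintained third-party action that will never receive runtime or security updates. The step is a thin wrapper around one command: `- name: Build all features` / `run: cargo build --all-features` does the same work with no external dependency, and the `RUSTFLAGS` env on the step still applies. The clippy and toolchain steps admit the same substitution (`cargo clippy --all-features -- --deny warnings`, `rustup toolchain install nightly --component clippy --component rustfmt` followed by `rustup default nightly`), which also shrinks the set of pinned SHAs that have to be kept current.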
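Review bot: `egress-policy: audit` in the Harden Runner step added to the Clippy (stable) job (and identically in hunks 1 and 5) only records outbound connections; it does not stop a compromised crate, build script or action from reaching an arbitrary host, so what this step adds today is observability rather than enforcement. After a few runs have populated the audit report, switch to `egress-policy: block` and list the hosts the job actually needs under `allowed-endpoints:` (for a cargo build and checkout that is presumably `github.com`, `index.crates.io` and `static.crates.io` — confirm against the audit output), so that unexpected egress fails the job. It would help to leave a comment on the step, e.g. `# audit only: review the Harden Runner report, then move to egress-policy: block`, so the follow-up is not forgotten.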
@@ -69,14 +82,14 @@ jobs:
             target/
           key: cargo-${{ hashFiles('**/Cargo.toml') }}
       - name: Build all features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: build
           args: --all-features
         env:
           RUSTFLAGS: "--deny warnings"
       - name: Clippy all features
-        uses: actions-rs/clippy-check@v1
+        uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # v1.0.7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           args: --all-features -- --deny warnings
@@ -87,6 +100,11 @@ jobs:
     name: Clippy (nightly)
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Force remove rsonpath-lib patch from Cargo.toml
         run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
@@ -109,21 +127,21 @@ jobs:
             target/
           key: cargo-${{ hashFiles('**/Cargo.toml') }}
       - name: Rustup nightly toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           toolchain: nightly
           components: clippy, rustfmt
           override: true
           default: true
       - name: Build all features
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: build
           args: --all-features
         env:
           RUSTFLAGS: "--deny warnings"
       - name: Clippy all features
-        uses: actions-rs/clippy-check@v1
+        uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # v1.0.7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           args: --all-features -- --deny warnings
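Review bot: In the Clippy (nightly) hunk the action is now pinned to a SHA while the toolchain it installs stays `toolchain: nightly`, which resolves to whatever nightly is current on the day the job runs, so the build inputs are still unpinned and a run can change behaviour (or start failing on a new lint) with no change to the repository. If reproducibility is part of the goal of this hardening, pin the nightly too, e.g. `toolchain: nightly-<YYYY-MM-DD>` (placeholder date), and bump it deliberately; if the intent really is to track the latest nightly, a comment such as `# intentionally unpinned: this job is meant to surface breakage on the newest nightly` on that line would make that explicit to the next reader.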