From 2de2f7e0410093fd6ef56d428021477e51e0c1a2 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Sun, 12 Jan 2025 15:55:44 -0800 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#683) Signed-off-by: StepSecurity Bot --- .github/workflows/NewYearUpdateCopyright.yml | 2 +- .github/workflows/ci.yaml | 2 +- .github/workflows/codeql.yml | 8 ++++---- .github/workflows/dependency-review.yml | 2 +- .github/workflows/jekyll.yml | 20 +++++++++++++++----- .github/workflows/permission_advisor.yml | 4 ++-- .github/workflows/readme-checker.yml | 4 ++-- .github/workflows/release-please.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/scorecard.yml | 6 +++--- .github/workflows/semantic-release.yml | 2 +- .github/workflows/test.yml | 4 ++-- 12 files changed, 35 insertions(+), 25 deletions(-) diff --git a/.github/workflows/NewYearUpdateCopyright.yml b/.github/workflows/NewYearUpdateCopyright.yml index ff1ad88..d652ed1 100644 --- a/.github/workflows/NewYearUpdateCopyright.yml +++ b/.github/workflows/NewYearUpdateCopyright.yml @@ -13,7 +13,7 @@ jobs: issues: write steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 71551b0..94ff3de 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,7 +20,7 @@ jobs: JEKYLL_VERSION: ${{ matrix.jekyll }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 11bfe49..4feb6e4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -41,7 +41,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/autobuild@v2.20.1 + uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2.20.1 + uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2.20.1 + uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bfaf254..be79b46 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml index cb5a73d..bdda57d 100644 --- a/.github/workflows/jekyll.yml 
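Review bot: The step named "Initialize CodeQL" in the second hunk is re-pinned to `github/codeql-action/autobuild`, yet it passes `languages: ${{ matrix.language }}`, which is an input of the `init` action, not of `autobuild`; the pin preserves what looks like a pre-existing copy-paste error, and without an `init` step the following Autobuild and Analyze steps presumably have no CodeQL database to work on. Change that line to `uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1` (same commit, different sub-action) so the `languages` input is honoured. Separately, the pinned ref is the v2 major of codeql-action, which is an older line; confirm it is still supported and plan a move to the current major in a follow-up, re-pinning to that release's SHA. Keep the trailing `# vX.Y.Z` comment on every pin, as done here, so Dependabot/Renovate can track and bump the SHA.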
+++ b/.github/workflows/jekyll.yml @@ -31,17 +31,22 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup Ruby - uses: ruby/setup-ruby@v1.207.0 + uses: ruby/setup-ruby@4a9ddd6f338a97768b8006bf671dfbad383215f4 # v1.207.0 with: ruby-version: '3.3.6' # Not needed with a .ruby-version file bundler-cache: true # runs 'bundle install' and caches installed gems automatically cache-version: 1 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v5.0.0 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --trace --incremental --baseurl "${{ steps.pages.outputs.base_path }}" @@ -51,7 +56,7 @@ jobs: LOG_LEVEL: debug - name: Upload artifact # Automatically uploads an artifact from the './_site' directory by default - uses: actions/upload-pages-artifact@v3.0.1 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 # Deployment job deploy: @@ -61,6 +66,11 @@ jobs: runs-on: ubuntu-latest needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 + with: + egress-policy: audit + - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4.0.5 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 diff --git a/.github/workflows/permission_advisor.yml b/.github/workflows/permission_advisor.yml index a73e42d..3e2645e 100644 --- a/.github/workflows/permission_advisor.yml +++ b/.github/workflows/permission_advisor.yml 
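Review bot: Both Harden Runner steps added to the `build` and `deploy` jobs use `egress-policy: audit`, which only logs outbound connections and blocks nothing, whereas `ci.yaml` and `dependency-review.yml` in this same patch run with `disable-sudo: true` and `egress-policy: block`. Audit is a reasonable first pass for a job that runs `bundle install` and `jekyll build`, but the `deploy` job only runs `actions/deploy-pages` and is the one holding the deployment credentials, so it is the better candidate for `egress-policy: block` with an `allowed-endpoints` list derived from the audit output. Add a marker so the tightening is not forgotten, e.g. `egress-policy: audit  # TODO(security): switch to block + allowed-endpoints once audit data is reviewed`. Whether the jobs already declare least-privilege `permissions:` cannot be seen from this hunk (the job headers are outside it); verify that `deploy` has only `pages: write` and `id-token: write`.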
@@ -22,11 +22,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit - - uses: GitHubSecurityLab/actions-permissions/advisor@v1.0.2-beta5 + - uses: GitHubSecurityLab/actions-permissions/advisor@babd69bc8d78e6cdece903dfdcfb72d4e1a4f00d # v1.0.2-beta5 with: name: ${{ inputs.name }} count: ${{ inputs.count }} diff --git a/.github/workflows/readme-checker.yml b/.github/workflows/readme-checker.yml index 5b35329..3fc521d 100644 --- a/.github/workflows/readme-checker.yml +++ b/.github/workflows/readme-checker.yml @@ -9,14 +9,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checking markdown - uses: DavidAnson/markdownlint-cli2-action@v19.0.0 + uses: DavidAnson/markdownlint-cli2-action@a23dae216ce3fee4db69da41fed90d2a4af801cf # v19.0.0 with: globs: | *.md diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 92a0b99..8b201b1 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 687d853..d777aa5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -19,12 +19,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-node@v4.1.0 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: cache: npm node-version: lts/* diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 176aa59..369d457 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -15,7 +15,7 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit @@ -31,12 +31,12 @@ jobs: results_format: sarif publish_results: true - name: Upload artifact - uses: actions/upload-artifact@v4.6.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@v2.20.1 + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: sarif_file: results.sarif diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml index 8b5932c..6c4f757 100644 --- a/.github/workflows/semantic-release.yml +++ b/.github/workflows/semantic-release.yml @@ -41,7 +41,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 435ab19..e60f5ec 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
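Review bot: In the scorecard hunk, `github/codeql-action/upload-sarif` is pinned to the same v2.20.1 commit as in `codeql.yml`, which is an older major line of that action; the SHA pin is correct, but confirm v2 is still supported and track the move to the current major together with `codeql.yml` so the two workflows do not drift, re-pinning to the new release's SHA with a `# vX.Y.Z` trailer. The `release.yml` hunk on this line is fine as a pin; note that `node-version: lts/*` is a floating alias, so the toolchain itself is not reproducible even though the action is — acceptable for a release job only if that is intentional, otherwise pin a specific Node major, e.g. `node-version: 22`.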
@@ -34,7 +34,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit @@ -84,7 +84,7 @@ jobs: if: ${{ !cancelled() }} steps: - name: Harden Runner - uses: step-security/harden-runner@v2.10.3 + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 with: egress-policy: audit