diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 2e2ac9f..de983a1 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -12,6 +12,9 @@ defaults: run: shell: pwsh +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: update_tag: name: Update the rc tag to ${{ github.event.inputs.COMMIT_SHA }} commit diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6ea6456..c6c9640 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '17 0 * * 2' +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: analyze: name: Analyze @@ -37,12 +40,17 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +61,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +75,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml index c268cc9..4a5e07c 100644 --- a/.github/workflows/recurring-int-tests.yml +++ b/.github/workflows/recurring-int-tests.yml @@ -12,6 +12,11 @@ jobs: name: int tests runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Canary test uses: docker://ghcr.io/step-security/integration-test/int:latest env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c6d445f..08f5e2e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,9 @@ defaults: run: shell: pwsh +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: update_tag: name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes @@ -28,7 +31,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@v2 + - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - name: Update the rc tag uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d with: