From c3ced5bc9adcae16fda937e8a4eacea59865b5ea Mon Sep 17 00:00:00 2001 From: "stepsecurity-int[bot]" <185740846+stepsecurity-int[bot]@users.noreply.github.com> Date: Sun, 10 Aug 2025 18:46:29 +0000 Subject: [PATCH] Apply security best practicesSigned-off-by: StepSecurity Bot --- .github/workflows/canary.yml | 4 ++-- .github/workflows/code-review.yml | 2 +- .github/workflows/recurring-int-tests.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/runs-on.yml | 8 ++++---- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 1307ee8..fa1b753 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -37,13 +37,13 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0 env: PAT: ${{ secrets.PAT }} canary: true - name: Canary TLS test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0 env: PAT: ${{ secrets.PAT }} canary-tls: true diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index 0518582..fb0f5b2 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -20,4 +20,4 @@ jobs: int.api.stepsecurity.io:443 - name: Code Review - uses: step-security/ai-codewise@int + uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml index 20fc63a..540f2cb 100644 --- a/.github/workflows/recurring-int-tests.yml +++ b/.github/workflows/recurring-int-tests.yml @@ -18,7 +18,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0 env: PAT: ${{ secrets.PAT }} canary: true @@ -33,7 +33,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0 env: PAT: ${{ secrets.PAT }} canary-tls: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e27ded9..8f4d891 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,7 +40,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:75bdc1c208f62a44394a2d7c2bf0104f97095e2aecb92af0ded573f4d40113c0 env: PAT: ${{ secrets.PAT }} canary: true diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml index a233b74..d284d0c 100644 --- a/.github/workflows/runs-on.yml +++ b/.github/workflows/runs-on.yml @@ -14,7 +14,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc with: egress-policy: audit allowed-endpoints: > @@ -43,7 +43,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc with: egress-policy: block allowed-endpoints: > @@ -89,7 +89,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc with: egress-policy: audit allowed-endpoints: > @@ -137,7 +137,7 @@ jobs: - image=ubuntu24-stepsecurity-x64 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@97bbed2426f3310cf21ffa4c69621c6307aa8a4e # rc with: egress-policy: block allowed-endpoints: >