Merge pull request #68 from step-security-bot/stepsecurity_remediatio…

…n_1735287460

[StepSecurity] ci: Harden GitHub Actions

.github/workflows/ci.yaml

@@ -47,14 +47,19 @@ jobs:
             datastore: "elasticsearch:8.16.1"
 
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0
         with:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
 
-      - uses: KengoTODA/actions-setup-docker-compose@main
+      - uses: KengoTODA/actions-setup-docker-compose@a25fb82c577d314635e25bac72995718b9296dd2 # main
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -74,6 +79,11 @@ jobs:
     name: All CI Checks Passed
     needs: [ci-check]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
       - run: |
           result="${{ needs.ci-check.result }}"
           if [[ $result == "success" || $result == "skipped" ]]; then

.github/workflows/publish-site.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   publish-docs:
     runs-on: ubuntu-latest
@@ -17,11 +20,16 @@ jobs:
       group: ${{ github.workflow }}-${{ github.ref }}
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
     - name: Checkout the repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0
       with:
         ruby-version: "3.3"
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
@@ -31,7 +39,7 @@ jobs:
 
     - name: Deploy to GitHub Pages
       if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
       with:
         # The GitHub Actions runner automatically creates this `GITHUB_TOKEN` secret
         github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -81,7 +81,7 @@ jobs:
       # Note: this must come after we release the gem because it resets git back to the same SHA we started on
       # (before bumping the version), but the RubyGems release depends on the version having been bumped.
       - name: Create pull request for the version bump
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           branch: release-v${{ inputs.version }}
           title: "Release v${{ inputs.version }}"
@@ -91,7 +91,7 @@ jobs:
             - [ ] Review and edit the [GitHub Draft Release](https://github.com/${{ github.repository }}/releases) (can be done after this PR is merged)
 
       - name: Create GitHub Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
         with:
           draft: true
           generateReleaseNotes: true