From 1463e5c2a487f0ae0e58bc6bd6d25f5fc5383a10 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 27 Dec 2024 08:17:42 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/ci.yaml | 16 +++++++++++++---
 .github/workflows/publish-site.yaml | 14 +++++++++++---
 .github/workflows/release.yaml | 4 ++--
 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1591a565..baf7c2cd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -47,14 +47,19 @@ jobs:
 datastore: "elasticsearch:8.16.1" steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0
 with: ruby-version: ${{ matrix.ruby }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically
- - uses: KengoTODA/actions-setup-docker-compose@main
+ - uses: KengoTODA/actions-setup-docker-compose@a25fb82c577d314635e25bac72995718b9296dd2 # main
 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -74,6 +79,11 @@ jobs:
 name: All CI Checks Passed needs: [ci-check] steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
 - run: | result="${{ needs.ci-check.result }}" if [[ $result == "success" || $result == "skipped" ]]; then
diff --git a/.github/workflows/publish-site.yaml b/.github/workflows/publish-site.yaml
index 36193f93..05199c83 100644
--- a/.github/workflows/publish-site.yaml
+++ b/.github/workflows/publish-site.yaml
@@ -5,6 +5,9 @@ on:
 branches: - main
+permissions:
+ contents: read
+
 jobs: publish-docs: runs-on: ubuntu-latest
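Review bot: `KengoTODA/actions-setup-docker-compose@a25fb82c577d314635e25bac72995718b9296dd2 # main` pins the head of a moving branch rather than a release, so the `# main` annotation gives update tooling nothing to track and the next automated bump will land on whatever `main` holds at that moment; if the action publishes tagged releases, pin to one and annotate it (`# vX.Y.Z`), otherwise record in the comment why a branch commit is used. `egress-policy: audit` on the new Harden Runner step only logs outbound connections and blocks nothing, so once the audit baseline has been reviewed it should be tightened to `egress-policy: block` with an `allowed-endpoints` list so that an unexpected destination fails the job. The same audit-only setting is added in the `@@ -74,6 +79,11 @@` hunk of this file and in the `@@ -17,11 +20,16 @@` hunk of publish-site.yaml; the all-checks job in particular runs only a shell step and appears to need no egress of its own.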
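Review bot: The new workflow-level `permissions: contents: read` conflicts with the Deploy to GitHub Pages step later in this file (`peaceiris/actions-gh-pages` with `github_token: ${{ secrets.GITHUB_TOKEN }}`), which pushes to the pages branch and therefore needs `contents: write`; unless the `publish-docs` job sets its own `permissions:` block outside this hunk, that push will be rejected once this lands. Keep the read-only default at workflow level and grant the write scope only on the job that needs it, e.g. under `publish-docs:` add `permissions:` / `contents: write`. The job body continues beyond this hunk, so check it for an existing job-level block before adding one.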
@@ -17,11 +20,16 @@ jobs:
 group: ${{ github.workflow }}-${{ github.ref }} steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+ with:
+ egress-policy: audit
+
 - name: Checkout the repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up Ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@bfefad842bb982ff05b233bcbc1571d97a87e69f # v1.206.0
 with: ruby-version: "3.3" bundler-cache: true # runs 'bundle install' and caches installed gems automatically
@@ -31,7 +39,7 @@ jobs:
 - name: Deploy to GitHub Pages if: github.event_name == 'push' && github.ref == 'refs/heads/main'
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
 with: # The GitHub Actions runner automatically creates this `GITHUB_TOKEN` secret github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2043ff0f..ec0382aa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -81,7 +81,7 @@ jobs:
 # Note: this must come after we release the gem because it resets git back to the same SHA we started on # (before bumping the version), but the RubyGems release depends on the version having been bumped. - name: Create pull request for the version bump
- uses: peter-evans/create-pull-request@v6
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with: branch: release-v${{ inputs.version }} title: "Release v${{ inputs.version }}"
@@ -91,7 +91,7 @@ jobs:
 - [ ] Review and edit the [GitHub Draft Release](https://github.com/${{ github.repository }}/releases) (can be done after this PR is merged) - name: Create GitHub Release
- uses: ncipollo/release-action@v1
+ uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
 with: draft: true generateReleaseNotes: true
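Review bot: release.yaml receives SHA pins here and in the `@@ -91,7 +91,7 @@` hunk but, unlike publish-site.yaml in this same commit, no explicit `permissions:` block, so the token these steps use keeps whatever the repository-wide default is; the diffstat shows ci.yaml was left the same way. If nothing outside these hunks already scopes the token, add a block that grants only what the two steps shown need — `contents: write` for `ncipollo/release-action` and for pushing the `release-v${{ inputs.version }}` branch, plus `pull-requests: write` for `peter-evans/create-pull-request` — and nothing else. The `# v6.1.0` and `# v1.14.0` annotations are what update tooling reads to propose the next pin, so they must be kept in step with the SHA on every bump. The surrounding job definition starts before this hunk and is not visible here.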