Add Step Security Hardening auditing for GHA runners

.github/workflows/auto-merge-dependabot-workflow.yaml

@@ -15,6 +15,14 @@ jobs:
       is_bot1: ${{ github.actor == 'dependabot[bot]' }}
       is_bot2: ${{ github.actor == 'dependabot-preview[bot]' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          disable-telemetry: false
+          allowed-endpoints: >
+            api.github.com:443
       - name: Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0

.github/workflows/benchmark.yaml

@@ -22,6 +22,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
+          disable-sudo: true
           egress-policy: audit
           disable-telemetry: false
           allowed-endpoints: >

.github/workflows/codeql.yaml

@@ -39,6 +39,16 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          disable-telemetry: false
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:44
+
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/labeler.yml

@@ -9,6 +9,13 @@ jobs:
   labeler:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          disable-telemetry: false
+
       - name: Check out the repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

.github/workflows/release.yml

@@ -10,6 +10,13 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          disable-telemetry: false
+
       - name: Check out the repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

.github/workflows/tests.yml

@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.ref_name }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: ${{ matrix.session }} ${{ matrix.python }} / ${{ matrix.os }}
@@ -37,6 +40,17 @@ jobs:
       PRE_COMMIT_COLOR: "always"
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          disable-telemetry: false
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
       - name: Check out the repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 

docs/architectural_decision_records/015-github-action-runner-hardening.md

@@ -0,0 +1,62 @@
+# 15. Use Step Security for GitHub Actions Runner Hardening
+
+## Date
+
+2024-06-21
+
+## Status
+
+Approved
+
+## Context
+
+Our CI/CD pipelines utilize GitHub Actions to automate builds, tests, and deployments. Ensuring the security of these
+pipelines is crucial to protect our codebase and sensitive data from potential security threats.
+
+## Decision
+
+Our CI/CD pipelines utilize GitHub Actions to automate builds, tests, and deployments. Ensuring the security of these
+pipelines is crucial to protect our codebase and sensitive data from potential security threats.
+
+## Options Considered
+
+1. **Do Nothing**: Continue using GitHub Actions without additional security measures.
+2. **Custom Security Implementation**: Develop our own security hardening scripts and policies.
+3. **Use Step Security**: Implement Step Security’s GitHub Action runner hardening.
+
+## Decision Drivers
+
+- **Security**: We need to enhance the security of our GitHub Actions runners to protect against unauthorized access and
+- vulnerabilities.
+- **Simplicity**: We prefer a solution that is easy to implement and maintain without extensive custom development.
+- **Compliance**: We need to meet specific security compliance requirements.
+- **Cost**: We aim for a cost-effective solution.
+
+## Decision Outcome
+
+We have chosen to use Step Security’s GitHub Action runner hardening. This decision is based on the following reasons:
+
+- **Enhanced Security**: Step Security provides a comprehensive set of security features that address our needs for
+- environment isolation, least privilege, network restrictions, and more.
+- **Ease of Use**: The solution integrates seamlessly with our existing GitHub Actions workflows with minimal
+- configuration effort.
+- **Compliance and Auditability**: Step Security provides detailed audit logs and helps ensure compliance with
+- security standards.
+- **Cost-Effective**: Using a third-party solution saves us time and resources compared to developing and maintaining
+- custom security scripts.
+
+## Consequences
+
+### Positive
+
+- Improved Security: Our CI/CD pipelines will have enhanced protection against security threats.
+- Simplified Compliance: Easier to meet security compliance requirements.
+- Reduced Development Effort: Leveraging a third-party solution saves time and resources.
+
+### Negative
+
+- Dependency on Third-Party: We will rely on Step Security for updates and maintenance of the security features.
+
+## Review
+
+This decision will be reviewed periodically to ensure it continues to meet our security and operational needs.