[StepSecurity] Apply security best practices (#2417) (dotnet#41814)

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: StepSecurity Bot <[email protected]>

Author: IEvangelist

.github/dependabot.yml

@@ -4,6 +4,9 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   status_checker_job:
     name: Look for build warnings
@@ -13,11 +16,16 @@ jobs:
         issues: write
         pull-requests: write
     steps:
-    - uses: actions/[email protected]
+    - name: Harden Runner
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         ref: ${{ github.event.pull_request.head.sha }}
 
-    - uses: dotnet/docs-tools/actions/status-checker@main
+    - uses: dotnet/docs-tools/actions/status-checker@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
       with:
         repo_token: ${{ secrets.GITHUB_TOKEN }}
         docs_path: "docs"

.github/workflows/check-for-build-warnings.yml

@@ -5,6 +5,9 @@ on:
     - cron: "0 1 1 * *" # Runs at 01:00, on day 1 of the month
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   clean-repo:
     runs-on: ubuntu-latest
@@ -14,12 +17,17 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # Call clean repo
       - name: Clean repo
         id: clean-repo-step
-        uses: dotnet/docs-tools/cleanrepo/CleanRepo@main
+        uses: dotnet/docs-tools/cleanrepo/CleanRepo@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
         with:
           docfx_directory: '.'
           articles_directory: 'docs'

.github/workflows/clean-repo.yml

@@ -10,6 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' && github.repository_owner == 'dotnet' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34

.github/workflows/dependabot-approve-and-automerge.yml

@@ -13,6 +13,9 @@ on:
         required: true
         default: "Manual run"
 # Run on the latest version of Ubuntu
+permissions:
+  contents: read
+
 jobs:
   dependabot-bot:
     runs-on: ubuntu-latest
@@ -22,7 +25,12 @@ jobs:
 
     # Checkout the repo into the workspace within the VM
     steps:
-      - uses: actions/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       # - name: Setup .NET
       #   uses: actions/setup-dotnet@4d4a70f4a5b2a5a5329f13be4ac933f2c9206ac0
       #   with:
@@ -36,7 +44,7 @@ jobs:
       # Run the .NET dependabot-bot tool
       - name: dependabot-bot
         id: dependabot-bot
-        uses: dotnet/docs-tools/actions/dependabot-bot@main
+        uses: dotnet/docs-tools/actions/dependabot-bot@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/dependabot-bot.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4

.github/workflows/dependency-review.yml

@@ -9,6 +9,9 @@ on:
     branches: [main]
     types: [labeled, unlabeled]
 
+permissions:
+  contents: read
+
 jobs:
   labels-preventing-merge-check:
     runs-on: ubuntu-latest
@@ -18,6 +21,11 @@ jobs:
         # Labels that prevent merging
         - 'DO NOT MERGE'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: 'Check "${{ matrix.label }}" label'
         run: |
           echo "::notice::Merging permission is diabled for PRs when the '${{ matrix.label }}' label is applied."

.github/workflows/do-not-merge-label-check.yml

@@ -3,6 +3,9 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   tryfix:
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/tryfix')
@@ -13,6 +16,11 @@ jobs:
       IS_TRY_FIX: true # differentiates /tryfix from the validation-only run.
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         id: get-pr
         with:
@@ -30,14 +38,14 @@ jobs:
               core.setFailed(`Request failed with error ${err}`)
             }
       - name: Checkout the repository
-        uses: actions/[email protected]
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Checkout Pull Request
         run: |
           hub pr checkout ${{ github.event.issue.number }}
 
       - name: Tryfix
-        uses: dotnet/docs-actions/actions/docs-verifier@main
+        uses: dotnet/docs-actions/actions/docs-verifier@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 
       - name: Push changes
         run: |

.github/workflows/docs-verifier-tryfix.yml

@@ -9,8 +9,13 @@ jobs:
     name: MSDocs build verifier
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the repository
-        uses: actions/[email protected]
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Validate
-        uses: dotnet/docs-actions/actions/docs-verifier@main
+        uses: dotnet/docs-actions/actions/docs-verifier@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main

.github/workflows/docs-verifier.yml

@@ -4,6 +4,11 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
         env:
           SHOULD_COMMENT: ${{ github.base_ref == 'refs/heads/live' && !(github.event.issue.user.login == 'cxwtool' || github.head_ref == 'refs/heads/main') }}