chore: [StepSecurity] Harden GitHub Actions (#150)

step-security-bot · web-flow · commit 02dfeb485f48 · 2023-02-23T08:58:16.000-08:00
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -14,33 +14,38 @@ jobs:
       matrix:
         ruby-version: ["2.6", "2.7", "3.0", "3.1", "3.2"]
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
       with:
         go-version: '1.17'
         check-latest: true
     - name: Setup Ruby
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4d060a10e6d98429c69057f0aafbc65fb982bae8 # v1.137.0
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true
     - name: Run HTTP conformance tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         functionType: 'http'
         useBuildpacks: false
         cmd: "'bundle exec functions-framework-ruby --source test/conformance/app.rb --target http_func --signature-type http'"
     - name: Run CloudEvent conformance tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         functionType: 'cloudevent'
         useBuildpacks: false
         validateMapping: true
         cmd: "'bundle exec functions-framework-ruby --source test/conformance/app.rb --target cloudevent_func --signature-type cloudevent'"
     - name: Run HTTP concurrency tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         functionType: 'http'
         useBuildpacks: false
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,15 +7,23 @@ on:
     branches:
       - main
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   lint:
     if: ${{ github.repository == 'GoogleCloudPlatform/functions-framework-ruby' }}
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Install Ruby 3.0
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4d060a10e6d98429c69057f0aafbc65fb982bae8 # v1.137.0
       with:
         ruby-version: "3.0"
         bundler-cache: true
diff --git a/.github/workflows/push-gh-pages.yml b/.github/workflows/push-gh-pages.yml
@@ -10,10 +10,15 @@ jobs:
       ruby_version: "3.0"
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Install Ruby ${{ env.ruby_version }}
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4d060a10e6d98429c69057f0aafbc65fb982bae8 # v1.137.0
         with:
           ruby-version: ${{ env.ruby_version }}
           bundler-cache: true
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -24,6 +24,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     if: ${{ github.repository == 'GoogleCloudPlatform/functions-framework-ruby' }}
@@ -46,10 +49,15 @@ jobs:
       fail-fast: false
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Install Ruby ${{ matrix.ruby }}
-      uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@4d060a10e6d98429c69057f0aafbc65fb982bae8 # v1.137.0
       with:
         ruby-version: "${{ matrix.ruby }}"
         bundler-cache: true
