chore(deps): bump aws-actions/configure-aws-credentials from aa1f74b81b53cb3adb28afcdb21d7b9f3fceea98 to 209f2a4450bb4b277e1dedaff40ad2fd8d4d0a4c #3147
  | name: Lockdown untrusted workflows | |
| # PROCESS | |
| # | |
| # 1. Scans for any external GitHub Action being used without version pinning (@<commit-sha> vs @v3) | |
| # 2. Scans for insecure practices for inline bash scripts (shellcheck) | |
| # 3. Fail CI and prevent PRs to be merged if any malpractice is found | |
| # USAGE | |
| # | |
| # Always triggered on new PR, PR changes and PR merge. | |
| on: | |
| push: | |
| paths: | |
| - ".github/workflows/**" | |
| pull_request: | |
| paths: | |
| - ".github/workflows/**" | |
| permissions: | |
| contents: read | |
| jobs: | |
| enforce_pinned_workflows: | |
| name: Harden Security | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # checkout code and subsequently GitHub action workflows | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Ensure 3rd party workflows have SHA pinned | |
| uses: zgosalvez/github-actions-ensure-sha-pinned-actions@fc87bb5b5a97953d987372e74478de634726b3e5 # v3.0.25 | |
| with: | |
| allowlist: | | |
| slsa-framework/slsa-github-generator | |
| aws-powertools/actions |