[StepSecurity] Apply security best practices

.github/workflows/actionlint.yaml

@@ -5,7 +5,8 @@ name: Action Lint
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
 
 permissions: {}
 
@@ -14,10 +15,16 @@ jobs:
   action-lint:
     name: Action lint
     runs-on: ubuntu-latest
+
     permissions:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 

.github/workflows/boilerplate.yaml

@@ -5,7 +5,8 @@ name: Boilerplate
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
 
 permissions: {}
 
@@ -14,8 +15,10 @@ jobs:
   check:
     name: Boilerplate Check
     runs-on: ubuntu-latest
+
     permissions:
       contents: read
+
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:
@@ -34,10 +37,15 @@ jobs:
           language: YAML
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: chainguard-dev/actions/boilerplate@main
+      - uses: chainguard-dev/actions/boilerplate@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2
         with:
           extension: ${{ matrix.extension }}
           language: ${{ matrix.language }}

.github/workflows/donotsubmit.yaml

@@ -5,7 +5,8 @@ name: Do Not Submit
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
 
 permissions: {}
 
@@ -14,12 +15,18 @@ jobs:
   donotsubmit:
     name: Do Not Submit
     runs-on: ubuntu-latest
+
     permissions:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Do Not Submit
-        uses: chainguard-dev/actions/donotsubmit@main
+        uses: chainguard-dev/actions/donotsubmit@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # v1.1.2

.github/workflows/go-test.yaml

@@ -5,9 +5,11 @@ name: Test
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
   push:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
 
 permissions: {}
 
@@ -18,6 +20,11 @@ jobs:
     permissions:
       contents: read
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
     - name: Check out code onto GOPATH
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -41,4 +48,4 @@ jobs:
         check-latest: true
 
     - run: |
-        go test -race ./...
+        go test -v -race ./...

.github/workflows/style.yaml

@@ -23,6 +23,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -44,6 +49,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -64,6 +74,11 @@ jobs:
       pull-requests: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set up Go
@@ -87,6 +102,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 

.github/workflows/verify.yaml

@@ -5,9 +5,11 @@ name: Verify
 
 on:
   pull_request:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
   push:
-    branches: [ 'main', 'release-*' ]
+    branches:
+      - 'main'
 
 permissions: {}
 
@@ -16,13 +18,19 @@ jobs:
   verify:
     name: Verify Codegen
     runs-on: ubuntu-latest
+
     permissions:
       contents: read
 
     env:
       GOPATH: ${{ github.workspace }}
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
     - name: Check out code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
@@ -55,7 +63,7 @@ jobs:
         ./hack/update-codegen.sh
 
     - name: Verify
-      uses: chainguard-dev/actions/nodiff@main
+      uses: chainguard-dev/actions/nodiff@5363dd9eb48083bbf7674a4bbe62d71c3b230edd # main
       with:
         path: ./src/github.com/${{ github.repository }}
         fixup-command: "./hack/update-codegen.sh"