diff --git a/.github/workflows/ci-win.yml b/.github/workflows/ci-win.yml
index 8338ddf48..389e25e7a 100644
--- a/.github/workflows/ci-win.yml
+++ b/.github/workflows/ci-win.yml
@@ -27,6 +27,11 @@ jobs:
 - windows-2022
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python ${{ env.PYTHON_VERSION }}
 uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2917039d2..56fc7289c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,6 +32,11 @@ jobs:
 compiler: gcc # GCC is an alias for clang on the MacOS image.
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Set up Python ${{ env.PYTHON_VERSION }}
 uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml
index f7214a1ca..ff9c1301f 100644
--- a/.github/workflows/coverage-linux.yml
+++ b/.github/workflows/coverage-linux.yml
@@ -34,6 +34,11 @@ jobs:
 coverage-linux:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 persist-credentials: false
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index e60776c53..a2f8effac 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
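Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and enforces nothing, so this job gains visibility but no containment; the same setting is added in ci.yml, coverage-linux.yml, linter.yml, both release-please.yml hunks and stale.yml. Once a few audit runs have produced a stable endpoint list, the jobs with a predictable egress set — stale.yml, which presumably only talks to the GitHub API, and the release-please.yml publish job, which sets registry-url and presumably carries a publish token — are the first candidates for `egress-policy: block` with an explicit `allowed-endpoints:` list taken from those audit reports. Leaving the build matrix jobs in audit until their endpoint set is understood is reasonable, but record that intent next to the setting, e.g. `egress-policy: audit  # baseline phase; move to block + allowed-endpoints once the audit reports stabilise`. This job's matrix definition begins above the hunk.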
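Review bot: This job's matrix includes a macOS image (the `compiler: gcc` context line's comment says so), and as far as I know Harden Runner instruments only Linux runners and skips itself elsewhere, so on that matrix leg the new step is inert; the same applies to the windows-2022 leg in ci-win.yml. If that is confirmed, gate the step so the inert case is explicit rather than silent: `if: runner.os == 'Linux'` on the Harden Runner step. Otherwise a reader of the workflow assumes every matrix leg is audited when only the Ubuntu legs are. The job header and matrix are above the hunk.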
@@ -15,6 +15,11 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 9eea07e3e..3307eadad 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -12,7 +12,12 @@ jobs:
 outputs:
 release_created: ${{ steps.release.outputs.release_created }}
 steps:
- - uses: googleapis/release-please-action@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
 id: release
 with:
 config-file: release-please-config.json
@@ -23,8 +28,13 @@ jobs:
 if: ${{ needs.release-please.outputs.release_created }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
 with:
 node-version: lts/*
 registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index e66646216..b5a17869b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
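Review bot: The `# v4.1.3` comment after the new release-please-action SHA (and `# v2.9.1` after harden-runner) is the only human-readable version marker, and nothing in this commit keeps either the comment or the SHA current; the same pattern is used in every hunk of the commit. Pinning to a commit is the right call, but without an updater the pins silently age and the comment can drift from the SHA it annotates. If the repository has no Dependabot or Renovate configuration for the `github-actions` ecosystem yet, it belongs alongside this change so the pinned SHAs and their version comments are bumped together. I cannot tell from the diff whether such a configuration already exists.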
@@ -13,6 +13,11 @@ jobs:
 pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ with:
+ egress-policy: audit
+
 - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}