
Commit a3c2d73

authored
Merge pull request #81 from nodenv/chore/GHA-161928-stepsecurity-remediation
[StepSecurity] Apply security best practices
2 parents 1613ac2 + fad9670 commit a3c2d73


2 files changed

+16
-7
lines changed


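--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,25 +5,31 @@ jobs:
 github:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
+- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+with: { egress-policy: audit }
+- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 with: { fetch-depth: 0 }
 - run: npm run -s relnotes | tee relnotes.txt
-- uses: jasonkarns/create-release@master
+- uses: jasonkarns/create-release@9249b73e127bea00eb6f2caa7244657983df0557 # master
 with: { body_path: relnotes.txt }
 
 homebrew:
 runs-on: ubuntu-latest
 steps:
-- uses: mislav/bump-homebrew-formula-action@v1
+- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+with: { egress-policy: audit }
+- uses: mislav/bump-homebrew-formula-action@21991dc8f899341b552c9842957677139a340980 # v1.16
 with: { formula-name: nodenv }
 env:
 COMMITTER_TOKEN: ${{ secrets.BOT_TOKEN }}
 
 npm:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
-- uses: actions/setup-node@v1
+- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+with: { egress-policy: audit }
+- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+- uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
 with:
 scope: nodenv
 registry-url: https://registry.npmjs.org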
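Review bot: No `permissions:` key appears among the added lines of release.yml, while test.yml in the same commit gains `permissions: {contents: read}`; the hunk starts at line 5, so the top of the file is not visible, but an unchanged header would leave the release jobs on the repository's default GITHUB_TOKEN scope. Consider a workflow-level `permissions: {contents: read}` plus `permissions: {contents: write}` on the `github` job only, assuming create-release needs write access to publish the release. Separately, `with: { egress-policy: audit }` on all three jobs here (and in test.yml) only records outbound traffic; the `homebrew` job carries `secrets.BOT_TOKEN`, so moving to `egress-policy: block` with an `allowed-endpoints` list once the audit baseline is known would turn the logging into an enforced control. The `npm` job continues past the end of the hunk, so its remaining steps are not covered here.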

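--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,10 +1,13 @@
 name: Test
 on: [push, pull_request]
+permissions: {contents: read}
 
 jobs:
 test:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v2
-- run: npm cit
+- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+with: { egress-policy: audit }
+- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+- run: npm cit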
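Review bot: The pinned `actions/checkout` step at new line 12 keeps its default of persisting the job token in the local git config, and the next step, `npm cit`, runs dependency install scripts and the test suite inside that same checkout. Because this workflow also triggers on `pull_request`, adding `with: { persist-credentials: false }` to the checkout step would keep the token away from that code. The new `permissions: {contents: read}` already limits what the token can do; this change removes it from disk as well.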
