
Commit 72fc1b6

ci: [StepSecurity] Harden GitHub Actions (#2910)
Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: Utkarsh Umesan Pillai <[email protected]>
1 parent f99f20a commit 72fc1b6


8 files changed

+75
-0
lines changed


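--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -34,6 +34,11 @@ jobs:
 # For pushes to main, compare against the previous commit
 BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.base_ref || github.event.before }}
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 10 # Fetch current commit and its parent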
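Review bot: The new harden-runner step is pinned by the mutable tag `step-security/harden-runner@v2`, while every other action in the surrounding context lines (and the same step in fossa.yml and ossf-scorecard.yml in this commit) is pinned to a full commit SHA; a tag can be moved, so the step whose job is to control the runner's egress is the one least pinned. Use the SHA the commit already uses elsewhere: `uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1`. The same applies to all eight hunks in ci.yml and to integration_tests.yml, markdown-link-check.yml, pr_naming.yml and semver.yml. `egress-policy: audit` only records outbound calls; once the audit reports have been reviewed, the follow-up is `egress-policy: block` with an `allowed-endpoints:` list so unexpected egress fails the job instead of being logged.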

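--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,6 +30,11 @@ jobs:
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.rust == 'beta' }}
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - name: Free disk space
 if: ${{ matrix.os == 'ubuntu-latest'}}
 run: |
@@ -54,6 +59,11 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true
@@ -77,6 +87,11 @@ jobs:
 example: [opentelemetry, opentelemetry-sdk, opentelemetry-otlp, opentelemetry-zipkin]
 runs-on: ubuntu-latest # TODO: Check if this could be covered for Windows. The step used currently fails on Windows.
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: dtolnay/rust-toolchain@a02741459ec5e501b9843ed30b535ca0a0376ae4
 with:
@@ -95,6 +110,11 @@ jobs:
 runs-on: ${{ matrix.os }}
 continue-on-error: true
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true
@@ -110,6 +130,11 @@ jobs:
 runs-on: ubuntu-latest # This uses the step `EmbarkStudios/cargo-deny-action@v1` which is only supported on Linux
 continue-on-error: true # Prevent sudden announcement of a new advisory from failing ci
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: EmbarkStudios/cargo-deny-action@34899fc7ba81ca6268d5947a7a16b4649013fea1 # v2.0.11
 with:
@@ -118,6 +143,11 @@ jobs:
 continue-on-error: true
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: dtolnay/rust-toolchain@fcf085fcb4b4b8f63f96906cd713eb52181b5ea4
 with:
@@ -136,6 +166,11 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ ! contains(github.event.pull_request.labels.*.name, 'dependencies') }}
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true
@@ -163,6 +198,11 @@ jobs:
 continue-on-error: true
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true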

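--- a/.github/workflows/fossa.yml
+++ b/.github/workflows/fossa.yml
@@ -11,6 +11,11 @@ jobs:
 fossa:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - uses: fossas/fossa-action@c0a7d013f84c8ee5e910593186598625513cc1e4 # v1.6.0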

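--- a/.github/workflows/integration_tests.yml
+++ b/.github/workflows/integration_tests.yml
@@ -12,6 +12,11 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - name: Free disk space
 run: |
 df -h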

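--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -14,6 +14,11 @@ jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Install markdown-link-check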

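--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -19,6 +19,11 @@ jobs:
 # Needed for GitHub OIDC token if publish_results is true
 id-token: write
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false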

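--- a/.github/workflows/pr_naming.yml
+++ b/.github/workflows/pr_naming.yml
@@ -10,6 +10,11 @@ jobs:
 validate-pr-title:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - name: PR Conventional Commit Validation
 uses: ytanikin/pr-conventional-commits@8267db1bacc237419f9ed0228bb9d94e94271a1d # 1.4.1
 with: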

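--- a/.github/workflows/semver.yml
+++ b/.github/workflows/semver.yml
@@ -11,6 +11,11 @@ jobs:
 timeout-minutes: 10
 if: ${{ github.event.label.name == 'semver-check' || contains(github.event.pull_request.labels.*.name, 'semver-check') }}
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@v2
+with:
+egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 submodules: true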
