
Commit 3c269f0

feat(ci): add harden-runner to security-critical workflows (#1326)
1 parent c0ffd1c commit 3c269f0

3 files changed

+40
-0
lines changed


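--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -51,6 +51,11 @@ jobs:
       # Parentheses added for explicit operator precedence (&& has higher precedence than ||)
       should-run-analysis: ${{ (github.event_name == 'workflow_dispatch' && 'true') || (github.event_name == 'schedule' && 'true') || steps.filter.outputs.scannable }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Check for scannable file changes
@@ -116,6 +121,11 @@ jobs:
             build-mode: none
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -161,6 +171,11 @@ jobs:
       contents: read
       checks: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -204,6 +219,11 @@ jobs:
       contents: read
       security-events: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 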
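Review bot: `egress-policy: audit` in all four jobs only logs outbound connections; it does not stop a compromised dependency or third-party action from exfiltrating the job token or tampering with results, so these workflows are not yet "hardened" in the sense the commit title suggests. Audit mode is the right first step, but the intent to finish the rollout should be recorded on each step, e.g. `# TODO: switch to egress-policy: block with allowed-endpoints once audit output confirms the endpoints this job needs`, so the audit phase does not become the permanent state. The action is pinned to a full commit SHA with a version comment, which is good practice; I have not verified that the SHA corresponds to the v2.14.2 tag, so that is worth a one-time check. The jobs' `runs-on` values are outside these hunks; harden-runner only monitors GitHub-hosted Linux runners, so if any of these jobs run elsewhere the step will not provide coverage.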

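--- a/.github/workflows/pr-validation.yml
+++ b/.github/workflows/pr-validation.yml
@@ -49,6 +49,11 @@ jobs:
     timeout-minutes: 10
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Check if validation should run
         id: should-run
         shell: pwsh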

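--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -74,6 +74,11 @@ jobs:
       checks: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up Python
@@ -112,6 +117,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up Python
@@ -155,6 +165,11 @@ jobs:
     permissions:
       contents: read
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
       - name: Skip tests (no Python files changed)
         run: |
           echo "No Python files changed - skipping tests"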
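Review bot: The third hunk adds Harden Runner to a job whose only step is an `echo` that skips the tests; that job makes no outbound connections of its own, so the step there installs the monitoring agent and audits nothing, and could be omitted unless uniform coverage is a deliberate policy (if so, a one-line comment saying that would stop the next reader from removing it). The two test jobs above it are the ones that matter: they set up Python and presumably install packages, which in `egress-policy: block` mode would require allowlisting the package index and any other endpoints the audit run reveals. Record that follow-up on those steps, e.g. `# TODO: move to egress-policy: block with allowed-endpoints after reviewing the audit report for this job`, so the audit-only configuration is understood as transitional rather than final.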
