From ff1fe1a4cfcbefa45e19ec41cbeb67c1109361a5 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Fri, 7 Nov 2025 02:16:20 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/build.yml | 13 +++++++++---- .github/workflows/check_pr_title.yml | 6 +++--- .github/workflows/draft_new_release.yml | 11 ++++++++--- ...anage-github-issue-for-outdated-dependencies.yml | 4 ++-- .github/workflows/notion_pr_sync.yml | 2 +- .github/workflows/publish-new-github-release.yml | 8 ++++---- .github/workflows/release.yml | 9 ++++++--- .github/workflows/slack-notify.yml | 7 +++++-- .github/workflows/snapshot_release.yml | 11 +++++++---- 9 files changed, 45 insertions(+), 26 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dc2d52a..6557a49 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,13 +8,18 @@ on: types: [ 'opened', 'reopened', 'edited', 'synchronize' ] workflow_dispatch: +permissions: + contents: read + jobs: cancel_previous: + permissions: + actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit 
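Review bot: The `cancel_previous` job now carries `actions: write`, but the `styfle/cancel-workflow-action` step that needs it sits below the hunk, and the diffstat for build.yml (9 insertions, 4 deletions) is fully accounted for by the lines shown here, so that step's `uses:` reference was not touched by this commit. If it is still referenced by a floating tag, pin it to its release commit SHA with the version in a trailing comment the same way the other actions were, since a job holding write scope on the Actions API is where a moving tag matters most. The job body continues outside the hunk, so this could not be checked from the diff.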
@@ -28,18 +33,18 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout source branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Grant execute permission for gradlew run: chmod +x gradlew - name: cache gradle dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.gradle/caches diff --git a/.github/workflows/check_pr_title.yml b/.github/workflows/check_pr_title.yml index fba734a..87889be 100644 --- a/.github/workflows/check_pr_title.yml +++ b/.github/workflows/check_pr_title.yml @@ -10,12 +10,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout source branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Check PR title - uses: rudderlabs/github-action-check-pr-title@v1.0.11 + uses: rudderlabs/github-action-check-pr-title@0a83071336f7d6417249629f67a64530fcecda2e # v1.0.11 diff --git a/.github/workflows/draft_new_release.yml b/.github/workflows/draft_new_release.yml index 47baa46..8e52bb8 100644 --- a/.github/workflows/draft_new_release.yml +++ b/.github/workflows/draft_new_release.yml 
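Review bot: check_pr_title.yml received only the three SHA pins and no `permissions:` block, so it still runs with the repository's default GITHUB_TOKEN scope while processing a PR title that the PR author controls. A title check needs no write access; add a workflow-level `permissions:` / `  contents: read` (or `pull-requests: read` if the action fetches the title through the API), matching what this commit did for build.yml. The `on:` trigger is above the hunk — if it is `pull_request_target`, the default token is write-capable on the base repository and the missing restriction matters more.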
@@ -3,24 +3,29 @@ name: Draft new release on: workflow_dispatch +permissions: + contents: read + jobs: draft-new-release: + permissions: + contents: write # for Git to git push name: Draft a new release runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/heads/feat/') || startsWith(github.ref, 'refs/heads/fix/') steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout source branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 - name: Set Node 16 - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 16 diff --git a/.github/workflows/manage-github-issue-for-outdated-dependencies.yml b/.github/workflows/manage-github-issue-for-outdated-dependencies.yml index aa72376..06f6810 100644 --- a/.github/workflows/manage-github-issue-for-outdated-dependencies.yml +++ b/.github/workflows/manage-github-issue-for-outdated-dependencies.yml @@ -11,11 +11,11 @@ jobs: name: Check outdated dependencies and create issue if it doesn't exist steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Check outdated dependencies and create issue id: check-outdated-dependencies-and-create-issue diff --git a/.github/workflows/notion_pr_sync.yml b/.github/workflows/notion_pr_sync.yml index cf9734e..a08b304 100644 --- a/.github/workflows/notion_pr_sync.yml +++ b/.github/workflows/notion_pr_sync.yml 
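Review bot: manage-github-issue-for-outdated-dependencies.yml got only the two SHA pins and no `permissions:` block, so the job keeps the repository's default token scope even though its step name says it creates issues. Declare the need explicitly: a workflow-level `permissions:` / `  contents: read` plus `issues: write` on this job — presumably the issue is opened with GITHUB_TOKEN, which should be confirmed in the step body that follows below the hunk. That keeps the org/repo default from silently deciding what a checkout-plus-issue job is allowed to do.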
@@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit diff --git a/.github/workflows/publish-new-github-release.yml b/.github/workflows/publish-new-github-release.yml index 47043c4..ff3edcc 100644 --- a/.github/workflows/publish-new-github-release.yml +++ b/.github/workflows/publish-new-github-release.yml @@ -14,7 +14,7 @@ jobs: if: startsWith(github.event.pull_request.head.ref, 'release/') && github.event.pull_request.merged == true # only merged pull requests must trigger this job steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit @@ -27,12 +27,12 @@ jobs: echo "release_version=$VERSION" >> $GITHUB_OUTPUT - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 16 # In order to make a commit, we need to initialize a user. @@ -53,7 +53,7 @@ jobs: DEBUG=conventional-github-releaser npx conventional-github-releaser -p angular - name: Delete release branch - uses: koj-co/delete-merged-action@master + uses: koj-co/delete-merged-action@63a03c35810a8a7d4840d18793c0f68ff8b59450 # master if: startsWith(github.event.pull_request.head.ref, 'release/') with: branches: 'release/*' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23908d1..15aaf67 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
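Review bot: `koj-co/delete-merged-action` is now pinned to `63a03c35…` but the trailing comment is `# master`, i.e. a snapshot of a moving branch rather than a release, so neither a reader nor Dependabot/Renovate can tell which version was audited or when it should be bumped. Prefer a tagged release of that action if one exists, or at least record when the commit was pinned in the comment (e.g. `# master, pinned 2025-11-07`) and re-review the diff before any bump. Separately, this workflow received no `permissions:` block although it pushes a release commit and deletes branches, so it still relies on the repository default — declare `permissions:` / `  contents: write` on the job so the write grant is explicit and can be audited with the rest.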
@@ -4,24 +4,27 @@ on: workflow_dispatch: release: types: [ created ] +permissions: + contents: read + jobs: release: runs-on: ubuntu-latest environment: deployment steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout source branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Grant execute permission for gradlew run: chmod +x gradlew - name: cache gradle dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.gradle/caches diff --git a/.github/workflows/slack-notify.yml b/.github/workflows/slack-notify.yml index 5fc96c1..2e1fbae 100644 --- a/.github/workflows/slack-notify.yml +++ b/.github/workflows/slack-notify.yml @@ -4,19 +4,22 @@ on: release: types: [ created ] +permissions: + contents: read + jobs: deploy-tag: name: Notify Slack runs-on: ubuntu-latest steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Send message to Slack channel id: slack - uses: slackapi/slack-github-action@v1.23.0 + uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0 env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} PROJECT_NAME: rudder-integration-braze-android diff --git a/.github/workflows/snapshot_release.yml b/.github/workflows/snapshot_release.yml index 2062083..c0cb7ec 100644 --- a/.github/workflows/snapshot_release.yml +++ b/.github/workflows/snapshot_release.yml 
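Review bot: This job publishes from `environment: deployment`, yet harden-runner stays at `egress-policy: audit`, which only records outbound calls and blocks nothing, so a compromised Gradle dependency pulled in during the build could still send the deployment secrets anywhere. Once the audit reports show the stable set of hosts the build needs, switch this step to `egress-policy: block` with an `allowed-endpoints:` list, and keep `audit` only for the PR-facing workflows. The publish step itself is below the hunk.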
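Review bot: `contents: read` is added to slack-notify.yml, but the only step posts to Slack with `SLACK_BOT_TOKEN` and nothing checks out or reads the repository, so even read scope is more than the job uses. `permissions: {}` is the least-privilege setting for a notify-only workflow; the `github.*` context the message is built from does not depend on the token's scopes. The message payload that follows is outside the hunk.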
@@ -5,20 +5,23 @@ on: branches: [ 'master' ] types: [ 'opened', 'reopened', 'edited', 'synchronize' ] +permissions: + contents: read + jobs: snapshot: runs-on: ubuntu-latest environment: deployment steps: - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: egress-policy: audit - name: Checkout source branch - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - - uses: actions/setup-java@v4 + - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 with: distribution: 'temurin' java-version: '17' @@ -27,7 +30,7 @@ jobs: run: chmod +x gradlew - name: cache gradle dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.gradle/caches
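Review bot: The new top-level `contents: read` is the right default, but this job runs in `environment: deployment` on `pull_request` events against master, including `edited`, so every title or description edit re-runs a snapshot publish that is presumably gated only by environment secrets. Fork PRs get no environment secrets on a `pull_request` trigger, so those runs would fail rather than leak; if the publish is meant for in-repo branches only, make that explicit with `if: github.event.pull_request.head.repo.full_name == github.repository` on the job and drop `edited` from the trigger unless re-publishing on description changes is intended. The Gradle publish step is below the hunk.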