Harden GitHub Actions Workflow - test.yml

[stepsecurity-int]

Summary

This issue is created by StepSecurity related to security issues in test.yml . The platform has identified 1 vulnerability (0 critical, 0 high, 0 medium, 1 low).

Remediation Overview

The platform can generate remediations for a few vulnerabilities. For such vulnerabilities, you can find the fixed workflow file in the Suggested Fix For Auto-Remediable Issues section. You can manually deploy these changes or create a pull request by commenting @stepsecurity-int pull-request create on this issue.

If you’d like an automated pull request with the fixed workflow file, comment:

@stepsecurity-int pull-request create

Other issues require manual investigation and changes.

Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.

Please review the individual vulnerability section below and follow the recommended resolution steps.

Security Checks Details

❌ Network and runtime security monitoring should be enabled for GitHub-hosted runners

• Severity: Low

• Description: This check passes if the step-security/harden-runner GitHub Action is used in a job that runs on a GitHub-hosted runner. Harden-Runner prevents exfiltration of code and CI/CD credentials, and detects tampering of files during build.

• Resolution: Add the step-security/harden-runner GitHub Action to the job.

• Automated Remediation Available ?: true

• References:

  • GitHub Security Guide

  • The Open Source Security Foundation (OpenSSF) Security Guide

Suggested Fix For Auto-Remediable Issues

Below is the updated workflow, which fixes the following security vulnerabilities:

• Network and runtime security monitoring should be enabled for GitHub-hosted runners

  name: Test
  on:
    pull_request:
      branches:
        - main
    push:
  permissions: read-all    
  env:
    GOPRIVATE: github.com/step-security
  jobs:
    test:
      permissions:
        contents: read
      runs-on: ubuntu-latest
      steps:
      - name: 
+ Harden the runner (Audit all outbound calls)
+       uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+       with:
+         egress-policy: audit
+     - name: 
  Checkout
        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
      - name: Set up Go 
        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
        with:
          go-version: 1.24.1
      - name: Configure .netrc
        run: |
          if [[ ! -e "~/.netrc" ]]; then
              touch ~/.netrc
          fi
          printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
      
      - name: Create go vendor dir
        run: |
          go mod vendor
      - name: Run coverage
        run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic      
      - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865

Additional Information

For more information, refer to the documentation page here.
Please don't make any changes in the description as the platform makes automated updates in description. Please use the comment section below to provide input.

Automated remediation commands and options

• Create a pull request with automated security fixes

@stepsecurity-int pull-request create

• Close this issue and prevent it from being reopened

@stepsecurity-int issue close <REASON>

• Update issue description with latest security check status

@stepsecurity-int issue force-update

• View all available commands and their usage

@stepsecurity-int help

Which GitHub Actions security best practices were evaluated?

The workflow was evaluated for the following GitHub Actions security best practices:

• Network & runtime security monitoring
• Token permissions
• Third‐party GitHub Actions usage & pinning