[StepSecurity] Apply security best practices (#41)

stepsecurity-app[bot] · cpanato · web-flow · commit 0ef37029c052 · 2025-05-16T14:36:44.000+01:00
* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;

* updates

---------

Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
Co-authored-by: Carlos Panato &lt;ctadeu@gmail.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -7,12 +7,16 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
-jobs:
+permissions: {}
 
+jobs:
   action-lint:
     name: Action lint
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read # To read the repo contents
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -21,6 +25,8 @@ jobs:
 
       - name: Check out code
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
 
       - name: Find yamls
         id: get_yamls
diff --git a/.github/workflows/ghaudit.yaml b/.github/workflows/ghaudit.yaml
@@ -6,38 +6,46 @@ on:
 
 name: GitHub Audit
 
+permissions: {}
+
 jobs:
   ghaudit:
     runs-on: ubuntu-latest
 
     permissions:
+      contents: read # To read the repo contents
       id-token: write # To federate with Octo STS
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+      with:
+        egress-policy: audit
+
     - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
       id: octo-sts
       with:
         scope: ${{ github.repository_owner }}
         identity: ghaudit
 
     - name: Deploy Keys
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} deploy-keys
 
     - name: Branch Protections
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
         packages: ghaudit
         command: ghaudit org -o ${{ github.repository_owner }} branch-protections
 
     - name: Default Permissions
-      uses: wolfi-dev/wolfi-act@main
+      uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # v0.0.1
       env:
         GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
       with:
