From 5287429c7db86f1783c5fe2a30ea62587701dfc4 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 24 Jan 2025 20:51:05 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/_build-pkg.yml | 8 ++++++++
 .github/workflows/ci.yml | 15 +++++++++++++++
 .github/workflows/lint.yml | 15 +++++++++++++++
 .github/workflows/pypi-release.yml | 5 +++++
 4 files changed, 43 insertions(+)
diff --git a/.github/workflows/_build-pkg.yml b/.github/workflows/_build-pkg.yml
index f14145c7e0..ad53be90b3 100644
--- a/.github/workflows/_build-pkg.yml
+++ b/.github/workflows/_build-pkg.yml
@@ -9,10 +9,18 @@ on: required: false default: "package" +permissions: + contents: read + jobs: build-pkg: runs-on: ubuntu-latest steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v4
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f0d9fe8b31..a2c1b849d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,11 @@ jobs: - {python-version: "3.8", os: "windows-latest", os-label: "Windows"} - {python-version: "3.8", os: "macos-latest", os-label: "macOS"} steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v4
@@ -49,6 +54,11 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - name: "Noop" run: true shell: bash
@@ -58,6 +68,11 @@ jobs: needs: test_success if: github.ref == 'refs/heads/main' steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: release-drafter/release-drafter@v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
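Review bot: The newly added `uses: step-security/harden-runner@v2` references a mutable major tag, so the very step meant to detect tampering can itself be swapped out upstream without any change visible in this repository; a commit whose purpose is supply-chain hardening should pin it to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: step-security/harden-runner@<40-hex commit sha> # v2.x.y`. The top-level `permissions:` / `contents: read` added in this hunk is the right default for what looks like a reusable workflow (the `on:` block carries input defaults). Be aware that `egress-policy: audit` only records outbound connections and blocks nothing, so as committed this hunk improves visibility rather than exposure until the policy is switched to `block` with an `allowed-endpoints` list built from the audit reports.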
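Review bot: This harden-runner step is added unconditionally to a job whose matrix includes `windows-latest` and `macos-latest` (see the context lines), but harden-runner's egress monitoring is documented for Linux runners; on the other legs the step appears to be a no-op that still fetches and runs the action, so the audit coverage is narrower than the workflow reads — confirm against the action's current platform support. Either gate it with `if: runner.os == 'Linux'` or record the gap above the step with `# harden-runner only monitors egress on Linux runners; Windows/macOS matrix legs are not covered`. The matrix definition and the rest of the job sit outside this hunk.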
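Review bot: The job this hunk touches hands `secrets.GITHUB_TOKEN` to `release-drafter/release-drafter@v5` (context lines), an action that needs write access to create draft releases, so this is the job in ci.yml where a leaked token matters most — yet `egress-policy: audit` lets every outbound connection through and only reports it afterwards. Once an audit run has shown what the job actually contacts, tighten it here to `egress-policy: block` plus `allowed-endpoints: >` listing `api.github.com:443` and whatever else the report shows. The job-level `permissions:` is outside the hunk, so I cannot tell whether the token is already scoped down; if it is not, that is the other half of hardening this job.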
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ddad6322dd..ea43e3959c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -11,6 +11,11 @@ jobs: mypy: runs-on: ubuntu-latest steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/checkout@v3 - name: Set up Python uses: actions/setup-python@v4
@@ -29,6 +34,11 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with:
@@ -38,6 +48,11 @@ jobs: docs: runs-on: ubuntu-latest steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-python@v4 with:
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 50dd4a62d6..458a0813f9 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -14,6 +14,11 @@ jobs: needs: [build] runs-on: ubuntu-latest steps: + - name: Harden Runner uses: step-security/harden-runner@v2 with: egress-policy: audit + - uses: actions/download-artifact@v3 with: name: package
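Review bot: Unlike the `_build-pkg.yml` change in this same commit, none of the three lint.yml hunks adds a top-level `permissions:` block — the diffstat's 15 added lines are exactly the three five-line harden-runner steps — so unless lint.yml already declares one above line 11 (not visible here), the mypy, pre-commit and docs jobs keep the repository-default token scope even though none of the visible steps needs more than a checkout. Add `permissions:` / `  contents: read` at the top of the file to match `_build-pkg.yml`. The added `step-security/harden-runner@v2` should also be pinned to a full-length commit SHA rather than a floating major tag, and `egress-policy: audit` should be understood as logging only, not enforcement.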
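Review bot: This is the publish job (`needs: [build]`, then `actions/download-artifact@v3` of `package` in the context lines), i.e. the one place where a compromised dependency or action could redirect or tamper with what gets released, and `egress-policy: audit` neither prevents that nor fails the job — it only logs it after the fact. For a release job the policy should be `block` with an explicit allow list, e.g. `egress-policy: block` / `allowed-endpoints: >` / `upload.pypi.org:443`, presuming the step that follows (outside this hunk) publishes to PyPI; take the exact endpoint list from an audit run's report rather than guessing. Pin `harden-runner` to a full commit SHA as well — a floating `@v2` on the guard of a release workflow is the weakest place to leave one.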