From d21e69094db09d21997d26bbee9f88ccf1b3c4ee Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 04:04:45 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/AddLabel.yaml | 5 ++
 .github/workflows/IssueComment.yml | 5 ++
 .github/workflows/ScanSecrets.yaml | 9 +++-
 .github/workflows/addComment.yaml | 5 ++
 .github/workflows/addCommentOnPackagedPR.yaml | 5 ++
 ...CommentToRemindUpdatingTemplateVersion.yml | 7 ++-
 .github/workflows/addLabelOnPr.yaml | 5 ++
 .github/workflows/allowedWorkflowRun.yaml | 5 ++
 .github/workflows/arm-ttk-validations.yaml | 7 ++-
 .github/workflows/aws-s3-bundle-update.yaml | 9 +++-
 .github/workflows/checkAutomatedPR.yaml | 5 ++
 .github/workflows/checkPRContentChange.yaml | 5 ++
 .github/workflows/checkSkipPackagingInfo.yaml | 5 ++
 .github/workflows/codeql-analysis.yml | 15 ++++-
 .github/workflows/content-validations.yaml | 7 ++-
 .../convertKqlFunctionYamlToArmTemplate.yaml | 13 +++-
 .../workflows/data-connector-validations.yaml | 7 ++-
 ...detection-template-schema-validations.yaml | 9 +++-
 .github/workflows/detection-validations.yaml | 7 ++-
 .../workflows/documents-link-validation.yaml | 7 ++-
 .github/workflows/getSolutionName.yaml | 5 ++
 .github/workflows/hyperlinkValidator.yaml | 5 ++
 .github/workflows/json-syntax-validation.yaml | 7 ++-
 .github/workflows/kql-validations.yaml | 9 +++-
 .github/workflows/logo-validation.yaml | 7 ++-
 .github/workflows/neworexistingsolution.yaml | 5 ++
 .github/workflows/non-ascii-validations.yaml | 9 +++-
 .github/workflows/package-command.yaml | 5 ++
 .github/workflows/playbook-validations.yaml | 7 ++-
 .github/workflows/pullRequestStatus.yaml | 5 ++
 .../runAsimSchemaAndDataTesters.yaml | 47 ++++++++++++++-----
 .github/workflows/sample-data-validation.yaml | 9 +++-
 .github/workflows/slash-command-armttk.yaml | 9 +++-
 .github/workflows/slash-command-dispatch.yaml | 5 ++
 .github/workflows/solution-validations.yaml | 7 ++-
 .github/workflows/solutionIntegration.yaml | 9 +++-
 .../workflows/validateClassicAppInsights.yaml | 5 ++
 .github/workflows/validateFieldTypes.yaml | 5 ++
 .../validateVersionChangedInDetections.yml | 7 ++-
 .../workbook-metadata-validations.yaml | 7 ++-
 .../workbook-template-validations.yaml | 7 ++-
 .github/workflows/yaml-syntax-validation.yaml | 7 ++-
 42 files changed, 280 insertions(+), 50 deletions(-)
diff --git a/.github/workflows/AddLabel.yaml b/.github/workflows/AddLabel.yaml
index 0d1808950c1..84370b28024 100644
--- a/.github/workflows/AddLabel.yaml
+++ b/.github/workflows/AddLabel.yaml
@@ -31,6 +31,11 @@ jobs:
 needs: solutionPublisherDetail
 if: ${{ github.actor != 'dependabot[bot]' && needs.solutionPublisherDetail.outputs.solutionPublisherId != '' && !contains(fromJson(vars.INTERNAL_PUBLISHERS),needs.solutionPublisherDetail.outputs.solutionPublisherId) }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/IssueComment.yml b/.github/workflows/IssueComment.yml
index 2ca3a61de60..21555e7e246 100644
--- a/.github/workflows/IssueComment.yml
+++ b/.github/workflows/IssueComment.yml
@@ -14,6 +14,11 @@ jobs:
 permissions:
 issues: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/ScanSecrets.yaml b/.github/workflows/ScanSecrets.yaml
index 9be18941871..ff9adadd20c 100644
--- a/.github/workflows/ScanSecrets.yaml
+++ b/.github/workflows/ScanSecrets.yaml
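Review bot: `egress-policy: audit` only records outbound connections; nothing is blocked, so the new step adds telemetry rather than containment, and the same applies to every "Harden the runner" step this patch inserts (all 42 files in the diffstat). That is a reasonable first pass, but the intent should be captured so the audit phase is not mistaken for enforcement: add `# TODO: switch to egress-policy: block with an allowed-endpoints list once the audit logs show what this job needs` under the `with:` block. The jobs that hold cloud credentials (the `id-token: write` jobs in runAsimSchemaAndDataTesters.yaml, where the same step is added) are the ones where moving to `block` pays off most. The step is placed first under `steps:` in each hunk, which is where harden-runner is documented to go so it observes the whole job.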
@@ -7,11 +7,16 @@ jobs:
 Scan_Secrets_in_commit:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 10
 - name: Secret Scanning
- uses: trufflesecurity/trufflehog@main
+ uses: trufflesecurity/trufflehog@6171fa9f6676edf21e15bba41f049b18399d7372 # main
 with:
 extra_args: --exclude-paths=.script/SecretScanning/Excludepathlist --only-verified
diff --git a/.github/workflows/addComment.yaml b/.github/workflows/addComment.yaml
index d0cbcd76288..5658cdbc944 100644
--- a/.github/workflows/addComment.yaml
+++ b/.github/workflows/addComment.yaml
@@ -18,6 +18,11 @@ jobs:
 comment:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/addCommentOnPackagedPR.yaml b/.github/workflows/addCommentOnPackagedPR.yaml
index 7545e29d3d7..3a94539acea 100644
--- a/.github/workflows/addCommentOnPackagedPR.yaml
+++ b/.github/workflows/addCommentOnPackagedPR.yaml
@@ -16,6 +16,11 @@ jobs:
 pull-requests: write
 contents: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/github-script@29423367f079522048aa7c63f671593b0556ffd5
 id: addComment
 with:
diff --git a/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml b/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
index 9e77e0b9a52..c55c111c3fe 100644
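Review bot: `uses: trufflesecurity/trufflehog@6171fa9f6676edf21e15bba41f049b18399d7372 # main` pins a commit taken from a moving branch, so the trailing `# main` records no version and gives pin-update tooling nothing to track; `ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master` in convertKqlFunctionYamlToArmTemplate.yaml has the same shape. The commit is immutable, which is the point of the change, but a reviewer cannot tell from the line whether it corresponds to a released version or an arbitrary head of the branch. Prefer the SHA of a tagged release and write the tag in the comment, e.g. `uses: trufflesecurity/trufflehog@<sha-of-release-tag> # <release tag>`.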
--- a/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
+++ b/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
@@ -13,8 +13,13 @@ jobs:
 outputs:
 hasAutoDetectionComment: ${{ steps.job1.outputs.hasAutoDetectionComment }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Find Comment
- uses: peter-evans/find-comment@v3
+ uses: step-security/find-comment@1d7bf2a0c1b6802305aa3cf2e7c0e47568915caf # v4.0.0
 id: fc
 with:
 issue-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/addLabelOnPr.yaml b/.github/workflows/addLabelOnPr.yaml
index f6edd510a5f..59f7136e259 100644
--- a/.github/workflows/addLabelOnPr.yaml
+++ b/.github/workflows/addLabelOnPr.yaml
@@ -16,6 +16,11 @@ jobs:
 if: ${{ !github.event.pull_request.head.repo.fork }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/allowedWorkflowRun.yaml b/.github/workflows/allowedWorkflowRun.yaml
index 1269f96dd68..a69b718cf6a 100644
--- a/.github/workflows/allowedWorkflowRun.yaml
+++ b/.github/workflows/allowedWorkflowRun.yaml
@@ -18,6 +18,11 @@ jobs:
 outputs:
 isWorkflowRunAllowed: ${{ steps.getWorkflowRunAllowedStatus.outputs.isWorkflowRunAllowed }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Is Current User Allowed
 shell: pwsh
 id: getWorkflowRunAllowedStatus
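Review bot: `uses: step-security/find-comment@1d7bf2a0c1b6802305aa3cf2e7c0e47568915caf # v4.0.0` replaces `peter-evans/find-comment@v3`, which changes both the publisher and the major version inside a commit presented as a pinning pass; the `id: fc` outputs consumed later in the job (outside this hunk) depend on that action's interface. The same publisher swap is made in arm-ttk-validations.yaml and slash-command-armttk.yaml (`docker/build-push-action` → `step-security/docker-build-push-action`, v6.9.0 → v6.18.0) and in convertKqlFunctionYamlToArmTemplate.yaml (`BSFishy/pip-action` → `step-security/pip-action`, and `mshick/add-pr-comment@v1` → `step-security/add-pr-comment` v2.8.4, a major jump whose `with:` inputs continue past the hunk). Each of these is a new trust root for the workflow, so it should be an explicit decision rather than a side effect of pinning: confirm the fork is the one the repository wants to depend on, check the release notes for input/output changes across the major bump, and record the rationale on the `uses:` line, e.g. `# deliberately switched from peter-evans/find-comment@v3; inputs/outputs verified against <release notes>`.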
diff --git a/.github/workflows/arm-ttk-validations.yaml b/.github/workflows/arm-ttk-validations.yaml
index f56506a2018..950e26cbd0f 100644
--- a/.github/workflows/arm-ttk-validations.yaml
+++ b/.github/workflows/arm-ttk-validations.yaml
@@ -18,6 +18,11 @@ jobs:
 mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
 createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 10
@@ -35,7 +40,7 @@ jobs:
 exit 1
 }
 
- - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+ - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0
 id: publishGithubPackage
 name: Run ARM-TTK
 if: ${{ success() && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}
diff --git a/.github/workflows/aws-s3-bundle-update.yaml b/.github/workflows/aws-s3-bundle-update.yaml
index 3918a7de569..b8812859d0e 100644
--- a/.github/workflows/aws-s3-bundle-update.yaml
+++ b/.github/workflows/aws-s3-bundle-update.yaml
@@ -31,15 +31,20 @@ jobs:
 pull-requests: write
 
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
- uses: actions/create-github-app-token@v1
+ uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
 with:
 app-id: ${{ secrets.APPLICATION_ID }}
 private-key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 - name: Checkout PR branch with sparse checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 token: ${{ steps.generate_token.outputs.token }}
 ref: ${{ github.event.pull_request.head.ref }}
diff --git a/.github/workflows/checkAutomatedPR.yaml b/.github/workflows/checkAutomatedPR.yaml
index f7ce6468991..33eb042ef14 100644
--- a/.github/workflows/checkAutomatedPR.yaml
+++ b/.github/workflows/checkAutomatedPR.yaml
@@ -16,6 +16,11 @@ jobs:
 outputs:
 isAutomatedPR: ${{ steps.ValidateAutomatedPR.outputs.isAutomatedPR }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - shell: pwsh
 id: ValidateAutomatedPR
 run: |
diff --git a/.github/workflows/checkPRContentChange.yaml b/.github/workflows/checkPRContentChange.yaml
index 307fab2b3a6..5e34188d22a 100644
--- a/.github/workflows/checkPRContentChange.yaml
+++ b/.github/workflows/checkPRContentChange.yaml
@@ -26,6 +26,11 @@ jobs:
 outputs:
 hasContentPackageChange: ${{ steps.changesInPR.outputs.hasContentPackageChange }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 2
diff --git a/.github/workflows/checkSkipPackagingInfo.yaml b/.github/workflows/checkSkipPackagingInfo.yaml
index 411e208e2f2..9052347cc00 100644
--- a/.github/workflows/checkSkipPackagingInfo.yaml
+++ b/.github/workflows/checkSkipPackagingInfo.yaml
@@ -22,6 +22,11 @@ jobs:
 outputs:
 isPackagingRequired: ${{ steps.getPackagingSkipStatus.outputs.isPackagingRequired }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 18858f8dc00..40ab849ea7f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,12 +37,17 @@ jobs:
 # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +58,7 @@ jobs:
 
 # ℹ️ Setup DotNet Versions to building C# projects
 - name: Setup DotNet Versions
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: |
 6.0.x
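Review bot: `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` freezes this workflow on the v3 major of checkout while the rest of the patch pins checkout at v4.3.1; runAsimSchemaAndDataTesters.yaml ends up with both checkout v3.6.0 and v4.3.1 and both setup-python v2.3.4 and v5.6.0 across its jobs, and solutionIntegration.yaml also pins setup-python v2.3.4. Pinning by SHA makes these old majors permanent, and to my knowledge the older majors of these actions run on Node runtimes GitHub has been deprecating, so such jobs can start failing for a reason unrelated to this change. A pinning pass is the natural moment to converge on one current major per action and then pin that SHA, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` as already used elsewhere in this patch. The job bodies these steps belong to continue outside the hunks.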
@@ -64,7 +69,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
 
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -78,4 +83,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
diff --git a/.github/workflows/content-validations.yaml b/.github/workflows/content-validations.yaml
index e8be222a40a..353b8662dcc 100644
--- a/.github/workflows/content-validations.yaml
+++ b/.github/workflows/content-validations.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
index 0aa38dbf804..18f6090f4f4 100644
--- a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
+++ b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
@@ -27,6 +27,11 @@ jobs:
 if: ${{ !github.event.pull_request.head.repo.fork }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
@@ -45,12 +50,12 @@ jobs:
 persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
 fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
 - name: Install python
- uses: actions/setup-python@v3
+ uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
 with:
 python-version: '3.x'
 architecture: 'x64'
 - name: Install yamale package
- uses: BSFishy/pip-action@v1
+ uses: step-security/pip-action@4eec757caa412aae0b24a95bd26e1a2f20805087 # v1.0.0
 with:
 packages: |
 yamale
@@ -84,14 +89,14 @@ jobs:
 echo "Arm templates were changed. Changes were committed"
 fi
 - name: Push changes
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 if: ${{ env.armTemplatesChanged == 'true' }}
 with:
 github_token: ${{ steps.generate_token.outputs.token }}
 repository: ${{github.event.pull_request.head.repo.full_name}}
 branch: ${{ github.head_ref }}
 - name: Add comment
- uses: mshick/add-pr-comment@v1
+ uses: step-security/add-pr-comment@7e5d2dd3955e34b109b939fa0b654ea502caf590 # v2.8.4
 if: ${{ env.armTemplatesChanged == 'true' }}
 with:
 message: |
diff --git a/.github/workflows/data-connector-validations.yaml b/.github/workflows/data-connector-validations.yaml
index ad1acdcd57c..60b5e076ae9 100644
--- a/.github/workflows/data-connector-validations.yaml
+++ b/.github/workflows/data-connector-validations.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 27c8f0b876e..a862f3361d7 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,11 +14,16 @@ jobs:
 dotnetSdkVersion: 3.1.401
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Need HEAD and parent for git diff
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: ${{ env.dotnetSdkVersion }}
 - name: Run Detection template structure validation tests
diff --git a/.github/workflows/detection-validations.yaml b/.github/workflows/detection-validations.yaml
index fde699c62c8..d3d9f95c609 100644
--- a/.github/workflows/detection-validations.yaml
+++ b/.github/workflows/detection-validations.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/documents-link-validation.yaml b/.github/workflows/documents-link-validation.yaml
index f5f3ed46224..4ba663f4ead 100644
--- a/.github/workflows/documents-link-validation.yaml
+++ b/.github/workflows/documents-link-validation.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/getSolutionName.yaml b/.github/workflows/getSolutionName.yaml
index 9bed68070ea..ff8ca15d7ec 100644
--- a/.github/workflows/getSolutionName.yaml
+++ b/.github/workflows/getSolutionName.yaml
@@ -17,6 +17,11 @@ jobs:
 outputs:
 sName: "${{ steps.getSolutionName.outputs.solutionName }}"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 2
diff --git a/.github/workflows/hyperlinkValidator.yaml b/.github/workflows/hyperlinkValidator.yaml
index 4fe751bba2f..26ca08c92a2 100644
--- a/.github/workflows/hyperlinkValidator.yaml
+++ b/.github/workflows/hyperlinkValidator.yaml
@@ -17,6 +17,11 @@ jobs:
 if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/json-syntax-validation.yaml b/.github/workflows/json-syntax-validation.yaml
index 8cbc34d7857..effefc95390 100644
--- a/.github/workflows/json-syntax-validation.yaml
+++ b/.github/workflows/json-syntax-validation.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/kql-validations.yaml b/.github/workflows/kql-validations.yaml
index d45e408ba20..3d7bd094d0a 100644
--- a/.github/workflows/kql-validations.yaml
+++ b/.github/workflows/kql-validations.yaml
@@ -14,11 +14,16 @@ jobs:
 dotnetSdkVersion: 6.0.x
 PRNUM: ${{ github.event.pull_request.number }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Need HEAD and parent for git diff
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: ${{ env.dotnetSdkVersion }}
 - name: Run KQL Validation tests
diff --git a/.github/workflows/logo-validation.yaml b/.github/workflows/logo-validation.yaml
index d56b9f811fb..0ffbb313050 100644
--- a/.github/workflows/logo-validation.yaml
+++ b/.github/workflows/logo-validation.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/neworexistingsolution.yaml b/.github/workflows/neworexistingsolution.yaml
index 735024c21a7..1821314370b 100644
--- a/.github/workflows/neworexistingsolution.yaml
+++ b/.github/workflows/neworexistingsolution.yaml
@@ -29,6 +29,11 @@ jobs:
 solutionOfferId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionOfferId }}"
 solutionPublisherId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionPublisherId }}"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 with:
 fetch-depth: 2
diff --git a/.github/workflows/non-ascii-validations.yaml b/.github/workflows/non-ascii-validations.yaml
index bea8a411e8f..bb237c6b26c 100644
--- a/.github/workflows/non-ascii-validations.yaml
+++ b/.github/workflows/non-ascii-validations.yaml
@@ -14,11 +14,16 @@ jobs:
 buildConfiguration: Release
 dotnetSdkVersion: 3.1.401
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Need HEAD and parent for git diff
 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
- uses: actions/setup-dotnet@v4
+ uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 with:
 dotnet-version: ${{ env.dotnetSdkVersion }}
 - name: Run Non-Ascii validation tests
diff --git a/.github/workflows/package-command.yaml b/.github/workflows/package-command.yaml
index 3f23189dee0..979a84db1d1 100644
--- a/.github/workflows/package-command.yaml
+++ b/.github/workflows/package-command.yaml
@@ -27,6 +27,11 @@ jobs:
 is-automated-pr: ${{ steps.checkAutomatedPR.outputs.isAutomatedPR }}
 package-created: ${{ steps.validateAndCreatePackage.outputs.isCreatePackage }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Validate inputs
 run: |
 if [ -z "${{ env.BRANCH_NAME }}" ]; then
diff --git a/.github/workflows/playbook-validations.yaml b/.github/workflows/playbook-validations.yaml
index cbdf7aad1ec..b5d07de8d56 100644
--- a/.github/workflows/playbook-validations.yaml
+++ b/.github/workflows/playbook-validations.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/pullRequestStatus.yaml b/.github/workflows/pullRequestStatus.yaml
index bfcd287bc52..22aab39b236 100644
--- a/.github/workflows/pullRequestStatus.yaml
+++ b/.github/workflows/pullRequestStatus.yaml
@@ -14,6 +14,11 @@ jobs:
 outputs:
 isPullRequestMerged: ${{ steps.getPullRequestStatus.outputs.isPullRequestMerged }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Get Pull Request Status
 shell: pwsh
 id: getPullRequestStatus
diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml
index 8bef88ff33c..634558f39c2 100644
--- a/.github/workflows/runAsimSchemaAndDataTesters.yaml
+++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml
@@ -43,6 +43,11 @@ jobs:
 outputs:
 approved: ${{ steps.check-approval.outputs.approved }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Check if PR needs approval
 id: check-approval
 run: |
@@ -195,8 +200,13 @@ jobs:
 if: needs.security-gate.outputs.approved == 'true'
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout pull request branch
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 ref: ${{github.event.pull_request.head.sha}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -216,7 +226,7 @@ jobs:
 exit 1
 fi
 - name: Set up Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: '3.x'
 - name: Install dependencies
@@ -246,8 +256,13 @@ jobs:
 id-token: write
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout pull request branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{github.event.pull_request.head.sha}}
 repository: ${{github.event.pull_request.head.repo.full_name}}
@@ -267,7 +282,7 @@ jobs:
 exit 1
 fi
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: '3.x'
 - name: Install dependencies
@@ -279,7 +294,7 @@ jobs:
 pip install azure-monitor-ingestion
 pip install azure-core
 - name: Login to Azure Public Cloud
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
 with:
 client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -307,8 +322,13 @@ jobs:
 id-token: write
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout pull request branch
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -316,7 +336,7 @@ jobs:
 fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
 
 - name: Login to Azure Public Cloud with AzPowershell
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
 with:
 client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -338,7 +358,7 @@ jobs:
 exit 1
 fi
 - name: Run ASIM Schema and Data tests PowerShell script
- uses: azure/powershell@v2
+ uses: azure/powershell@53dd145408794f7e80f97cfcca04155c85234709 # v2.0.0
 with:
 inlineScript: |
 $filePath = ".script/tests/asimParsersTest/runAsimTesters.ps1"
@@ -371,8 +391,13 @@ jobs:
 id-token: write
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout pull request branch
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -392,7 +417,7 @@ jobs:
 exit 1
 fi
 - name: Setup Python
- uses: actions/setup-python@v2
+ uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: '3.x'
 - name: Install dependencies
@@ -402,7 +427,7 @@ jobs:
 pip install azure-identity
 pip install azure-monitor-query
 - name: Login to Azure Public Cloud
- uses: azure/login@v2
+ uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
 with:
 client-id: ${{ secrets.AZURE_ASIM_CLIENT_ID }}
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
diff --git a/.github/workflows/sample-data-validation.yaml b/.github/workflows/sample-data-validation.yaml
index 6ce82b95f18..9682cec29cd 100644
--- a/.github/workflows/sample-data-validation.yaml
+++ b/.github/workflows/sample-data-validation.yaml
@@ -18,10 +18,15 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '20'
 cache: 'npm'
diff --git a/.github/workflows/slash-command-armttk.yaml b/.github/workflows/slash-command-armttk.yaml
index 6a9e01fb620..3181b17081f 100644
--- a/.github/workflows/slash-command-armttk.yaml
+++ b/.github/workflows/slash-command-armttk.yaml
@@ -19,9 +19,14 @@ jobs:
 mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
 createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Get PR details and validate
 id: get-pr
- uses: actions/github-script@v7
+ uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 const { data: pr } = await github.rest.pulls.get({
@@ -64,7 +69,7 @@ jobs:
 exit 1
 }
 
- - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+ - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0
 id: publishGithubPackage
 name: Run ARM-TTK
 if: ${{ steps.get-pr.outputs.is_fork == 'false' && success() && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}
diff --git a/.github/workflows/slash-command-dispatch.yaml b/.github/workflows/slash-command-dispatch.yaml
index f2162a8651a..7f66698ec3f 100644
--- a/.github/workflows/slash-command-dispatch.yaml
+++ b/.github/workflows/slash-command-dispatch.yaml
@@ -38,6 +38,11 @@ jobs:
 needs.pull-request-status.outputs.isPullRequestMerged == 'False' &&
 !github.event.pull_request.head.repo.fork
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate GitHub App token
 id: generate_token
 uses: actions/create-github-app-token@333678481b1f02ee31fa1443aba4f1f7cb5b08b5 # v2.0.0
diff --git a/.github/workflows/solution-validations.yaml b/.github/workflows/solution-validations.yaml
index 271fd94c7f0..7e1b4ef9ced 100644
--- a/.github/workflows/solution-validations.yaml
+++ b/.github/workflows/solution-validations.yaml
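Review bot: In the `@@ -64,7 +69,7 @@` hunk of slash-command-armttk.yaml, replacing `docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0` with `step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0` changes the publisher of the action, not just its version: the old line was already pinned to a full commit SHA, so the swap gains nothing for pinning and instead moves trust from Docker's upstream repository to a third-party fork maintained by the vendor whose bot authored this commit. That is a supply-chain decision the maintainers should make deliberately, after reviewing the fork's provenance and what it changes on top of upstream, rather than accept as a "best practice" patch. If the intent is only to move off v6.9.0, bump the upstream action and pin that commit, `uses: docker/build-push-action@<sha> # v6.18.0`, leaving the `id: publishGithubPackage` step otherwise unchanged. The step's existing `if:` gate on `is_fork == 'false'` is the right guard for a step that appears to publish a package and should be kept regardless.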
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/solutionIntegration.yaml b/.github/workflows/solutionIntegration.yaml
index 225a505dcfc..2de8acf7577 100644
--- a/.github/workflows/solutionIntegration.yaml
+++ b/.github/workflows/solutionIntegration.yaml
@@ -19,8 +19,13 @@ jobs:
 name: Solution Integration Testing - Testim.io
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout pull request branch
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
@@ -64,7 +69,7 @@ jobs:
 "https://dev.azure.com/msazure/One/_apis/git/repositories/Sentinel-CATUtilities/items?path=/SolutionIntegrationTesting/config.json&api-version=6.0"
 
 - name: Setup Python Environment
- uses: actions/setup-python@v2
+ uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: '3.x'
 
diff --git a/.github/workflows/validateClassicAppInsights.yaml b/.github/workflows/validateClassicAppInsights.yaml
index 99de47bcc91..d6b6eff8154 100644
--- a/.github/workflows/validateClassicAppInsights.yaml
+++ b/.github/workflows/validateClassicAppInsights.yaml
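Review bot: In the solutionIntegration.yaml hunk `@@ -19,8 +19,13 @@`, the checkout is pinned to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` while the solution-validations hunk just above moves the same action to `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`, so the patch leaves the repository on two majors of one action and the v3 pin will need redoing. Pin this step to the same v4.3.1 SHA used elsewhere. Note also that this step checks out `ref: ${{ github.event.pull_request.head.ref }}` from `head.repo.full_name`, i.e. a branch name rather than a commit, which resolves to whatever the branch points at when the job runs rather than the reviewed commit; the earlier hunks in this patch use `ref: ${{ github.event.pull_request.head.sha }}`, and this workflow should probably match (its trigger is outside the hunk, so confirm before changing). The `audit` egress policy is only a first step here; once the Testim.io endpoints the job calls are known, a block policy would actually constrain the job.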
@@ -22,6 +22,11 @@ jobs:
 if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/validateFieldTypes.yaml b/.github/workflows/validateFieldTypes.yaml
index 59f5a03c241..52ab99c66bc 100644
--- a/.github/workflows/validateFieldTypes.yaml
+++ b/.github/workflows/validateFieldTypes.yaml
@@ -21,6 +21,11 @@ jobs:
 if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Generate a token
 id: generate_token
 uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/validateVersionChangedInDetections.yml b/.github/workflows/validateVersionChangedInDetections.yml
index 6e2beb51002..97c23f1bb81 100644
--- a/.github/workflows/validateVersionChangedInDetections.yml
+++ b/.github/workflows/validateVersionChangedInDetections.yml
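Review bot: The `uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9` line that the new harden-runner step is inserted above carries no `# vX.Y.Z` comment, unlike every pin this commit adds and unlike the `# v2.0.0` the same action has in the slash-command-dispatch.yaml hunk, so a reader cannot tell which release the SHA is, and tooling that bumps pinned actions by their version comment will skip it. Add the matching comment once the tag the SHA belongs to has been confirmed, `uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9 # <release>`; the same line appears in the validateFieldTypes.yaml hunk below. Since the step that follows mints an App installation token, `egress-policy: audit` here gives visibility only; a block policy allowing the GitHub API host is what would actually limit where that token can be sent.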
@@ -19,7 +19,12 @@ jobs:
 # check out and run the script
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v1
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
 - name: Check that template version was updated
 run: bash .script/checkThatTemplatesVersionWasChanged.sh
diff --git a/.github/workflows/workbook-metadata-validations.yaml b/.github/workflows/workbook-metadata-validations.yaml
index 22e81f122f6..f6ce33f8ff2 100644
--- a/.github/workflows/workbook-metadata-validations.yaml
+++ b/.github/workflows/workbook-metadata-validations.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/workbook-template-validations.yaml b/.github/workflows/workbook-template-validations.yaml
index 04536ec962c..f293197102d 100644
--- a/.github/workflows/workbook-template-validations.yaml
+++ b/.github/workflows/workbook-template-validations.yaml
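Review bot: The harden-runner step is inserted directly under the comment `# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it`, so that comment now describes the wrong step; move it down to sit immediately above `- uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0`, or drop it. Separately, v1.2.0 is the very first major of the checkout action, while this same patch pins the workbook-metadata-validations hunk just below to v4.3.1; a SHA pin of an abandoned major is not much of an improvement, so pin a current release here too, `uses: actions/checkout@<sha> # v4.3.1`, since the job then runs `bash .script/checkThatTemplatesVersionWasChanged.sh` from that checkout. The rest of the hunk's `egress-policy: audit` step is fine as a first baseline.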
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v
diff --git a/.github/workflows/yaml-syntax-validation.yaml b/.github/workflows/yaml-syntax-validation.yaml
index 364f8a279b7..7a9eb68bf81 100644
--- a/.github/workflows/yaml-syntax-validation.yaml
+++ b/.github/workflows/yaml-syntax-validation.yaml
@@ -18,7 +18,12 @@ jobs:
 GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 2 # Only need HEAD and parent for git diff
 - run: npm install -g npm@6.14.18;which npm;npm -v