[StepSecurity] Apply security best practices

.github/workflows/AddLabel.yaml

@@ -31,6 +31,11 @@ jobs:
     needs: solutionPublisherDetail
     if: ${{ github.actor != 'dependabot[bot]' && needs.solutionPublisherDetail.outputs.solutionPublisherId != '' && !contains(fromJson(vars.INTERNAL_PUBLISHERS),needs.solutionPublisherDetail.outputs.solutionPublisherId) }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

.github/workflows/IssueComment.yml

@@ -14,6 +14,11 @@ jobs:
     permissions:
       issues: write
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      with:
+        egress-policy: audit
+
     - name: Generate a token
       id: generate_token
       uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

.github/workflows/ScanSecrets.yaml

@@ -7,11 +7,16 @@ jobs:
   Scan_Secrets_in_commit:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      with:
+        egress-policy: audit
+
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       with:
         fetch-depth: 10
     - name: Secret Scanning
-      uses: trufflesecurity/trufflehog@main
+      uses: trufflesecurity/trufflehog@6171fa9f6676edf21e15bba41f049b18399d7372 # main
       with:
         extra_args: --exclude-paths=.script/SecretScanning/Excludepathlist --only-verified

.github/workflows/addComment.yaml

@@ -18,6 +18,11 @@ jobs:
   comment:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

.github/workflows/addCommentOnPackagedPR.yaml

@@ -16,6 +16,11 @@ jobs:
       pull-requests: write
       contents: write
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      with:
+        egress-policy: audit
+
     - uses: actions/github-script@29423367f079522048aa7c63f671593b0556ffd5
       id: addComment
       with:

.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml

@@ -13,8 +13,13 @@ jobs:
     outputs:
       hasAutoDetectionComment: ${{ steps.job1.outputs.hasAutoDetectionComment }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: step-security/find-comment@1d7bf2a0c1b6802305aa3cf2e7c0e47568915caf # v4.0.0
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/addLabelOnPr.yaml

@@ -16,6 +16,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

.github/workflows/allowedWorkflowRun.yaml

@@ -18,6 +18,11 @@ jobs:
     outputs:
       isWorkflowRunAllowed: ${{ steps.getWorkflowRunAllowedStatus.outputs.isWorkflowRunAllowed }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Is Current User Allowed
         shell: pwsh
         id: getWorkflowRunAllowedStatus

.github/workflows/arm-ttk-validations.yaml

@@ -18,6 +18,11 @@ jobs:
       mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }}
       createUiChanged: ${{ steps.step1.outputs.createUiChanged }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 10
@@ -35,7 +40,7 @@ jobs:
             exit 1
           }
 
-      - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+      - uses: step-security/docker-build-push-action@a8c3d08b23f8be6aeed43eb1a14ce6fe51284438 # v6.18.0
         id: publishGithubPackage
         name: Run ARM-TTK
         if: ${{ success() && steps.step1.outputs.solutionName != '' && (steps.step1.outputs.mainTemplateChanged == 'true' || steps.step1.outputs.createUiChanged == 'true') }}

.github/workflows/aws-s3-bundle-update.yaml

@@ -31,15 +31,20 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
         with:
           app-id: ${{ secrets.APPLICATION_ID }}
           private-key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
 
       - name: Checkout PR branch with sparse checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           token: ${{ steps.generate_token.outputs.token }}
           ref: ${{ github.event.pull_request.head.ref }}

.github/workflows/checkAutomatedPR.yaml

@@ -16,6 +16,11 @@ jobs:
     outputs:
       isAutomatedPR: ${{ steps.ValidateAutomatedPR.outputs.isAutomatedPR }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - shell: pwsh
         id: ValidateAutomatedPR
         run: |

.github/workflows/checkPRContentChange.yaml

@@ -26,6 +26,11 @@ jobs:
     outputs:
       hasContentPackageChange: ${{ steps.changesInPR.outputs.hasContentPackageChange }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

.github/workflows/checkSkipPackagingInfo.yaml

@@ -22,6 +22,11 @@ jobs:
     outputs:
       isPackagingRequired: ${{ steps.getPackagingSkipStatus.outputs.isPackagingRequired }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

.github/workflows/codeql-analysis.yml

@@ -37,12 +37,17 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +58,7 @@ jobs:
 
     # ℹ️ Setup DotNet Versions to building C# projects
     - name: Setup DotNet Versions
-      uses: actions/setup-dotnet@v5
+      uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
       with:
         dotnet-version: | 
           6.0.x
@@ -64,7 +69,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -78,4 +83,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1

.github/workflows/content-validations.yaml

@@ -18,7 +18,12 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml

@@ -27,6 +27,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
@@ -45,12 +50,12 @@ jobs:
             persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token.
             fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
       - name: Install python
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
         with:
             python-version: '3.x'
             architecture: 'x64'
       - name: Install yamale package
-        uses: BSFishy/pip-action@v1
+        uses: step-security/pip-action@4eec757caa412aae0b24a95bd26e1a2f20805087 # v1.0.0
         with:
             packages: |
                 yamale
@@ -84,14 +89,14 @@ jobs:
             echo "Arm templates were changed. Changes were committed"
           fi
       - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         if: ${{ env.armTemplatesChanged == 'true' }}
         with:
             github_token: ${{ steps.generate_token.outputs.token }}
             repository: ${{github.event.pull_request.head.repo.full_name}}
             branch: ${{ github.head_ref }}
       - name: Add comment
-        uses: mshick/add-pr-comment@v1
+        uses: step-security/add-pr-comment@7e5d2dd3955e34b109b939fa0b654ea502caf590 # v2.8.4
         if: ${{ env.armTemplatesChanged == 'true' }}
         with:
           message: |

.github/workflows/data-connector-validations.yaml

@@ -18,7 +18,12 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/detection-template-schema-validations.yaml

@@ -14,11 +14,16 @@ jobs:
         dotnetSdkVersion: 3.1.401
         PRNUM: ${{ github.event.pull_request.number }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Need HEAD and parent for git diff
       - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }}
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
         with:
           dotnet-version: ${{ env.dotnetSdkVersion }}
       - name: Run Detection template structure validation tests

.github/workflows/detection-validations.yaml

@@ -18,7 +18,12 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/documents-link-validation.yaml

@@ -18,7 +18,12 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v

.github/workflows/getSolutionName.yaml

@@ -17,6 +17,11 @@ jobs:
     outputs:
       sName: "${{ steps.getSolutionName.outputs.solutionName }}"
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
         with:
           fetch-depth: 2

.github/workflows/hyperlinkValidator.yaml

@@ -17,6 +17,11 @@ jobs:
     if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Generate a token
         id: generate_token
         uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9

.github/workflows/json-syntax-validation.yaml

@@ -18,7 +18,12 @@ jobs:
         GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }}
         SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }}
       steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 2  # Only need HEAD and parent for git diff
       - run: npm install -g npm@6.14.18;which npm;npm -v