From 4597e1d34fa932ffe95972af1c256582954564eb Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 03:50:46 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
.github/workflows/cicd.yml | 45 ++++++++++++++++++---------
.github/workflows/codeql-analysis.yml | 15 ++++++---
2 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 46b75d5e..b2d24fdd 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -15,13 +15,18 @@ jobs: name: Lint runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 with: go-version: 1.21 - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Install depdendencies run: |
@@ -36,13 +41,18 @@ jobs: name: Unit Test runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 with: go-version: 1.21 - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Install depdendencies run: |
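Review bot: The `egress-policy: audit` on the new `Harden the runner` step only records outbound calls and blocks nothing, so the Lint job gains visibility from this hunk but no actual protection. Once a few audit runs have produced a stable endpoint list, switch the step to `egress-policy: block` and add `allowed-endpoints: >-` with the hosts taken from that report (`<HOSTS_FROM_AUDIT_REPORT>:443` as a placeholder), and do the same for the identical step added in the Unit Test hunk below, the Build job hunk at @@ -90 and the CodeQL hunk at @@ -37. The pinned SHAs for `actions/setup-go` (v2.2.0) and `actions/checkout` (v2.7.0) freeze the workflow on majors that are several releases behind, and nothing here keeps the SHA and the `# vX.Y.Z` comment in step, so pair the pins with a Dependabot or Renovate `github-actions` update config so both move together. The `jobs:` mapping these steps belong to starts before the hunk.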
@@ -57,7 +67,7 @@ jobs: # ToDo: generate/merge coverage for tests in /cmd directory - name: Generate coverage report - uses: irongut/CodeCoverageSummary@v1.3.0 + uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0 with: filename: cobertura-coverage.xml badge: true
@@ -69,14 +79,14 @@ jobs: thresholds: '50 85' - name: Add coverage PR comment - uses: marocchino/sticky-pull-request-comment@v2 + uses: step-security/sticky-pull-request-comment@d6ddd35ce6ef8c21e2a3b4697cfcc2def0c8a71c # v2.9.4 if: github.event_name == 'pull_request' with: recreate: true path: code-coverage-results.md - name: Upload coverage as artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 if: always() with: name: code-coverage
@@ -90,13 +100,18 @@ jobs: name: Build runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Set up Go 1.x - uses: actions/setup-go@v2 + uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 with: go-version: 1.21 - name: Check out code into the Go module directory - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Get dependencies run: |
@@ -168,7 +183,7 @@ jobs: - name: Create Release if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAG_VERSION: "${{ steps.vars.outputs.version }}"
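Review bot: The SHA pin on `irongut/CodeCoverageSummary` in the `Generate coverage report` step may not pin the code that actually runs: as far as I recall this is a container action whose action.yml points at a prebuilt image by a mutable tag, in which case the commit SHA fixes only the metadata while the image can still change under the same tag. Verify what its action.yml references at the pinned commit; if it is a registry image tag, either accept that this pin is weaker than the others and say so next to the `uses:` line, e.g. `# NOTE: container action - the repo SHA does not pin the image it pulls`, or replace the step with one that runs from source. The job this step belongs to starts before the hunk.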
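Review bot: The `Add coverage PR comment` hunk does more than pin: the step now runs `step-security/sticky-pull-request-comment` instead of `marocchino/sticky-pull-request-comment`, so the publisher of code that posts comments on the pull request changes, and the `# v2.9.4` comment refers to the fork's tagging, which need not match upstream's. If the switch is intended, record why next to the `uses:` line, e.g. `# fork of marocchino/sticky-pull-request-comment, see <ISSUE_OR_PR_REFERENCE>`; otherwise pin the original repository's v2 release SHA instead. Separately, the `Upload coverage as artifacts` pin resolves to `actions/upload-artifact` v2.3.1, and as I understand it GitHub has since retired the v1–v3 artifact actions, so this step is likely to fail outright regardless of the SHA; move to a supported major first, then pin. The job these steps belong to starts before the hunk.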
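Review bot: The `Create Release` step is now pinned to `actions/create-release` v1.1.4, but that repository is archived upstream as far as I know, so the pin freezes code that will receive no further fixes rather than buying the usual benefit of a SHA pin; the same applies to the `actions/upload-release-asset` pins in the hunks at @@ -181, @@ -195, @@ -209, @@ -231 and @@ -245. A maintained alternative is the `gh release create` / `gh release upload` CLI that ships on the `ubuntu-latest` image, driven by the same `GITHUB_TOKEN`, which would also let the five upload steps collapse into one. Nothing in this diff sets a top-level `permissions:` block; if the workflow relies on the default token scope, add `permissions:` / `contents: read` at the top of the file and grant `contents: write` only to the job that runs this release step. The job containing `Create Release` starts before the hunk.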
@@ -181,7 +196,7 @@ jobs: - name: Upload astraconnector yaml if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: upload-astraconnector-yaml - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FILE_PATH: "./build/astra_v1_astraconnector.yaml"
@@ -195,7 +210,7 @@ jobs: - name: Upload default-image manifest if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: upload-manifest - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FILE_PATH: ${{ env.MANIFEST_FILEPATH }}
@@ -209,7 +224,7 @@ jobs: - name: Upload astraconnector_operator.yaml if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: upload-astraconnector-operator-yaml - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FILE_PATH: "./build/astraconnector_operator.yaml"
@@ -231,7 +246,7 @@ jobs: - name: Upload astra-unified-installer.sh if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: upload-install-script - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FILE_PATH: "./build/astra-unified-installer.sh"
@@ -245,7 +260,7 @@ jobs: - name: Upload example env file if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-') }} id: upload-example-install-env - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} FILE_PATH: "./unified-installer/install-example-config.env"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f4aa80c5..375d0635 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,17 +37,22 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set Go version - uses: actions/setup-go@v5 + uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0 with: go-version: '1.22' # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl
@@ -72,4 +77,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1