From 0aabbc83e2f6be25a1c1aa04723bef02233ddcae Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Thu, 30 Oct 2025 17:39:28 +0000 Subject: [PATCH 1/9] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/actions-lint.yaml | 5 +++++ .github/workflows/attach-release-assets.yaml | 5 +++++ .github/workflows/conventional-commit-release.yaml | 10 ++++++++++ .github/workflows/pr-scan.yaml | 5 +++++ 4 files changed, 25 insertions(+) diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml index 059129c..96821ab 100644 --- a/.github/workflows/actions-lint.yaml +++ b/.github/workflows/actions-lint.yaml @@ -23,6 +23,11 @@ jobs: lint_validate_actions: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Checkout Actoinlint Configs diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml index fde84bf..ac93eb1 100644 --- a/.github/workflows/attach-release-assets.yaml +++ b/.github/workflows/attach-release-assets.yaml @@ -65,6 +65,11 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Download all build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 if: inputs.artifact_file_globs != '' diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml index 975d282..bc2735c 100644 
--- a/.github/workflows/conventional-commit-release.yaml +++ b/.github/workflows/conventional-commit-release.yaml @@ -110,6 +110,11 @@ jobs: if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Calculate Fetch Depth if: inputs.lint_commits id: fetch-depth @@ -195,6 +200,11 @@ jobs: major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }} major_tag: ${{ steps.additional_tags.outputs.major_tag }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Merge default and user input changelog types diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml index d7079b4..ca78d6f 100644 --- a/.github/workflows/pr-scan.yaml +++ b/.github/workflows/pr-scan.yaml @@ -44,6 +44,11 @@ jobs: scan: runs-on: ${{ inputs.runs-on }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Setup shell: bash run: |- From 830a0efc363595e18118f1594d7584f43bef8f53 Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:24:18 -0500 Subject: [PATCH 2/9] Update harden-runner egress-policy from audit to block --- .github/workflows/actions-lint.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml index 96821ab..e40d085 100644 --- a/.github/workflows/actions-lint.yaml +++ b/.github/workflows/actions-lint.yaml 
@@ -23,10 +23,11 @@ jobs: lint_validate_actions: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 From 8276ef5be5f81bbe8350fbbd6ff0193787837e0e Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:24:20 -0500 Subject: [PATCH 3/9] Update harden-runner egress-policy from audit to block --- .github/workflows/attach-release-assets.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml index ac93eb1..59fcc22 100644 --- a/.github/workflows/attach-release-assets.yaml +++ b/.github/workflows/attach-release-assets.yaml @@ -65,10 +65,11 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Download all build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 From 3ebb8b404de09bdb7a7124548c71f5ec159ea23d Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:24:22 -0500 Subject: [PATCH 4/9] Update harden-runner egress-policy from audit to block --- .github/workflows/conventional-commit-release.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml index bc2735c..1ab4ad7 100644 
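Review bot: The allow-list that `egress-policy: block` now enforces for `lint_validate_actions` is the dashboard-managed `global-allowed-endpoints-policy`, not anything in this repository, so the set of hosts the job may reach is invisible to whoever reviews this workflow and can change without a commit here. This job's egress needs look small (the `actions/checkout` step is the only consumer visible in the hunk), so consider pinning them inline with `allowed-endpoints:` using the hosts the audit runs recorded, or at minimum add `# egress allow-list is managed in the StepSecurity policy store, not in this repo` above `policy:` so the indirection is explicit to readers. It is also worth confirming what harden-runner does when a named policy is set together with an inline `egress-policy` (which one wins), and how the name is resolved when this file is used as a reusable workflow from a repository whose StepSecurity account has no policy of that name; I cannot tell from the hunk whether block mode then falls back or fails the step.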
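Review bot: Moving `release_attach_assets` to block mode makes the release path depend on `global-allowed-endpoints-policy` already containing every host the `actions/download-artifact` step and the asset-upload steps that follow (outside this hunk) talk to; if that list was built from audit data of the lint jobs, the first push to the default branch after this merges is where it fails, and no assets are attached. Confirm against audit-mode insights for this specific job before enabling block, and record that, e.g. `# allow-list verified against audit runs of this job` next to `policy:`. Since the same named policy is reused verbatim by all four workflows, one global list is either broader than the lint jobs need or narrower than the release job needs; a per-job `allowed-endpoints:` would make that difference reviewable.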
--- a/.github/workflows/conventional-commit-release.yaml +++ b/.github/workflows/conventional-commit-release.yaml @@ -110,10 +110,11 @@ jobs: if: github.event_name == 'pull_request' runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Calculate Fetch Depth if: inputs.lint_commits @@ -200,10 +201,11 @@ jobs: major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }} major_tag: ${{ steps.additional_tags.outputs.major_tag }} steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 From 69ea0329c39b217745901dc0c4cd57df09561045 Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:24:23 -0500 Subject: [PATCH 5/9] Update harden-runner egress-policy from audit to block --- .github/workflows/pr-scan.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml index ca78d6f..55e388b 100644 --- a/.github/workflows/pr-scan.yaml +++ b/.github/workflows/pr-scan.yaml @@ -44,10 +44,11 @@ jobs: scan: runs-on: ${{ inputs.runs-on }} steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Setup shell: bash From 5a56cf890671ce62957bc0d487e0325ce9104220 Mon Sep 17 00:00:00 2001 
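Review bot: This job runs on `${{ inputs.runs-on }}`, a caller-supplied label, while harden-runner's egress enforcement is documented for GitHub-hosted Ubuntu runners (self-hosted support is a separate tier) — on a Windows, macOS or unsupported self-hosted label the step will presumably fail or not enforce, and with `egress-policy: block` a failure now stops the scan rather than just logging. Either constrain the input (document the accepted values and default it to `ubuntu-latest`) or guard the step, e.g. `if: startsWith(inputs.runs-on, 'ubuntu')`, and state the limitation in the input's description. The `on.workflow_call.inputs.runs-on` definition is outside this hunk, so I cannot see what it currently allows.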
From: Ali Kafel Date: Tue, 4 Nov 2025 12:46:13 -0500 Subject: [PATCH 6/9] Update harden-runner: egress-policy to block and add id-token permission --- .github/workflows/actions-lint.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml index e40d085..cefaef3 100644 --- a/.github/workflows/actions-lint.yaml +++ b/.github/workflows/actions-lint.yaml @@ -22,6 +22,9 @@ on: jobs: lint_validate_actions: runs-on: ubuntu-latest + permissions: + id-token: write + steps: - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 From 691890a9ee67b4b821975f3a73e6ef49f1be2655 Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:46:14 -0500 Subject: [PATCH 7/9] Update harden-runner: egress-policy to block and add id-token permission --- .github/workflows/attach-release-assets.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml index 59fcc22..696459d 100644 --- a/.github/workflows/attach-release-assets.yaml +++ b/.github/workflows/attach-release-assets.yaml @@ -64,6 +64,9 @@ jobs: release_attach_assets: runs-on: ubuntu-latest if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref + permissions: + id-token: write + steps: - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 From dfb55b108b8730c320b4103fc8358b30338ec434 Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:46:16 -0500 Subject: [PATCH 8/9] Update harden-runner: egress-policy to block and add id-token permission --- .github/workflows/conventional-commit-release.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml index 1ab4ad7..26589ec 100644 
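Review bot: A job-level `permissions` block that lists only `id-token: write` sets every other GITHUB_TOKEN scope for `lint_validate_actions` to `none`, including `contents`, so the `actions/checkout` step that follows loses read access to the repository; private-repo callers will fail to clone, and public repos may only keep working because an unauthenticated clone succeeds. If the OIDC token is what harden-runner needs to fetch the named policy, list the scopes the job actually uses next to it: `permissions:` / `id-token: write` / `contents: read`. A comment such as `# id-token: write lets harden-runner resolve the named policy; every step in this job can now request an OIDC token` would also record why a lint job is allowed to mint OIDC tokens at all, which is a new capability for any third-party step in the job.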
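Review bot: The same `permissions: id-token: write` block on `release_attach_assets` drops `contents` to `none` for the GITHUB_TOKEN, and this job exists to attach files to a release, which needs `contents: write`; unless the upload step (outside this hunk) uses a separately provisioned token, the release will fail on the next default-branch push. Declare the scope the job needs explicitly, `contents: write` under `id-token: write`, rather than relying on the caller's workflow-level grant, which a job-level block replaces. Because this is a reusable workflow, the caller must also pass `contents: write` — a job cannot exceed what the caller granted — so the required caller permissions are worth stating in the workflow's header comment.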
--- a/.github/workflows/conventional-commit-release.yaml +++ b/.github/workflows/conventional-commit-release.yaml @@ -109,6 +109,9 @@ jobs: name: PR Title and Commits Lint if: github.event_name == 'pull_request' runs-on: ubuntu-latest + permissions: + id-token: write + steps: - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 @@ -200,6 +203,9 @@ jobs: additional_tags: ${{ steps.additional_tags.outputs.tags }} major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }} major_tag: ${{ steps.additional_tags.outputs.major_tag }} + permissions: + id-token: write + steps: - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 From cd8f9073a4d21eeb5bb5eb9149b55246230cae17 Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Tue, 4 Nov 2025 12:46:18 -0500 Subject: [PATCH 9/9] Update harden-runner: egress-policy to block and add id-token permission --- .github/workflows/pr-scan.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml index 55e388b..fcaf2c3 100644 --- a/.github/workflows/pr-scan.yaml +++ b/.github/workflows/pr-scan.yaml @@ -43,6 +43,9 @@ on: jobs: scan: runs-on: ${{ inputs.runs-on }} + permissions: + id-token: write + steps: - name: Harden the runner uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
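Review bot: Adding `permissions: id-token: write` to the job that emits `additional_tags`, `major_minor_tag` and `major_tag` sets `contents` to `none` for its GITHUB_TOKEN, and a job that computes release tags presumably pushes them or creates the release (the steps doing so are outside this hunk); if they use the GITHUB_TOKEN, tagging now fails. Add the scope explicitly, `contents: write` beneath `id-token: write`, and `contents: read` on the `PR Title and Commits Lint` job in the first hunk, whose `actions/checkout` likewise loses repository read access. A short `# required by harden-runner's named policy; other scopes listed explicitly because a job-level block resets unlisted scopes to none` above the block would keep the next maintainer from trimming it back.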
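Review bot: The job-level `permissions: id-token: write` on `scan` resets every unlisted GITHUB_TOKEN scope to `none`, so whatever the scan steps after the `Setup` step do with the token — checkout needs `contents: read`, SARIF upload would need `security-events: write`, a PR comment `pull-requests: write` — now fails unless those scopes are listed; the steps themselves are outside this hunk so I cannot tell which apply. Enumerate the scopes this job actually uses under the same block, e.g. `id-token: write` / `contents: read`, and add a one-line comment explaining that `id-token: write` is there for harden-runner's named policy so it is not mistaken for a cloud-federation grant. As with the other workflows, callers of this reusable workflow must grant at least the same scopes.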