From 3b8d21115128f94cea92a3ecc81e2358a4c089be Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 4 Nov 2025 18:43:01 +0000
Subject: [PATCH 1/9] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/actions-lint.yaml | 5 +++++
 .github/workflows/attach-release-assets.yaml | 5 +++++
 .github/workflows/conventional-commit-release.yaml | 10 ++++++++++
 .github/workflows/pr-scan.yaml | 5 +++++
 4 files changed, 25 insertions(+)
diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index 059129c..96821ab 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
@@ -23,6 +23,11 @@ jobs:
 lint_validate_actions:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - name: Checkout Actoinlint Configs
diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
index fde84bf..ac93eb1 100644
--- a/.github/workflows/attach-release-assets.yaml
+++ b/.github/workflows/attach-release-assets.yaml
@@ -65,6 +65,11 @@ jobs:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Download all build artifacts
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 if: inputs.artifact_file_globs != ''
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index 975d282..bc2735c 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -110,6 +110,11 @@ jobs:
 if: github.event_name == 'pull_request'
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Calculate Fetch Depth
 if: inputs.lint_commits
 id: fetch-depth
@@ -195,6 +200,11 @@ jobs:
 major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
 major_tag: ${{ steps.additional_tags.outputs.major_tag }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - name: Merge default and user input changelog types
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index d7079b4..ca78d6f 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -44,6 +44,11 @@ jobs:
 scan:
 runs-on: ${{ inputs.runs-on }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
 - name: Setup
 shell: bash
 run: |-
From 041e4f89f6cea0cfc3b78ad60ffd92ddbaad06f6 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:31 -0500
Subject: [PATCH 2/9] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/actions-lint.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index 96821ab..cefaef3 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
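Review bot: In the pr-scan hunk the new harden-runner step runs under `runs-on: ${{ inputs.runs-on }}`, so the runner environment is chosen by the caller of this reusable workflow, while harden-runner supports only a limited set of runner environments (GitHub-hosted Ubuntu and certain self-hosted setups, as far as I know); a caller passing a macOS, Windows or unsupported self-hosted label presumably gets a step that is skipped or fails rather than an audited job. The same applies to the pr-scan hunk of patch 5/9, where this step is switched to `egress-policy: block` and a silent no-op would be mistaken for enforcement. Consider documenting the constraint on the `runs-on` input, or gating the step with `if: runner.os == 'Linux'` so the limitation is explicit in the workflow. The `scan` job body continues outside the hunk.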
@@ -22,11 +22,15 @@ on:
 jobs:
 lint_validate_actions:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
From 917b3cdd10d531368e6458e71838be5e5d4f704d Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:33 -0500
Subject: [PATCH 3/9] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/attach-release-assets.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
index ac93eb1..696459d 100644
--- a/.github/workflows/attach-release-assets.yaml
+++ b/.github/workflows/attach-release-assets.yaml
@@ -64,11 +64,15 @@ jobs:
 release_attach_assets:
 runs-on: ubuntu-latest
 if: github.event_name == 'push' && format('refs/heads/{0}', github.event.repository.default_branch) == github.ref
+ permissions:
+ id-token: write
+
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - name: Download all build artifacts
 uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
From 5fc84ad0a617c1bf2aea6906a2ce9939f97a1e74 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:35 -0500
Subject: [PATCH 4/9] Update harden-runner: egress-policy to block and add id-token permission
---
 .../workflows/conventional-commit-release.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
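Review bot: The job-level `permissions:` block added to `lint_validate_actions` lists only `id-token: write`, and a job-level permissions block replaces the job's whole default token scope, so every other scope for this job is now `none`; the same defect is in `release_attach_assets` in the next hunk and in the jobs changed by patches 4/9 and 5/9. Any later step that depends on `GITHUB_TOKEN` — checkout of a private repository, or, in `release_attach_assets`, attaching assets to a release — will presumably be denied now; list the scopes each job actually needs next to `id-token: write`, e.g. `contents: read` for the lint job and, if the release step uses the workflow token, `contents: write` for the release job. These look like reusable workflows (the `inputs.*` references), so callers must also grant `id-token: write` in their own `permissions`, because a called workflow can only narrow what the caller passes; that requirement is worth stating in a comment above the block. The rest of each job body is outside the hunk.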
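Review bot: With `egress-policy: block` and `policy: global-allowed-endpoints-policy` in the `release_attach_assets` hunk, the effective egress allowlist appears to be an object managed outside this repository, so a reviewer cannot tell from the workflow which hosts the release job may reach, and a later change to that policy would not pass through this repository's review; the release and artifact-download steps that follow will fail if their endpoints are not on that list. If the allowlist is small, consider declaring it in-file with harden-runner's `allowed-endpoints` input so it is versioned with the workflow; otherwise add a comment such as `# Egress allowlist is defined by the external policy named below; changes to it are not tracked in this repository` above the `policy:` line. The same remark applies to the preceding `lint_validate_actions` hunk and to the hunks of patches 4/9 and 5/9. The steps that would be affected are outside the hunk.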
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index bc2735c..26589ec 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -109,11 +109,15 @@ jobs:
 name: PR Title and Commits Lint
 if: github.event_name == 'pull_request'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - name: Calculate Fetch Depth
 if: inputs.lint_commits
@@ -199,11 +203,15 @@ jobs:
 additional_tags: ${{ steps.additional_tags.outputs.tags }}
 major_minor_tag: ${{ steps.additional_tags.outputs.major_minor_tag }}
 major_tag: ${{ steps.additional_tags.outputs.major_tag }}
+ permissions:
+ id-token: write
+
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
From df580c696830fad152651ad919054b89a9f59b66 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:36 -0500
Subject: [PATCH 5/9] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/pr-scan.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index ca78d6f..fcaf2c3 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -43,11 +43,15 @@ on:
 jobs:
 scan:
 runs-on: ${{ inputs.runs-on }}
+ permissions:
+ id-token: write
+
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - name: Setup
 shell: bash
From 279d04342aaf197276bc9464a2c06605215ed45d Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:15 -0500
Subject: [PATCH 6/9] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission
---
 .github/workflows/actions-lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/actions-lint.yaml b/.github/workflows/actions-lint.yaml
index cefaef3..4642579 100644
--- a/.github/workflows/actions-lint.yaml
+++ b/.github/workflows/actions-lint.yaml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: block
 policy: global-allowed-endpoints-policy
From 82a6b3026e70a77ff53649b04d09aac6b843f14b Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:16 -0500
Subject: [PATCH 7/9] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission
---
 .github/workflows/attach-release-assets.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/attach-release-assets.yaml b/.github/workflows/attach-release-assets.yaml
index 696459d..2e3f29d 100644
--- a/.github/workflows/attach-release-assets.yaml
+++ b/.github/workflows/attach-release-assets.yaml
@@ -69,7 +69,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: block
 policy: global-allowed-endpoints-policy
From 432a5c9f876c1a05ae91745df29a2fa291c2d227 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:18 -0500
Subject: [PATCH 8/9] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission
---
 .github/workflows/conventional-commit-release.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/conventional-commit-release.yaml b/.github/workflows/conventional-commit-release.yaml
index 26589ec..ccbc2d2 100644
--- a/.github/workflows/conventional-commit-release.yaml
+++ b/.github/workflows/conventional-commit-release.yaml
@@ -114,7 +114,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: block
 policy: global-allowed-endpoints-policy
@@ -208,7 +208,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: block
 policy: global-allowed-endpoints-policy
From 8ee9154b806f72c699b5c76c2f6e5242c3bd73e1 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Wed, 5 Nov 2025 11:48:20 -0500
Subject: [PATCH 9/9] Update harden-runner to v2.13.2: egress-policy to block and add id-token permission
---
 .github/workflows/pr-scan.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pr-scan.yaml b/.github/workflows/pr-scan.yaml
index fcaf2c3..57cf111 100644
--- a/.github/workflows/pr-scan.yaml
+++ b/.github/workflows/pr-scan.yaml
@@ -48,7 +48,7 @@ jobs:
 steps:
 - name: Harden the runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
 with:
 egress-policy: block
 policy: global-allowed-endpoints-policy