diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c8becc9f..ba419951 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 - push
 - pull_request
+permissions:
+ contents: read
+
 jobs:
 python-test:
 runs-on: ubuntu-22.04
@@ -28,6 +31,11 @@ jobs:
 # Maps tcp port 5432 on service container to the host
 - 5432:5432
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 0b1d2349..0d88cc69 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 docker-release:
 name: Docker release to Google Artifact Registry
@@ -15,6 +18,11 @@ jobs:
 id-token: "write"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
 - id: checkout
 name: Checkout
 uses: actions/checkout@v6
@@ -23,7 +31,7 @@ jobs:
 - id: auth
 name: Authenticate with Google Cloud
- uses: google-github-actions/auth@v3
+ uses: step-security/google-github-auth@57c51210cb4d85d8a5d39dc4c576c79bd693f914 # v3.0.1
 with:
 token_format: access_token
 workload_identity_provider: projects/259610024247/locations/global/workloadIdentityPools/github-actions/providers/github-actions-access
@@ -31,7 +39,7 @@ jobs:
 access_token_lifetime: 300s
 - name: Login to Artifact Registry
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: us-east1-docker.pkg.dev
 username: oauth2accesstoken
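Review bot: The new workflow-level `permissions: contents: read` in docker-image.yml does not narrow the `docker-release` job, because that job declares its own `permissions:` block (the `id-token: "write"` context line in the following hunk) and in GitHub Actions a job-level block replaces the workflow-level one entirely rather than merging with it. The top-level default still protects any job added later without its own block, so it is worth keeping, but the job-level block is what actually governs the release job. I'd confirm it lists only `contents: read` and `id-token: write` and add a comment above it such as `# job-level permissions replace the workflow default above; keep this minimal`. The job's permissions block starts outside the hunk.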
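Review bot: `egress-policy: audit` on the `docker-release` job only records outbound connections; it does not stop a compromised step or dependency from exfiltrating the short-lived GCP access token this job mints a few steps later. Of the four workflows touched, this is the only job holding a cloud credential, so it is where `egress-policy: block` with an explicit `allowed-endpoints:` list (GitHub, `us-east1-docker.pkg.dev`, and whichever Google token-exchange endpoints the auth step contacts — take them from a first audit run rather than guessing) pays off. Until that switch, the protection is observational only; a comment like `# audit mode: logs egress, blocks nothing — move to block + allowed-endpoints once the baseline is known` would keep that from being mistaken for enforcement.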
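Review bot: Replacing `google-github-actions/auth@v3` with `step-security/google-github-auth@57c5…` changes the publisher of the step that receives the workflow's OIDC token and exchanges it for a GCP access token, not just the pin — the trust boundary for the most sensitive action in the pipeline moves from Google to a third-party fork. If the goal was only SHA pinning, `google-github-actions/auth@<sha> # v3.x` achieves that without changing publishers; if the fork is deliberate, say so in a comment (`# step-security fork of google-github-actions/auth, pinned by SHA`) and verify the SHA matches that fork's tagged v3.0.1 release rather than trusting the trailing comment. The `access_token_lifetime: 300s` in the next hunk limits the blast radius either way. The step's `with:` block continues past the end of the hunk.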
@@ -39,7 +47,7 @@ jobs:
 - id: docker-push-tagged
 name: Tag Docker image and push to Google Artifact Registry
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 push: true
 tags: |
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 04ebe873..db503145 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,10 +4,18 @@ on:
 - push
 - pull_request
+permissions:
+ contents: read
+
 jobs:
 node-lint:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 persist-credentials: false
@@ -24,6 +32,11 @@ jobs:
 matrix:
 python-version: ["3.13"]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 persist-credentials: false
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f00e0eb2..b0a4711d 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 # random HH:MM to avoid a load spike on GitHub Actions at 00:00
 - cron: '25 15 * * 1'
+permissions:
+ contents: read
+
 jobs:
 semgrep:
 name: semgrep/ci
@@ -17,6 +20,11 @@ jobs:
 image: returntocorp/semgrep
 if: (github.actor != 'dependabot[bot]')
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 persist-credentials: false
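Review bot: The `semgrep` job runs inside `container: image: returntocorp/semgrep`, and Harden-Runner instruments the runner VM rather than the job container; whether its egress monitoring covers processes inside a `container:` job is something I'd confirm against the action's documentation on a real run rather than assume, otherwise this step may be a no-op here. Separately, `returntocorp/semgrep` is a mutable tag with no digest — the same kind of floating reference this commit pins everywhere else — and `image: returntocorp/semgrep@sha256:<digest>` would close that gap for the job that executes the scanner. The `container:` stanza starts outside the hunk.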