ci: [StepSecurity] Harden GitHub Actions (#338)

Signed-off-by: StepSecurity Bot <[email protected]>
open-amt-cloud-toolkit · May 31, 2024 · 020a7ad · 020a7ad
1 parent 0933cb9
commit 020a7ad
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,6 +11,11 @@ jobs:
     name: runner / formatting
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - name: Format
@@ -22,10 +27,15 @@ jobs:
     name: runner / golangci-lint
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: Check out code into the Go module directory
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
+        uses: reviewdog/action-golangci-lint@00311c26a97213f93f2fd3a3524d66762e956ae0 # v2.6.1
         with:
           fail_on_error: true
           golangci_lint_flags: "--config=.github/.golangci.yml ./..."
@@ -34,8 +44,13 @@ jobs:
     name: runner / yamllint
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-      - uses: reviewdog/action-yamllint@v1
+      - uses: reviewdog/action-yamllint@8d79c3d034667db2792e328936811ed44953d691 # v1.14.0
         with:
           fail_on_error: true
           reporter: github-pr-review
@@ -45,8 +60,13 @@ jobs:
     name: runner / dotenv-linter
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
-      - uses: dotenv-linter/action-dotenv-linter@v2
+      - uses: dotenv-linter/action-dotenv-linter@d92c8e455691d7a4d4e1d830081b0a39e4c34b88 # v2.21.0
         with:
           reporter: github-pr-review
   tests:
@@ -57,6 +77,11 @@ jobs:
         go-version: [1.20.x, 1.21.x, 1.22.x]
         os: [windows-2019, windows-2022, ubuntu-22.04, ubuntu-20.04]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+permissions:
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest