From 7dc76c92d739bf175f36d810d2df1a82493088a1 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Wed, 11 Jun 2025 23:52:26 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/e2e_test.yml | 12 ++++++++++-- .github/workflows/lint.yml | 12 ++++++++++-- .github/workflows/publish.yml | 12 ++++++++++-- .github/workflows/unit_tests.yml | 12 ++++++++++-- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/.github/workflows/e2e_test.yml b/.github/workflows/e2e_test.yml index 38664030..92638897 100644 --- a/.github/workflows/e2e_test.yml +++ b/.github/workflows/e2e_test.yml @@ -2,15 +2,23 @@ name: Run End-To-End Tests on: [pull_request] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0 with: ruby-version: 3.4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 25878771..4df2768d 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,15 +2,23 @@ name: Run Linters on: [pull_request] +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0 with: ruby-version: 3.4 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 1f7f208a..d9072a1b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -4,16 +4,24 @@ on: release: types: [published] +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest environment: production steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0 with: ruby-version: 2.7 diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index d9b1261b..28dd04ad 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -2,6 +2,9 @@ name: Run Unit Tests on: [pull_request] +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest @@ -10,10 +13,15 @@ jobs: ruby: ['3.0', '3.1', '3.2', '3.3', '3.4'] steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a4effe49ee8ee5b8b5091268c473a4628afb5651 # v1.245.0 with: ruby-version: ${{ matrix.ruby }} bundler-cache: true