From 54f313941ae024bcfca80615b64f2a62f9625523 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 20 Mar 2025 12:50:33 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
.github/workflows/pr_workflow.yml | 12 ++++++++++--
.github/workflows/release.yml | 9 +++++++--
.github/workflows/test_and_build.yml | 18 ++++++++++++++----
.github/workflows/update-gradle-wrapper.yml | 9 +++++++--
4 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/pr_workflow.yml b/.github/workflows/pr_workflow.yml
index acebf46a..b6a73d7f 100644
--- a/.github/workflows/pr_workflow.yml
+++ b/.github/workflows/pr_workflow.yml
@@ -5,13 +5,21 @@ name: Testing For PRs
 on: [ pull_request ]
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 java-version: 17
 distribution: temurin
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index db0b471f..37f3ba65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
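Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks nothing, so on this `pull_request`-triggered workflow the Gradle build still reaches any host it likes; that is a reasonable first rollout, but the hunk should say so or the step will be read as an enforcing control. Suggest a comment on the step, `# audit only: review the harden-runner report, then switch to egress-policy: block with an allowed-endpoints list`, and a follow-up to make that switch once a few runs have been observed. The step is correctly placed before checkout, which it needs to be to observe every later step; keep that ordering if steps are reordered later.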
@@ -20,11 +20,16 @@ jobs:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 PRERELEASE: "${{ github.event.inputs.prerelease }}"
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 java-version: 17
 distribution: temurin
diff --git a/.github/workflows/test_and_build.yml b/.github/workflows/test_and_build.yml
index 19b82ea2..3c56015d 100644
--- a/.github/workflows/test_and_build.yml
+++ b/.github/workflows/test_and_build.yml
@@ -11,9 +11,14 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 java-version: 17
 distribution: temurin
@@ -26,11 +31,16 @@ jobs:
 GITHUB_USER: "gocd-contrib"
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 java-version: 17
 distribution: temurin
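Review bot: This release.yml hunk, and both test_and_build.yml hunks at `@@ -11,9` and `@@ -26,11`, pin the actions and add harden-runner but, unlike pr_workflow.yml in the same patch, add no `permissions:` block; if the rest of each file declares none, these jobs run with the repository's default `GITHUB_TOKEN` scope while exposing that token to every step through the job-level `env`. The release and publish jobs evidently need to write, so a job-level grant such as `permissions:` / `  contents: write`, narrowed to what the publishing step actually uses, would keep the token least-privilege without breaking the release. The top of each file is outside these hunks, so confirm whether a `permissions:` block already exists before adding one. Note also that `egress-policy: audit` on these credentialed jobs only logs outbound traffic; these are the jobs where moving to `block` with an `allowed-endpoints` list matters most.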
diff --git a/.github/workflows/update-gradle-wrapper.yml b/.github/workflows/update-gradle-wrapper.yml
index dd37510e..0cdecdf0 100644
--- a/.github/workflows/update-gradle-wrapper.yml
+++ b/.github/workflows/update-gradle-wrapper.yml
@@ -10,9 +10,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Update Gradle Wrapper
- uses: gradle-update/update-gradle-wrapper-action@v2
+ uses: gradle-update/update-gradle-wrapper-action@512b1875f3b6270828abfe77b247d5895a2da1e5 # v2.1.0
 with:
 labels: dependencies