From ef1453702f64acab390b439d381a038fe6aa2d33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Gr=C3=B8ndahl?=
Date: Wed, 1 Apr 2026 09:36:53 +0200
Subject: [PATCH] ci: add harden-runner to all GitHub Actions workflows

Add step-security/harden-runner v2.16.1 as the first step in every job across all 14 workflow files to improve supply chain security.
---
 .github/workflows/binary_provenance.yml | 5 +++
 .github/workflows/claude-pr-review.yml | 10 ++++++
 .github/workflows/daily-cli-tests.yml | 10 ++++++
 .github/workflows/docker.yml | 5 +++
 .github/workflows/helm-chart.yml | 5 +++
 .github/workflows/init_kosli.yml | 5 +++
 .github/workflows/install-script-tests.yml | 10 ++++++
 .github/workflows/main.yml | 10 ++++++
 .github/workflows/never_alone_trail.yml | 5 +++
 .github/workflows/publish_branch_docs.yml | 5 +++
 .github/workflows/publish_docs.yml | 5 +++
 .github/workflows/release.yml | 40 ++++++++++++++++++++++
 .github/workflows/test.yml | 20 +++++++++++
 .github/workflows/upload-cli-layer.yml | 5 +++
 14 files changed, 140 insertions(+)

diff --git a/.github/workflows/binary_provenance.yml b/.github/workflows/binary_provenance.yml
index 5047460dc..2365391ab 100644
--- a/.github/workflows/binary_provenance.yml
+++ b/.github/workflows/binary_provenance.yml
@@ -34,6 +34,11 @@ jobs:
 matrix:
 artifact: ${{fromJson(inputs.artifacts)}}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 - uses: actions/download-artifact@v8
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
index ace37e560..09a0f0d58 100644
--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
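Review bot: `egress-policy: audit` only records outbound connections and does not block any, so the step added in this hunk (and identically in every other hunk of the patch) is observation rather than enforcement, which the description's "improve supply chain security" overstates. `audit` is also the action's default, so the `with:` block changes nothing at runtime; a comment above it such as `# audit mode: observe egress first, tighten to block per job once the baseline is known` would record that the laxer setting is deliberate. The jobs that build or publish artifacts (release.yml, binary_provenance.yml, docker.yml, upload-cli-layer.yml) are the ones worth moving to `egress-policy: block` with an `allowed-endpoints:` list once the audit runs show which hosts they need. Pinning the new step to a full commit SHA with a `# v2.16.1` comment is the right discipline, but the neighbouring context lines still use tags (`actions/checkout@v6`) and a branch (`kosli-dev/reusable-actions/...@main` in daily-cli-tests.yml, main.yml and release.yml), so a follow-up pinning those mutable refs would complete the intent. The enclosing jobs start and end outside the hunks.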
@@ -26,6 +26,11 @@ jobs:
 contents: read
 pull-requests: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v6
 with:
@@ -74,6 +79,11 @@ jobs:
 contents: read
 pull-requests: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v6
 with:
diff --git a/.github/workflows/daily-cli-tests.yml b/.github/workflows/daily-cli-tests.yml
index 0a04c2772..9546f382d 100644
--- a/.github/workflows/daily-cli-tests.yml
+++ b/.github/workflows/daily-cli-tests.yml
@@ -11,6 +11,11 @@ jobs:
 outputs:
 trail_name: ${{ steps.prep.outputs.trail_name }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 - name: Prepare
@@ -61,6 +66,11 @@ jobs:
 ]
 if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Slack Notification on Failure
 uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
 with:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 84144dde9..850dfb8ce 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -58,6 +58,11 @@ jobs:
 packages: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 fetch-depth: 3
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
index 88e0e2b7a..d2a8d55c4 100644
--- a/.github/workflows/helm-chart.yml
+++ b/.github/workflows/helm-chart.yml
@@ -16,6 +16,11 @@ jobs:
 contents: write
 pull-requests: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Generate token
 id: generate_token
 uses: actions/create-github-app-token@v3
diff --git a/.github/workflows/init_kosli.yml b/.github/workflows/init_kosli.yml
index d2d9b8f3b..f185c6ded 100644
--- a/.github/workflows/init_kosli.yml
+++ b/.github/workflows/init_kosli.yml
@@ -39,6 +39,11 @@ jobs:
 pull-requests: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
diff --git a/.github/workflows/install-script-tests.yml b/.github/workflows/install-script-tests.yml
index c3d1bbba6..f4efeeb16 100644
--- a/.github/workflows/install-script-tests.yml
+++ b/.github/workflows/install-script-tests.yml
@@ -24,6 +24,11 @@ jobs:
 os: [ubuntu-latest, macos-latest, windows-latest]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@v6
@@ -38,6 +43,11 @@ jobs:
 runs-on: macos-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@v6
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index be1dacc7b..075d1edd1 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
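Review bot: The matrix in the first install-script-tests.yml hunk runs on `[ubuntu-latest, macos-latest, windows-latest]` and the second hunk's job is `runs-on: macos-latest`; as far as I know harden-runner's egress monitoring is implemented for Linux runners only, so on the macOS and Windows legs the new step adds no coverage and those runs will have no audit data. Worth confirming against the action's documentation for v2.16.1 and, if so, either guarding the step with `if: runner.os == 'Linux'` or adding a comment such as `# harden-runner only monitors Linux runners; macOS/Windows legs are not covered` so readers do not assume uniform protection. The enclosing jobs start and end outside both hunks.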
@@ -21,6 +21,11 @@ jobs:
 checkout_ref: ${{ steps.prep.outputs.checkout_ref }}
 report_to_kosli: ${{ steps.prep.outputs.report_to_kosli }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 ref: ${{ github.event.pull_request.head.sha || github.sha }}
@@ -130,6 +135,11 @@ jobs:
 ]
 if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Slack Notification on Failure
 uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
 with:
diff --git a/.github/workflows/never_alone_trail.yml b/.github/workflows/never_alone_trail.yml
index 26586a865..0867f05a9 100644
--- a/.github/workflows/never_alone_trail.yml
+++ b/.github/workflows/never_alone_trail.yml
@@ -40,6 +40,11 @@ jobs:
 pull-requests: read
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0
diff --git a/.github/workflows/publish_branch_docs.yml b/.github/workflows/publish_branch_docs.yml
index ff6767d2b..6980d2322 100644
--- a/.github/workflows/publish_branch_docs.yml
+++ b/.github/workflows/publish_branch_docs.yml
@@ -10,6 +10,11 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 - name: Generate json
diff --git a/.github/workflows/publish_docs.yml b/.github/workflows/publish_docs.yml
index 33f401f45..15685705a 100644
--- a/.github/workflows/publish_docs.yml
+++ b/.github/workflows/publish_docs.yml
@@ -14,6 +14,11 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 # Deploy to local repo
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d31f6a475..5c2aba652 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,6 +16,11 @@ jobs:
 trail_name: ${{ steps.prep.outputs.trail_name }}
 trail_template_file: ${{ steps.prep.outputs.trail_template_file }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 - name: Get tag
@@ -110,6 +115,11 @@ jobs:
 outputs:
 artifacts: ${{ steps.prepare-artifacts-list.outputs.artifacts }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v6
 with:
@@ -187,6 +197,11 @@ jobs:
 name: Bump Homebrew formula
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: mislav/bump-homebrew-formula-action@v4
 if: ${{ !contains(github.ref, '-') }} # skip prereleases
 with:
@@ -200,6 +215,11 @@ jobs:
 needs: [goreleaser, pre-build]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@v6
 with:
@@ -237,6 +257,11 @@ jobs:
 needs: [pre-build, goreleaser]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Repository Dispatch
 uses: peter-evans/repository-dispatch@v4
 with:
@@ -249,6 +274,11 @@ jobs:
 needs: [pre-build, goreleaser]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Repository Dispatch
 uses: peter-evans/repository-dispatch@v4
 with:
@@ -261,6 +291,11 @@ jobs:
 needs: [pre-build, goreleaser]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Repository Dispatch
 uses: peter-evans/repository-dispatch@v4
 with:
@@ -300,6 +335,11 @@ jobs:
 ]
 if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - name: Slack Notification on Failure
 uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index cd57fbbb4..6488bb7d2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -73,6 +73,11 @@ jobs:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 ref: ${{ inputs.checkout_ref || github.sha }}
@@ -114,6 +119,11 @@ jobs:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 fetch-depth: 0 # needed for some tests referencing older commits
@@ -185,6 +195,11 @@ jobs:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 ref: ${{ inputs.checkout_ref || github.sha }}
@@ -224,6 +239,11 @@ jobs:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 with:
 ref: ${{ inputs.checkout_ref || github.sha }}
diff --git a/.github/workflows/upload-cli-layer.yml b/.github/workflows/upload-cli-layer.yml
index 195bafc54..1edaeeb52 100644
--- a/.github/workflows/upload-cli-layer.yml
+++ b/.github/workflows/upload-cli-layer.yml
@@ -20,6 +20,11 @@ jobs:
 id-token: write
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@v6
 - name: Configure AWS credentials