From 0b7247bf2c6db1811b611cc96706f9f107d61c29 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Fri, 10 Jan 2025 02:32:04 -0800
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#94)
---
 .../reusable-build-container-images.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/reusable-build-container-images.yml b/.github/workflows/reusable-build-container-images.yml
index 368594f..8467187 100644
--- a/.github/workflows/reusable-build-container-images.yml
+++ b/.github/workflows/reusable-build-container-images.yml
@@ -36,11 +36,16 @@ jobs:
 - context: ./scripts/generators/k8s
 name: generators-k8s
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Docker meta
 id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
 with:
 images: ${{ inputs.registry_ghcr }}-${{ matrix.image.name }} # e.g. ghcr.io/cisco-open/app-simulator-loaders-curl
 # build nightly releases on schedule
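Review bot: `egress-policy: audit` in the new Harden Runner step only records the job's outbound connections; nothing is blocked, so the step adds visibility but not the containment the commit title suggests. The same job later authenticates to ghcr.io with `secrets.PACKAGE_PUBLICATION_TOKEN` (second hunk), and what would actually limit that credential leaving the runner through a compromised action or build dependency is `egress-policy: block` together with an `allowed-endpoints` list derived from the audit logs, e.g. `egress-policy: block` / `allowed-endpoints: >` / `ghcr.io:443` — the full endpoint set depends on the registry passed via `inputs.registry_ghcr` and on the images' base layers, so it is best collected from a few audited runs first. A comment on the step, `# audit only: collect the egress baseline, then switch to block with allowed-endpoints`, would record that this is an interim setting. The SHA pins with `# vX.Y.Z` trailers (here and in the second hunk) only stay current if Dependabot or Renovate is configured for the github-actions ecosystem, which this patch does not show.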
@@ -54,19 +59,19 @@ jobs: - name: Log into GitHub Container Registry if: ${{ inputs.push }} - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: cisco-service password: ${{ secrets.PACKAGE_PUBLICATION_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm64, amd64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Build and push images - uses: docker/build-push-action@v6 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: context: ${{ matrix.image.context }} platforms: linux/amd64,linux/arm64