From a6c8cdfc79c67fa8392ee84c4a05e591eb02d48f Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 25 Jun 2024 02:16:34 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/codeql.yml | 5 +++++ .github/workflows/deny.yml | 5 +++++ .github/workflows/format.yml | 10 ++++++++++ .github/workflows/integration.yml | 5 +++++ .github/workflows/main.yml | 5 +++++ .github/workflows/oss-fuzz.yml | 5 +++++ .github/workflows/scorecard.yml | 5 +++++ .github/workflows/unittest.yml | 5 +++++ 8 files changed, 45 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 5be63d4..1f7c117 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,6 +40,11 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml index c3d0fd9..8dff79d 100644 --- a/.github/workflows/deny.yml +++ b/.github/workflows/deny.yml @@ -21,6 +21,11 @@ jobs: continue-on-error: ${{ matrix.checks == 'sources' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - run: git config --global http.postBuffer 524288000 - run: git config --global http.sslVerify "false" diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index c0032b1..a401132 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml 
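Review bot: The Harden Runner step added to the CodeQL job runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, so this hunk (like the others in the patch) improves visibility rather than enforcing anything; the "Harden" in the title is aspirational until the policy is tightened. After a few audit runs have produced the set of endpoints the job actually needs, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list under the same `with:` so an unexpected connection fails the job instead of being logged. If the job does not need root, `disable-sudo: true` there removes another escalation path — verify against the job's remaining steps, which lie outside this hunk, before enabling it.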
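Review bot: The new step is placed directly above `- run: git config --global http.sslVerify "false"`, which disables TLS certificate verification for every git fetch cargo-deny's source check performs, so dependency sources can be served by a spoofed host regardless of what Harden Runner records — an egress policy, even in block mode, matches destination names and would not catch that. Hardening this job should include removing that line, or scoping it to the one remote that needs it (`git config --global http.<url>.sslVerify false`) if a proxy on the runner forces it; `continue-on-error: ${{ matrix.checks == 'sources' }}` should then be revisited, since a failing sources check is the signal this combination currently hides. The reason for the setting is not visible in the hunk, so confirm with the job owner before dropping it.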
@@ -18,6 +18,11 @@ jobs: name: Clippy runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Checkout sources uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -57,6 +62,11 @@ jobs: steps: # Install first since it's needed to build NASM + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Install LLVM and Clang uses: KyleMayes/install-llvm-action@82fd451e4380968e8336eefc5b8b9292a619de01 # v2.0.3 with: diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index b0f8266..3a855af 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -21,6 +21,11 @@ jobs: runs-on: [self-hosted, vtpm] steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Checkout sources - vTpm uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 316baaa..7bc0738 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,6 +20,11 @@ jobs: timeout-minutes: 30 steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Checkout vTPM-Td Sources uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/oss-fuzz.yml b/.github/workflows/oss-fuzz.yml index 82b81bf..df08a57 100644 --- a/.github/workflows/oss-fuzz.yml +++ b/.github/workflows/oss-fuzz.yml 
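Review bot: Inserting the Harden Runner step after `# Install first since it's needed to build NASM` leaves that comment describing the wrong step — it now reads as if the runner hardening must come first, while it refers to the `Install LLVM and Clang` step that follows. Move the comment down so it stays attached to the step it explains, placing `# Install first since it's needed to build NASM` immediately before `- name: Install LLVM and Clang`, after the `egress-policy: audit` block; alternatively reword it to `# LLVM/Clang must be installed before NASM is built` so its position no longer matters.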
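Review bot: This job runs on `[self-hosted, vtpm]`, and the hunk applies Harden Runner there exactly as on the hosted runners; as far as I recall the action is documented for GitHub-hosted Ubuntu runners, so on a self-hosted machine it may be unsupported or a no-op, and the audit data would then be missing rather than wrong. Check one run's step output to confirm the agent actually started on the vTPM runner, and if it did not, either drop the step here or mark it with `# NOTE: self-hosted runner — confirm harden-runner agent support`. A self-hosted runner also keeps filesystem and credential state between jobs, which an egress audit does not address, so this hunk should not be read as hardening that runner.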
@@ -7,6 +7,11 @@ jobs: permissions: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Build Fuzzers id: build uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@c0c4b5402db632b5dbdb57831b7b357e14033ba1 # master diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 49ac85e..6b5031d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: diff --git a/.github/workflows/unittest.yml b/.github/workflows/unittest.yml index 433998c..39fcf9a 100644 --- a/.github/workflows/unittest.yml +++ b/.github/workflows/unittest.yml @@ -23,6 +23,11 @@ jobs: timeout-minutes: 30 steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + - name: Checkout sources uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
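Review bot: The `build_fuzzers` step that follows builds the project inside the OSS-Fuzz container, so much of this job's network traffic originates from Docker rather than the runner shell; check the first audit report to confirm that container egress is actually captured before treating the log as complete. This job also carries `security-events: write`, which a compromised build step could use to suppress or plant findings, so when the policy is later moved to `block` this is the workflow where a tight `allowed-endpoints:` list matters most — derive it from the audit output rather than guessing. `build_fuzzers` is pinned to a SHA but annotated `# master`, so that allowlist will need re-deriving whenever the pin is bumped.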