From 21eb505b7bedd28106ae58e62122497dd3d737e3 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Mon, 3 Feb 2025 07:46:12 -0800 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#173) Signed-off-by: StepSecurity Bot --- .github/workflows/codeql-analysis.yml | 20 ++++++++++++++++---- .github/workflows/go.yml | 7 +++++-- .github/workflows/release.yaml | 4 ++-- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5220aaf..ac64d22 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -9,8 +9,15 @@ on: schedule: - cron: '0 15 * * 5' +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest @@ -24,8 +31,13 @@ jobs: # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection steps: + - name: Harden Runner + uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. @@ -38,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -49,7 +61,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -63,4 +75,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 4d8598c..be345af 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -1,13 +1,16 @@ name: Go on: [push, pull_request] +permissions: + contents: read + jobs: build: name: Build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: 'stable' diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 823cf66..1a2c22c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -17,14 +17,14 @@ jobs: goos: [freebsd, linux, windows] goarch: [amd64, arm64] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set APP_VERSION env run: echo APP_VERSION=$(echo ${GITHUB_REF} | rev | cut -d'/' -f 1 | rev ) >> ${GITHUB_ENV} - name: Set BUILD_TIME env run: echo BUILD_TIME=$(date) >> ${GITHUB_ENV} - - uses: wangyoucao577/go-release-action@v1 + - uses: wangyoucao577/go-release-action@481a2c1a0f1be199722e3e9b74d7199acafc30a8 # v1.53 with: github_token: ${{ secrets.GITHUB_TOKEN }} goos: ${{ matrix.goos }}