Merge pull request #408 from OWASP/hardening-step-security

Adding hardening on run-tests and delete-artifacts in case it is run separatly.
OWASP · Apr 17, 2024 · 21a14cf · 21a14cf
2 parents ddeee42 + f897caa
commit 21a14cf
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 23 deletions.
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
@@ -10,6 +10,7 @@ on:
 permissions: read-all
 jobs:
   hardening:
+    name: Harden runner
     uses: ./.github/workflows/hardening.yaml
   PR:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -24,9 +24,13 @@ permissions:
   contents: read
 
 jobs:
+  hardening:
+    name: Harden runner
+    uses: ./.github/workflows/hardening.yaml
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    needs: hardening
     permissions:
       actions: read
       contents: read
@@ -40,11 +44,6 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: Checkout repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 

diff --git a/.github/workflows/delete-artifacts.yml b/.github/workflows/delete-artifacts.yml
@@ -3,8 +3,12 @@ on:
   pull_request:
     types: [closed]
 jobs:
+  hardening:
+    name: Harden runner
+    uses: ./.github/workflows/hardening.yaml
   delete-branch:
     name: Delete artifact branch
+    needs: hardening
     runs-on: ubuntu-latest
     steps:
       - name: Checkout target branch

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -13,14 +13,13 @@ permissions:
   contents: read
 
 jobs:
+  hardening:
+    name: Harden runner
+    uses: ./.github/workflows/hardening.yaml
   dependency-review:
     runs-on: ubuntu-latest
+    needs: hardening
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: 'Checkout Repository'
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: 'Dependency Review'

diff --git a/.github/workflows/hardening.yaml b/.github/workflows/hardening.yaml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Make sure we have some code to test
-      - name: Run harden runner
+      - name: Harden runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: block

diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
@@ -9,6 +9,7 @@
 
     jobs:
       hardening:
+        name: Harden runner
         uses: ./.github/workflows/hardening.yaml
       pre-release:
         needs: hardening

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,8 +9,12 @@
       contents: read
 
     jobs:
+      hardening:
+        name: Harden runner
+        uses: ./.github/workflows/hardening.yaml
       tagged-release:
         name: "Tagged Release"
+        needs: hardening
         permissions:
           contents: write
         runs-on: "ubuntu-latest"

diff --git a/.github/workflows/run-tests-for-patches.yaml b/.github/workflows/run-tests-for-patches.yaml
@@ -19,6 +19,7 @@ permissions:
   contents: read
 jobs:
   hardening:
+    name: Harden runner
     uses: ./.github/workflows/hardening.yaml
   call-run-tests:
     needs: hardening

diff --git a/.github/workflows/run-tests-generate-output.yaml b/.github/workflows/run-tests-generate-output.yaml
@@ -29,12 +29,6 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      # Make sure we have some code to diff.
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
       - name: Checkout repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Create tmp branch for artifacts and get parent and object ref

diff --git a/.github/workflows/run-tests.yaml b/.github/workflows/run-tests.yaml
@@ -5,8 +5,12 @@ on:
 permissions:
   contents: read
 jobs:
+  hardening:
+    name: Harden runner
+    uses: ./.github/workflows/hardening.yaml
   runtests:
     name: Run Tests
+    needs: hardening
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -12,21 +12,19 @@ on:
 permissions: read-all
 
 jobs:
+  hardening:
+    name: Harden runner
+    uses: ./.github/workflows/hardening.yaml
   analysis:
     name: Scorecard analysis
+    needs: hardening
     runs-on: ubuntu-latest
     permissions:
       # Needed if using Code scanning alerts
       security-events: write
       # Needed for GitHub OIDC token if publish_results is true
       id-token: write
-
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit
-
       - name: "Checkout code"
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with: