diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index 1e10b387..dca5bd91 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -10,6 +10,7 @@ on:
permissions: read-all
jobs:
hardening:
+ name: Harden runner
uses: ./.github/workflows/hardening.yaml
PR:
runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c55ab259..05929b28 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -24,9 +24,13 @@ permissions:
contents: read
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
analyze:
name: Analyze
runs-on: ubuntu-latest
+ needs: hardening
permissions:
actions: read
contents: read
@@ -40,11 +44,6 @@ jobs:
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
diff --git a/.github/workflows/delete-artifacts.yml b/.github/workflows/delete-artifacts.yml
index 92fbfda5..7b77c488 100644
--- a/.github/workflows/delete-artifacts.yml
+++ b/.github/workflows/delete-artifacts.yml
@@ -3,8 +3,12 @@ on:
pull_request:
types: [closed]
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
delete-branch:
name: Delete artifact branch
+ needs: hardening
runs-on: ubuntu-latest
steps:
- name: Checkout target branch
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3567963b..b98f0181 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
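Review bot: Deleting the in-job `Harden Runner` step leaves `analyze` with no egress control at all, because the `hardening` job it now depends on runs on its own `ubuntu-latest` runner (see the hardening.yaml hunk) while `analyze` runs on a separate one; step-security/harden-runner instruments only the runner of the job it executes in, so `needs: hardening` sequences the jobs but hardens nothing. The net effect is a regression from `egress-policy: audit` to no policy, and the removed TODO about moving to `block` disappears with it. The step should stay as the first step of `analyze`, as below, and move to `block` with an `allowed-endpoints` list once audit runs show what CodeQL needs. The `analyze` job continues past the end of the hunk.
```yaml
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
          egress-policy: audit  # TODO: switch to block once allowed-endpoints is known
      # … unchanged: checkout and the remaining steps …
```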
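Review bot: `needs: hardening` on `delete-branch` gives a misleading sense of protection: the reusable hardening workflow's harden-runner step executes on a different runner (its own `runs-on: ubuntu-latest`), so it cannot observe or block egress from this job, which checks out the repository in a `pull_request: closed` context and, per its name, deletes branches. If the intent is to harden this job, the step has to be its first step, `- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0` with `with: egress-policy: audit`; if not, `needs: hardening` only adds a no-op job and wait time. The `delete-branch` job continues past the end of the hunk.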
@@ -13,14 +13,13 @@ permissions:
contents: read
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
dependency-review:
runs-on: ubuntu-latest
+ needs: hardening
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- name: 'Checkout Repository'
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: 'Dependency Review'
diff --git a/.github/workflows/hardening.yaml b/.github/workflows/hardening.yaml
index d1a09947..e497494d 100644
--- a/.github/workflows/hardening.yaml
+++ b/.github/workflows/hardening.yaml
@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
# Make sure we have some code to test
- - name: Run harden runner
+ - name: Harden runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: block
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml
index d7cd93c0..865378f5 100644
--- a/.github/workflows/pre-release.yml
+++ b/.github/workflows/pre-release.yml
@@ -9,6 +9,7 @@ jobs:
hardening:
+ name: Harden runner
uses: ./.github/workflows/hardening.yaml
pre-release:
needs: hardening
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b68a8f37..fb2ae1e7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,12 @@ contents: read
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
tagged-release:
name: "Tagged Release"
+ needs: hardening
permissions:
contents: write
runs-on: "ubuntu-latest"
diff --git a/.github/workflows/run-tests-for-patches.yaml b/.github/workflows/run-tests-for-patches.yaml
index d4f31753..1a2234ab 100644
--- a/.github/workflows/run-tests-for-patches.yaml
+++ b/.github/workflows/run-tests-for-patches.yaml
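Review bot: The `dependency-review` job loses its only egress control here: the `Harden Runner` step with `egress-policy: audit` is deleted, and the `needs: hardening` that replaces it points at a job that runs harden-runner on a separate runner (the hardening.yaml hunk below shows its own `runs-on: ubuntu-latest`), which does nothing for this runner. A dependency-review job that fetches from the GitHub API is exactly where egress auditing is cheap and useful, so the step should be restored as the first step of this job, `- name: Harden runner`, `uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0`, `with: egress-policy: audit`, and tightened to `block` with `allowed-endpoints` once the audit output is known. The job's steps continue past the end of the hunk.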
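Review bot: `tagged-release` carries `permissions: contents: write` and is the job whose token and outputs an attacker would most want to exfiltrate, yet `needs: hardening` does not place any egress policy on it: the reusable `hardening` job installs harden-runner on its own runner, not on the `"ubuntu-latest"` runner this job declares, so the release steps run unmonitored. Hardening belongs inside this job as its first step, `- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0` with `with: egress-policy: audit` until the release tooling's endpoints are known and `block` plus `allowed-endpoints` can be used. The `tagged-release` job continues past the end of the hunk.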
@@ -19,6 +19,7 @@ permissions:
contents: read
jobs:
hardening:
+ name: Harden runner
uses: ./.github/workflows/hardening.yaml
call-run-tests:
needs: hardening
diff --git a/.github/workflows/run-tests-generate-output.yaml b/.github/workflows/run-tests-generate-output.yaml
index 12034af8..5b2bf232 100644
--- a/.github/workflows/run-tests-generate-output.yaml
+++ b/.github/workflows/run-tests-generate-output.yaml
@@ -29,12 +29,6 @@ jobs:
contents: write
pull-requests: write
steps:
- # Make sure we have some code to diff.
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Create tmp branch for artifacts and get parent and object ref
diff --git a/.github/workflows/run-tests.yaml b/.github/workflows/run-tests.yaml
index 8224ba88..3934c74e 100644
--- a/.github/workflows/run-tests.yaml
+++ b/.github/workflows/run-tests.yaml
@@ -5,8 +5,12 @@ on:
permissions:
contents: read
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
runtests:
name: Run Tests
+ needs: hardening
runs-on: ubuntu-latest
steps:
- name: Checkout repository
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index dd1bc046..99e9136b 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
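Review bot: This job has `contents: write` and `pull-requests: write` and pushes a branch (per the `Create tmp branch for artifacts` step), and the hunk removes its `Harden Runner` step without adding anything in its place — no `needs: hardening` appears in this hunk, and even the caller's `hardening` job (run-tests-for-patches, above) would run harden-runner on a different runner, so it offers no coverage here. The deleted step was the only thing auditing what this write-capable job talks to on the network. Keep it as the first step, `- name: Harden runner`, `uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0`, `with: egress-policy: audit`, and revisit `block` once the audit logs list the endpoints. The enclosing job starts before the hunk and its steps continue after it.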
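Review bot: `needs: hardening` on `runtests` does not harden `runtests`: the reusable workflow's harden-runner step runs on the hardening job's own runner, while this job gets a fresh `ubuntu-latest` runner with no agent installed, so test execution (typically the step most exposed to third-party dependencies) runs with no egress policy. Either add `- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0` with `with: egress-policy: audit` as the first entry under `steps:` of this job, or drop the dependency so the workflow does not advertise protection it does not have. The `runtests` steps continue past the end of the hunk.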
@@ -12,21 +12,19 @@ on:
permissions: read-all
jobs:
+ hardening:
+ name: Harden runner
+ uses: ./.github/workflows/hardening.yaml
analysis:
name: Scorecard analysis
+ needs: hardening
runs-on: ubuntu-latest
permissions:
# Needed if using Code scanning alerts
security-events: write
# Needed for GitHub OIDC token if publish_results is true
id-token: write
-
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
- with:
- egress-policy: audit
-
- name: "Checkout code"
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
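Review bot: The `analysis` job mints an OIDC token (`id-token: write`) and can write `security-events`, and this hunk strips its `Harden Runner` step while the added `needs: hardening` only waits on a job that runs harden-runner on a different runner; no egress policy applies to the runner that actually holds the OIDC token. Restore the step as the first step of `analysis`, `- name: Harden runner`, `uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0`, `with: egress-policy: audit`, and note that the reusable workflow's `egress-policy: block` without `allowed-endpoints` would break this job if copied verbatim, so an endpoint list from audit runs is needed before switching. The `analysis` steps continue past the end of the hunk.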