diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 49f1851ae..a1ed6f238 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '37 20 * * 6' +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: analyze: name: Analyze @@ -37,12 +40,17 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@4238421316c33d73aeea2801274dd286f157c2bb with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +61,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@4238421316c33d73aeea2801274dd286f157c2bb # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +75,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@4238421316c33d73aeea2801274dd286f157c2bb diff --git a/.github/workflows/contracts-testing.yml b/.github/workflows/contracts-testing.yml index b209a2f16..553df68c9 100644 --- a/.github/workflows/contracts-testing.yml +++ b/.github/workflows/contracts-testing.yml @@ -9,19 +9,27 @@ on: branches: - "*" +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: test: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Setup Node.js environment - uses: actions/setup-node@v3.5.1 + uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 with: node-version: 16.x - - uses: actions/checkout@v3 + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: Cache node modules - uses: actions/cache@v3.0.11 + uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 env: cache-name: cache-node-modules with: @@ -52,7 +60,7 @@ jobs: working-directory: contracts - name: Upload a build artifact - uses: actions/upload-artifact@v3.1.1 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb with: name: code-coverage-report path: contracts/coverage diff --git a/.github/workflows/deploy-bots.yml b/.github/workflows/deploy-bots.yml index 883854c89..939f42cba 100644 --- a/.github/workflows/deploy-bots.yml +++ b/.github/workflows/deploy-bots.yml @@ -1,13 +1,21 @@ on: [workflow_dispatch] +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: build-deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-python@v4 - - uses: aws-actions/setup-sam@v2 - - uses: aws-actions/configure-aws-credentials@v1 + - name: Harden Runner + uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + - uses: actions/setup-python@13ae5bb136fac2878aff31522b9efb785519f984 + - uses: aws-actions/setup-sam@8dbd164261576216897020cd750587e50e4d2136 + - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 with: aws-access-key-id: ${{ secrets.STAGING_AWS_ACCESS_KEY }} aws-secret-access-key: ${{ secrets.STAGING_AWS_SECRET_KEY }}