[StepSecurity] ci: Harden GitHub Actions (#71)

* Rename CI.yml to ci.yml * Rename CD.yml to cd.yml * [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot <[email protected]> Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: StepSecurity Bot <[email protected]>
kommitters · Dec 23, 2022 · c76ef97 · c76ef97
1 parent ac44388
commit c76ef97
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/.github/workflows/CD.yml → .github/workflows/cd.yml b/.github/workflows/CD.yml → .github/workflows/cd.yml
@@ -5,6 +5,9 @@ on:
     types:
       [published]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   publish:
     name: Publish Release to HEX PM
@@ -16,12 +19,17 @@ jobs:
     env:
       HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
     steps:
-      - uses: actions/checkout@v3
-      - uses: erlef/setup-elixir@v1
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      - uses: erlef/setup-elixir@b980a5ac9b7316a23ebc16de2bb69b7c3ad731b5 # v1.15.0
         with:
           otp-version: ${{ matrix.otp }}
           elixir-version: ${{ matrix.elixir }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@c1a5de879eb890d062a85ee0252d6036480b1fe2 # v3.2.1
         with:
           path: deps
           key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }}

diff --git a/.github/workflows/CI.yml → .github/workflows/ci.yml b/.github/workflows/CI.yml → .github/workflows/ci.yml
@@ -18,12 +18,17 @@ jobs:
     env:
       MIX_ENV: test
     steps:
-      - uses: actions/checkout@v3
-      - uses: erlef/setup-elixir@v1
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      - uses: erlef/setup-elixir@b980a5ac9b7316a23ebc16de2bb69b7c3ad731b5 # v1.15.0
         with:
           otp-version: ${{ matrix.otp }}
           elixir-version: ${{ matrix.elixir }}
-      - uses: actions/cache@v3
+      - uses: actions/cache@c1a5de879eb890d062a85ee0252d6036480b1fe2 # v3.2.1
         with:
           path: deps
           key: ${{ runner.os }}-mix-${{ hashFiles(format('{0}{1}', github.workspace, '/mix.lock')) }}
@@ -48,6 +53,11 @@ jobs:
     needs: tests
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Set BUILD_NUMBER for Pull Request event
         if: github.event_name == 'pull_request'
         run: echo "BUILD_NUMBER=${{ github.event.pull_request.head.sha }}-PR-${{ github.event.pull_request.number }}" >> $GITHUB_ENV

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -21,6 +21,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
         with: