[PAN-1885] Spike to evaluate hardened agents (#8)

* feature: hardened agents

.github/actions/install-poetry/action.yml

@@ -4,6 +4,16 @@ description: 'Set up Python and install Poetry'
 runs:
   using: composite
   steps:
+    - uses: step-security/harden-runner@v2
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          files.pythonhosted.org:443
+          github.com:443
+          install.python-poetry.org:443
+          pypi.org:443  
+
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/actions/install-python-deps/action.yml

@@ -4,6 +4,16 @@ description: 'Install Python library dependencies using Poetry'
 runs:
   using: composite
   steps:
+    - uses: step-security/harden-runner@v2
+      with:
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          files.pythonhosted.org:443
+          github.com:443
+          install.python-poetry.org:443
+          pypi.org:443  
+
     - uses: pantos-io/ci-workflows/.github/actions/install-poetry@v1
 
     - name: Load cached venv

.github/workflows/python-ci.yml

@@ -20,11 +20,24 @@ on:
         type: string
         default: ""
 
+permissions:
+  contents: read
+
 jobs:
   StaticCodeAnalysis:
     name: Static Code Analysis
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443  
+      
       - uses: actions/checkout@v4
         with:
             submodules: recursive
@@ -39,6 +52,16 @@ jobs:
   Format:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443    
+      
       - uses: actions/checkout@v4
         with:
             submodules: recursive
@@ -53,6 +76,16 @@ jobs:
   Lint:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443    
+      
       - uses: actions/checkout@v4
         with:
             submodules: recursive
@@ -66,6 +99,16 @@ jobs:
   Sort:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443  
+      
       - uses: actions/checkout@v4
         with:
             submodules: recursive
@@ -80,6 +123,16 @@ jobs:
     name: Bandit
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443  
+      
       - uses: actions/checkout@v4
         with:
             submodules: recursive
@@ -104,6 +157,16 @@ jobs:
           - 5432:5432
 
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            install.python-poetry.org:443
+            pypi.org:443  
+   
       - uses: actions/checkout@v4
         with:
             submodules: recursive

.github/workflows/sonar.yml

@@ -23,6 +23,9 @@ jobs:
     timeout-minutes: 30
     if: github.event.workflow_run.conclusion == 'success'
     steps:
+      - uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
         with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}

README.md

@@ -2,6 +2,11 @@
 Collection of CI actions used by Pantos. Collections are separated by target languages.
 - Python
 
+Additional analysis:
+- Sonar
+
+GitHub runners are hardened using [Harden Runner](https://github.com/step-security/harden-runner).
+
 ## Versioning
 
 Use the following approach when introducing changes: