From ca98d5229ebf91ea1c17b4335a1c832ce066e1fe Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 00:52:37 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
.github/workflows/auto-merge-pr.yml | 2 +-
.github/workflows/ci.yml | 8 ++++----
.github/workflows/dependabot-auto-merge.yml | 2 +-
.github/workflows/manual-tag.yml | 9 +++++++--
.github/workflows/nightly.yml | 2 +-
.github/workflows/pr-label.yml | 2 +-
.github/workflows/release.yml | 8 ++++----
.github/workflows/update-cli.yml | 7 +++++--
8 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/auto-merge-pr.yml b/.github/workflows/auto-merge-pr.yml
index 9b126e94..d215fd2d 100644
--- a/.github/workflows/auto-merge-pr.yml
+++ b/.github/workflows/auto-merge-pr.yml
@@ -6,7 +6,7 @@ permissions:
jobs:
dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
if: contains(github.head_ref, 'feature/update_cli')
steps:
- name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4d6e7880..145ea6f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,10 +4,10 @@ on: [ pull_request ]
jobs:
integration-tests:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
lfs: true
@@ -22,7 +22,7 @@ jobs:
run: git lfs checkout
- name: Cache local Maven repository
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
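Review bot: The new `runs-on: cx-public-ubuntu-x64` replaces a GitHub-hosted image with an organisation-specific runner label, and nothing in the workflow records what that pool is or why the move is a security best practice; the same swap is made in ci.yml, dependabot-auto-merge.yml, manual-tag.yml, nightly.yml, pr-label.yml, release.yml and update-cli.yml. If the label maps to self-hosted runners, note that ci.yml is triggered by `on: [ pull_request ]` (visible in its hunk header), where GitHub advises against self-hosted runners for public repositories because a fork's PR code executes on the runner; confirm the repository is private or the pool is ephemeral per job. A short comment on the label would let the next reader check this, e.g. `runs-on: cx-public-ubuntu-x64  # org-managed runner pool, see [RUNNER-POOL-DOCS-PLACEHOLDER]`.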
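Review bot: ci.yml receives a pinned checkout but no top-level `permissions:` block, while the same commit adds `permissions: contents: read` to manual-tag.yml and update-cli.yml; this hunk begins directly after `on: [ pull_request ]`, so there is no such block between `on:` and `jobs:`, and the `on:` hunk-header context in release.yml and nightly.yml suggests those files lack one as well. Without it the job's GITHUB_TOKEN keeps whatever the repository default grants rather than the least privilege the commit is aiming for. Adding `permissions:` / `  contents: read` ahead of `jobs:` (with a job-level override only where a job has to write) would make the three files consistent with the two that were changed.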
@@ -30,7 +30,7 @@ jobs:
${{ runner.os }}-maven-
- name: Set up JDK 11
- uses: actions/setup-java@v4.3.0
+ uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
with:
distribution: 'temurin'
java-version: '11'
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 3ea2ede1..99bbfd66 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
jobs:
dependabot-merge:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml
index 839dbb22..8fb056dc 100644
--- a/.github/workflows/manual-tag.yml
+++ b/.github/workflows/manual-tag.yml
@@ -7,12 +7,17 @@ on:
description: 'Next release tag'
required: true
+permissions:
+ contents: read
+
jobs:
tag-creation:
- runs-on: ubuntu-latest
+ permissions:
+ contents: write # for Git to git push
+ runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
- name: Tag
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 3b827198..73efdc65 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,7 +7,7 @@ on:
jobs:
delete_tag:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
steps:
- name: Delete release
uses: dev-drprasad/delete-tag-and-release@8cd619d00037e4aeb781909c9a6b03940507d0da # v1.0.1
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
index d2af87e3..00dd428e 100644
--- a/.github/workflows/pr-label.yml
+++ b/.github/workflows/pr-label.yml
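Review bot: In manual-tag.yml the job-level `contents: write # for Git to git push` is added while the checkout step still passes `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}`, and actions/checkout persists that token in the git config by default, so the push in the Tag step (which continues outside the hunk) most likely authenticates with the PAT and never uses the new GITHUB_TOKEN grant. Two credentials for one push means the effective privilege is the PAT's full scope, not the `contents: write` the comment documents. Pick one: remove `token:` from the checkout step so the job runs on the scoped GITHUB_TOKEN, or keep the PAT and state why in the comment, e.g. `contents: write # unused for the push itself: the Tag step pushes with PERSONAL_ACCESS_TOKEN so the tag event triggers downstream workflows`, which is the usual reason a PAT is preferred and may be intentional here.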
@@ -10,7 +10,7 @@ jobs:
pr-labeler:
permissions:
pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
steps:
- uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 18845e81..40fc3593 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,13 +34,13 @@ on:
jobs:
release:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
outputs:
CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
TAG_NAME: ${{ steps.set_tag_name.outputs.TAG_NAME }}
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
lfs: true
@@ -88,7 +88,7 @@ jobs:
echo "::set-output name=TAG_NAME::${{ inputs.tag }}"
- name: Cache local Maven repository
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -96,7 +96,7 @@ jobs:
${{ runner.os }}-maven-
- name: Set up Maven Central Repository
- uses: actions/setup-java@v4.3.0
+ uses: actions/setup-java@2dfa2011c5b2a0f1489bf9e433881c92c1631f88 # v4.3.0
with:
java-version: '11'
distribution: 'temurin'
diff --git a/.github/workflows/update-cli.yml b/.github/workflows/update-cli.yml
index bfa98385..f50894e1 100644
--- a/.github/workflows/update-cli.yml
+++ b/.github/workflows/update-cli.yml
@@ -5,12 +5,15 @@ on:
repository_dispatch:
types: [cli-version-update]
+permissions:
+ contents: read
+
jobs:
update_cli:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
lfs: true
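Review bot: In update-cli.yml the new top-level `permissions: contents: read` now governs `update_cli`, which has no job-level override, and its checkout step runs on the default GITHUB_TOKEN (the `with:` block carries only `lfs: true`), so any later step that commits, pushes a branch or opens a pull request with that token will be rejected; the job continues past the hunk, so those steps need checking. auto-merge-pr.yml's `if: contains(github.head_ref, 'feature/update_cli')` suggests this workflow does create such branches, which makes the breakage likely rather than hypothetical. If it writes, add a job-level block limited to what the steps actually use, `permissions:` / `  contents: write` / `  pull-requests: write`, mirroring what the commit did in manual-tag.yml, and drop whichever of the two is not needed.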