From 7e1d12c70ad3d909b568c5db0ce7e738f813b23c Mon Sep 17 00:00:00 2001
From: Ulises Gascon
Date: Tue, 9 Sep 2025 22:05:51 +0200
Subject: [PATCH] feat: add harden runner in audit mode to critical workflows

Similar to https://github.com/NativeScript/android/pull/1842
---
 .github/workflows/npm_release.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/npm_release.yml b/.github/workflows/npm_release.yml
index 01305770..0f76e81d 100644
--- a/.github/workflows/npm_release.yml
+++ b/.github/workflows/npm_release.yml
@@ -17,6 +17,10 @@ jobs:
 npm_version: ${{ steps.npm_version_output.outputs.NPM_VERSION }}
 npm_tag: ${{ steps.npm_version_output.outputs.NPM_TAG }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
 - uses: maxim-lobanov/setup-xcode@v1
 with:
 xcode-version: ${{env.XCODE_VERSION}}
@@ -75,6 +79,10 @@ jobs:
 runs-on: macos-14
 needs: build
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
 - uses: maxim-lobanov/setup-xcode@v1
 with:
 xcode-version: ${{env.XCODE_VERSION}}
@@ -138,6 +146,10 @@ jobs:
 NPM_VERSION: ${{needs.build.outputs.npm_version}}
 NPM_TAG: ${{needs.build.outputs.npm_tag}}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
 - uses: actions/setup-node@v3
 with:
 node-version: 20
@@ -164,6 +176,10 @@ jobs:
 env:
 NPM_VERSION: ${{needs.build.outputs.npm_version}}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
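Review bot: `egress-policy: audit` in the step added at the top of the first job's `steps:` list (and identically in the three later hunks) only records outbound connections; nothing is blocked until the policy is switched to `block` with an `allowed-endpoints` list, and the step name is the only place that says so. Consider a comment above the step, such as `# Audit baseline only — promote to egress-policy: block with allowed-endpoints once the observed endpoints have been reviewed`, so the follow-up is not forgotten in a workflow that publishes to npm. The first two jobs appear to run on macOS (`runs-on: macos-14` is visible in the second hunk; the first uses setup-xcode), and harden-runner's egress monitoring is documented primarily for Linux runners, so it is worth confirming that the step produces a report there rather than exiting without effect. Placing the step first in each `steps:` list is correct, since traffic from earlier steps would otherwise go unrecorded.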