From 9917f63cbde0da691189f4274da85923e31c7634 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 24 Jul 2025 08:46:26 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/check-semver.yml    | 7 ++++++-
 .github/workflows/lint.yml            | 8 ++++++++
 .github/workflows/publish_to_pypi.yml | 8 ++++++++
 .github/workflows/release-on-push.yml | 5 +++++
 .github/workflows/testing.yml         | 8 ++++++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/check-semver.yml b/.github/workflows/check-semver.yml
index 0b3f71c2..1e28a053 100644
--- a/.github/workflows/check-semver.yml
+++ b/.github/workflows/check-semver.yml
@@ -14,7 +14,12 @@ jobs:
     name: Check labels
     runs-on: ubuntu-latest
     steps:
-      - uses: docker://agilepathway/pull-request-label-checker:v1.6.13
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - uses: docker://agilepathway/pull-request-label-checker:v1.6.13@sha256:4a0bc4b4536934325ab21ea47af7a928b5c18a09b42c40275910945514a9b805
         with:
           one_of: norelease,release:major,release:minor,release:patch
           repo_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 5e184cff..71ae4a3c 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -16,6 +19,11 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
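Review bot: `egress-policy: audit` in the new harden-runner step only records outbound connections; it blocks nothing, so the step adds visibility but no enforcement until the policy is switched to `block` with an `allowed-endpoints` list derived from the audit output. The same applies to the identical steps in lint.yml, publish_to_pypi.yml, release-on-push.yml and testing.yml, and the PyPI publish job is the one where enforcement matters most. A comment on the `with:` line would record that intent, e.g. `# audit first; move to egress-policy: block once the endpoint baseline is known`. Unlike the other three workflows in this commit, no `permissions:` block is added to this file, so the job's token keeps the repository default scope; an explicit least-privilege block would be worth adding once the permissions the label checker actually needs are confirmed. The file also still ends without a trailing newline.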
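Review bot: The workflow-level `permissions: contents: read` added in the first lint.yml hunk sits above a job that already declares `contents: read` in its own block (visible as context in the second hunk), and nothing explains why both exist. GitHub treats a job-level `permissions:` block as a complete replacement for the workflow-level one, so the new entry only governs jobs that declare none; a one-line comment would keep a later cleanup from dropping the wrong one: `# Workflow default; a job-level permissions: block replaces this rather than extending it.`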
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
index 168a06b0..96775b96 100644
--- a/.github/workflows/publish_to_pypi.yml
+++ b/.github/workflows/publish_to_pypi.yml
@@ -7,6 +7,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -17,6 +20,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
diff --git a/.github/workflows/release-on-push.yml b/.github/workflows/release-on-push.yml
index 18a47032..6248b95f 100644
--- a/.github/workflows/release-on-push.yml
+++ b/.github/workflows/release-on-push.yml
@@ -11,6 +11,11 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - uses: rymndhng/release-on-push-action@aebba2bbce07a9474bf95e8710e5ee8a9e922fe2 # v0.28.0
         with:
           bump_version_scheme: norelease
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index b6fc6668..cf3ac168 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: "Package stability ${{ matrix.stability }}"
@@ -23,6 +26,11 @@ jobs:
         python-version: [ '3.11', '3.12', '3.13' ]
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
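Review bot: The new workflow-level `permissions: contents: read` in the first publish_to_pypi.yml hunk will not reach the `deploy` job, because that job has its own `permissions:` block (the second hunk shows `id-token: write` as part of it) and a job-level block replaces the workflow-level one instead of merging with it. If the job block does not itself list `contents: read`, the checkout step that follows the harden-runner step runs with no contents scope on the token; the rest of that block lies outside the hunk, so confirm it and add `contents: read` alongside `id-token: write` if it is missing. A short comment on the workflow-level block stating that it is only a default for jobs without their own block would make the intended scoping explicit.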
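Review bot: release-on-push.yml receives only the harden-runner step and no `permissions:` block, unlike lint.yml, publish_to_pypi.yml and testing.yml in the same commit, even though this job exports `secrets.GITHUB_TOKEN` as a job-wide env var and hands it to an action that creates releases. Without an explicit block the token falls back to the repository's default permission setting, which may be broader than the `contents: write` a release-creating action needs; an explicit `permissions:` block at workflow or job level naming only what the action requires (confirm against its documentation) would bring this file in line with the others. The job's `env:` and the enclosing job definition start outside the hunk.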