Merge pull request #16 from bytemare/dbz/update-scorecard

Update Scorecards and add harden-runner

.github/workflows/ci.yml

@@ -12,6 +12,16 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
+
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
@@ -37,6 +47,16 @@ jobs:
       matrix:
         go: [ '1.22', '1.21' ]
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
@@ -54,6 +74,21 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.codecov.io:443
+            api.github.com:443
+            cli.codecov.io:443
+            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            scanner.sonarcloud.io:443
+            sonarcloud.io:443
+            storage.googleapis.com:443
+
       - name: Checkout repo
         uses: actions/checkout@v4
         with:

.github/workflows/codeql.yml

@@ -23,6 +23,18 @@ jobs:
       fail-fast: false
 
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
+      
+
       - name: Checkout repository
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@main
 

.github/workflows/scorecards.yml

@@ -1,26 +1,38 @@
-name: Scorecards supply-chain security
+name: Scorecard analysis workflow
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
-  schedule:
-    - cron: '44 9 * * 0'
   push:
+    # Only the default branch is supported.
+    branches:
+      - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron: '30 1 * * 6'
+  pull_request:
+    # All branches are supported.
     branches: [ main ]
 
-# Declare default permissions as read only.
 permissions: read-all
 
 jobs:
   analysis:
-    name: Scorecards analysis
+    name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed for Code scanning upload
       security-events: write
-      actions: read
-      contents: read
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
 
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            github.com:443
+
       - name: "Checkout code"
         uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # pin@main
         with: