From 52e249476eb47af45b37be289267e9dcba7b4071 Mon Sep 17 00:00:00 2001 From: Chris Nesbitt-Smith Date: Wed, 22 May 2024 15:03:56 +0100 Subject: [PATCH] harden ci pipeline --- .github/workflows/ci.yaml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 620a040..e0b5332 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -17,6 +17,11 @@ jobs: name: Build runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -46,20 +51,25 @@ jobs: name: github-pages url: ${{ steps.deployment.outputs.page_url }} steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: site.tar - name: Untar files run: tar -xvf site.tar - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: ./_site - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 semver: name: Generate a semantic version number @@ -67,6 +77,11 @@ jobs: outputs: semantic_version: ${{ steps.semver.outputs.semantic_version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + with: + egress-policy: audit + - name: Checkout repo uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4 with: