From 6e754ab5bbd1afc919246f0bd6d34dd3370185e4 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 5 Nov 2024 09:59:00 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/dependabot-automerge.yml | 3 +++
 .github/workflows/sonarcloud.yml | 15 +++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index fa64f1797..ef8f1efce 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -3,6 +3,9 @@ on:
 merge_group:
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 dependabot:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index e5464f7b1..7cc7a5540 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -7,17 +7,28 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
+permissions:
+ contents: read
+
 jobs:
 sonarcloud:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: read # for SonarSource/sonarcloud-github-action to determine which PR to decorate
 name: SonarCloud
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@master
+ uses: SonarSource/sonarcloud-github-action@9f9bba2c7aaf7a55eac26abbac906c3021d211b2 # master
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
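Review bot: The new workflow-level `permissions: contents: read` in dependabot-automerge.yml removes every other scope the `dependabot` job used to receive from the default token, and this hunk adds no job-level grant to give any of them back; if the job approves or merges Dependabot pull requests with `GITHUB_TOKEN`, as its name suggests, those API calls will now be rejected with a 403 rather than silently continuing to work. The sonarcloud.yml change in the same commit shows the intended pattern — a job-level `permissions:` block listing only what that job needs — so the same belongs under `dependabot:` here, for example `permissions:` / `  contents: write` / `  pull-requests: write`, with the exact scopes taken from the steps the job actually runs. The `dependabot` job's steps lie outside this hunk, so this needs checking against the rest of the file.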
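Review bot: The SonarCloud step is now pinned to a commit taken from `master` (the `# master` trailer on the `uses:` line), so the SHA is not tied to any release; tooling that keeps SHA pins current (Dependabot, Renovate) cannot map it to a version, and nothing records which action version was reviewed when the pin was chosen, which is what the pin is meant to guarantee. Prefer the commit of a tagged release and put that tag in the trailing comment, `uses: SonarSource/sonarcloud-github-action@<sha-of-tagged-release> # <release-tag>`, as the same hunk already does for `actions/checkout` and `harden-runner`. Separately, `egress-policy: audit` on the Harden Runner step only records outbound connections and blocks none of them; it is the right first step, but a comment next to it stating the plan to move to `egress-policy: block` with an `allowed-endpoints:` list once the audit log has been reviewed would keep it from being mistaken for an enforced control.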