Merge pull request #377 from step-security-bot/stepsecurity_remediati…

…on_1670524855 [StepSecurity] ci: Harden GitHub Actions
eclipse-transformer · Dec 8, 2022 · 2ad339d · 2ad339d
2 parents 7300cba + 4f3e8f6
commit 2ad339d
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml
@@ -64,10 +64,15 @@ jobs:
     name: JDK${{ matrix.java }} ${{ matrix.os }} ${{ matrix.mavenopts }}
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Git Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
     - name: Set up Java ${{ matrix.java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.java }}
@@ -78,7 +83,7 @@ jobs:
         ./.github/scripts/build.sh ${{ matrix.mavenopts }}
     - name: Configure settings.xml for Publish
       if: ${{ matrix.canonical }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.java }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -53,20 +53,25 @@ jobs:
     name: CodeQL JDK${{ matrix.java }} ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
     - name: Set up Java ${{ matrix.java }}
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
       with:
         distribution: 'temurin'
         java-version: ${{ matrix.java }}
     - name: Initialize CodeQL Analysis
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
       with:
         languages: 'java'
     - name: Build for CodeQL Analysis
       id: build
       run: |
         ./.github/scripts/codeql-build.sh
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -31,8 +31,13 @@ jobs:
     name: Stale
     runs-on: 'ubuntu-latest'
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Stale Action
-      uses: actions/stale@v6
+      uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578 # v6.0.1
       with:
         days-before-stale: 365
         days-before-close: 21