From 4f3e8f67e160bbb69ec262d6c80b94ac108ec095 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 8 Dec 2022 18:40:58 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/cibuild.yml | 11 ++++++++---
 .github/workflows/codeql-analysis.yml | 13 +++++++++----
 .github/workflows/stale.yml | 7 ++++++-
 3 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml
index b7821828..34024154 100644
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -64,10 +64,15 @@ jobs:
 name: JDK${{ matrix.java }} ${{ matrix.os }} ${{ matrix.mavenopts }}
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Git Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 - name: Set up Java ${{ matrix.java }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
@@ -78,7 +83,7 @@ jobs:
 ./.github/scripts/build.sh ${{ matrix.mavenopts }}
 - name: Configure settings.xml for Publish
 if: ${{ matrix.canonical }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 8c3e1921..70b46709 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
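Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and does not restrict them, so the step adds visibility but no enforcement yet, and the inline TODO ("after couple of runs") carries no owner or tracking reference to make sure the switch to `block` actually happens; the same step and comment are added in the codeql-analysis.yml and stale.yml hunks. I would replace the comment with one that points at a tracking item, e.g. `egress-policy: audit  # TODO(<tracking-issue>): switch to 'block' with an allowed-endpoints list once the audit runs have been reviewed`. The audit window deserves to be short for this workflow in particular, because the second hunk's "Configure settings.xml for Publish" step (active when `matrix.canonical` is set) presumably handles release credentials, which is exactly the job where unrestricted egress matters most. The SHA pins are only as durable as the process that refreshes them; if the repository does not already have Dependabot or Renovate watching the github-actions ecosystem, the `# vX.Y.Z` comments will drift from the pinned commits over time. The enclosing job definitions start outside both hunks.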
@@ -53,15 +53,20 @@ jobs:
 name: CodeQL JDK${{ matrix.java }} ${{ matrix.os }}
 runs-on: ${{ matrix.os }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
 - name: Set up Java ${{ matrix.java }}
- uses: actions/setup-java@v3
+ uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c # v3.8.0
 with:
 distribution: 'temurin'
 java-version: ${{ matrix.java }}
 - name: Initialize CodeQL Analysis
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
 with:
 languages: 'java'
 - name: Build for CodeQL Analysis
@@ -69,4 +74,4 @@ jobs:
 run: |
 ./.github/scripts/codeql-build.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0b26516a..1437d66d 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -31,8 +31,13 @@ jobs:
 name: Stale
 runs-on: 'ubuntu-latest'
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Stale Action
- uses: actions/stale@v6
+ uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578 # v6.0.1
 with:
 days-before-stale: 365
 days-before-close: 21
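Review bot: The stale.yml hunk is the natural place to begin the `egress-policy: block` rollout instead of leaving it in audit alongside the build workflows, because the only step after the new Harden Runner step here is `actions/stale`, whose network footprint (as far as the hunk shows, GitHub API traffic only) is small and stable. Switching this one workflow to `egress-policy: block` with an `allowed-endpoints` list taken from a single audit run would exercise the rollout procedure on a low-risk job before the cibuild and CodeQL workflows follow. The `actions/stale` pin and its `# v6.0.1` comment are consistent in form with the other pins in this commit. The enclosing job definition starts outside the hunk.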