From b3fb5fe782dacbfddc3992d7225eb83885d0bb89 Mon Sep 17 00:00:00 2001
From: Mihail Mihov
Date: Thu, 31 Oct 2024 11:43:51 +0200
Subject: [PATCH] ci: Update per Q3 audit findings

Signed-off-by: Mihail Mihov
---
 .github/workflows/flow-deploy-release-artifact.yaml | 10 ++++++++++
 .github/workflows/flow-pull-request-formatting.yaml | 5 +++++
 .github/workflows/zxc-code-analysis.yaml | 5 +++++
 .github/workflows/zxc-compile-code.yaml | 5 +++++
 .github/workflows/zxc-release-maven-central.yaml | 5 +++++
 .github/workflows/zxf-snyk-monitor.yaml | 5 +++++
 6 files changed, 35 insertions(+)

diff --git a/.github/workflows/flow-deploy-release-artifact.yaml b/.github/workflows/flow-deploy-release-artifact.yaml
index f70f8f79..98a5ee0b 100644
--- a/.github/workflows/flow-deploy-release-artifact.yaml
+++ b/.github/workflows/flow-deploy-release-artifact.yaml
@@ -61,6 +61,11 @@ jobs:
 outputs:
 version: ${{ steps.tag.outputs.version }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -122,6 +127,11 @@ jobs:
 needs:
 - publish-maven-central
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
index 77cb7252..693e305d 100644
--- a/.github/workflows/flow-pull-request-formatting.yaml
+++ b/.github/workflows/flow-pull-request-formatting.yaml
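Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections, it does not block any, so a compromised action or dependency running in this deploy/release job could still send whatever secrets the job is granted to an arbitrary host unhindered. Audit mode is a reasonable first pass, but for a workflow that deploys release artifacts the finding is only really addressed once the policy is promoted to `egress-policy: block` with an `allowed-endpoints: >-` list built from the audit reports (for example `github.com:443` plus whatever registries the audit run shows). The same applies to the second hunk's job (`needs: publish-maven-central`). I would at least mark the interim state on the step, `# TODO(security): promote to egress-policy: block once the audit run has established the endpoint allowlist`, so the follow-up is not lost. Both job definitions begin before their hunks, so their `runs-on` and the secrets they use are not visible here.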
@@ -40,6 +40,11 @@ jobs:
 name: Title Check
 runs-on: solo-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Check PR Title
 uses: step-security/conventional-pr-title-action@19fb561b33015fd2184055a05ce5a3bcf2ba3f54 # v3.2.0
 env:
diff --git a/.github/workflows/zxc-code-analysis.yaml b/.github/workflows/zxc-code-analysis.yaml
index 407c1d53..a344d2b9 100644
--- a/.github/workflows/zxc-code-analysis.yaml
+++ b/.github/workflows/zxc-code-analysis.yaml
@@ -102,6 +102,11 @@ jobs:
 name: ${{ inputs.custom-job-label || 'Analyze' }}
 runs-on: solo-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
diff --git a/.github/workflows/zxc-compile-code.yaml b/.github/workflows/zxc-compile-code.yaml
index 68b3bcaa..8bbd4fbe 100644
--- a/.github/workflows/zxc-compile-code.yaml
+++ b/.github/workflows/zxc-compile-code.yaml
@@ -87,6 +87,11 @@ jobs:
 name: ${{ inputs.custom-job-label || 'Compiles' }}
 runs-on: solo-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
diff --git a/.github/workflows/zxc-release-maven-central.yaml b/.github/workflows/zxc-release-maven-central.yaml
index 6b682a5f..4a4fb2a9 100644
--- a/.github/workflows/zxc-release-maven-central.yaml
+++ b/.github/workflows/zxc-release-maven-central.yaml
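Review bot: The Title Check job (and the Analyze and Compiles jobs in the next two hunks) runs on `runs-on: solo-linux-medium`, which is not a GitHub-hosted runner label, and harden-runner's egress monitoring depends on its agent being installable on the runner, with only limited support for self-hosted runners; please confirm from a run log that the added step actually starts the agent on these runners rather than exiting with a warning, otherwise the audit finding is closed on paper while no egress is observed. Assuming it does work there, Title Check is the easiest of the three to move to enforcement, since its only other step is conventional-pr-title-action, which presumably needs nothing but the GitHub API: `egress-policy: block` with `allowed-endpoints: >-` and `api.github.com:443` (verify against the audit output first). The Analyze and Compiles jobs will need a longer allowlist (package registries and the like), which the audit run is the right way to collect before tightening them.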
@@ -94,6 +94,11 @@ jobs:
 outputs:
 notes: ${{ steps.create-release-notes.outputs.RELEASE_NOTES }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout Code
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
diff --git a/.github/workflows/zxf-snyk-monitor.yaml b/.github/workflows/zxf-snyk-monitor.yaml
index 678cb8d5..16b81710 100644
--- a/.github/workflows/zxf-snyk-monitor.yaml
+++ b/.github/workflows/zxf-snyk-monitor.yaml
@@ -37,6 +37,11 @@ jobs:
 name: Snyk Monitor
 runs-on: solo-linux-medium
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
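Review bot: Of the six jobs this patch touches, the Maven Central release job is the one where `egress-policy: audit` leaves the most exposure, because audit mode only reports connections and anything executing in the job with whatever secrets it is granted can still reach any host. The step should say that audit is the interim setting and name the intended end state, e.g. `# audit-only for now; switch to egress-policy: block + allowed-endpoints once the audit reports have been reviewed`. The `zxc-` prefix, which the other `zxc-` workflows in this patch pair with `inputs.` references, suggests this is a reusable `workflow_call` workflow; if so, exposing the egress policy as an input would let the release callers tighten it to `block` without touching the PR-level workflows. The job definition starts before the hunk, so its `runs-on` and secrets are not visible here.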