Skip to content

Commit 97dcaf5

Browse files
step-security-botstep-security-bot
committed
[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
1 parent 6215b40 commit 97dcaf5

16 files changed

+213
-2
lines changed

.github/dependabot.yml

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: docker
4+
directory: /.clusterfuzzlite
5+
schedule:
6+
interval: daily
7+
8+
- package-ecosystem: github-actions
9+
directory: /
10+
schedule:
11+
interval: daily
12+
13+
- package-ecosystem: npm
14+
directory: /pr-fetch
15+
schedule:
16+
interval: daily
17+
18+
- package-ecosystem: npm
19+
directory: /pr-push
20+
schedule:
21+
interval: daily
22+
23+
- package-ecosystem: npm
24+
directory: /setup-pandoc
25+
schedule:
26+
interval: daily
27+
28+
- package-ecosystem: npm
29+
directory: /setup-r
30+
schedule:
31+
interval: daily
32+
33+
- package-ecosystem: npm
34+
directory: /setup-tinytex
35+
schedule:
36+
interval: daily

.github/workflows/cflite_build.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,11 @@ jobs:
2020
sanitizer:
2121
- address
2222
steps:
23+
- name: Harden the runner (Audit all outbound calls)
24+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
25+
with:
26+
egress-policy: audit
27+
2328
- name: Build Fuzzers (${{ matrix.sanitizer }})
2429
id: build
2530
uses: google/clusterfuzzlite/actions/build_fuzzers@82652fb49e77bc29c35da1167bb286e93c6bcc05

.github/workflows/cflite_pr.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,11 @@ jobs:
2323
sanitizer:
2424
- address
2525
steps:
26+
- name: Harden the runner (Audit all outbound calls)
27+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
28+
with:
29+
egress-policy: audit
30+
2631
- name: Build Fuzzers (${{ matrix.sanitizer }})
2732
id: build
2833
uses: google/clusterfuzzlite/actions/build_fuzzers@82652fb49e77bc29c35da1167bb286e93c6bcc05

.github/workflows/check-full.yaml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,11 @@ jobs:
4141
R_KEEP_PKG_SOURCE: yes
4242

4343
steps:
44+
- name: Harden the runner (Audit all outbound calls)
45+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
46+
with:
47+
egress-policy: audit
48+
4449
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
4550

4651
- uses: ./setup-pandoc
@@ -51,7 +56,7 @@ jobs:
5156
http-user-agent: ${{ matrix.config.http-user-agent }}
5257
use-public-rspm: true
5358

54-
- uses: gaborcsardi/quarto-actions/setup@fix/linux-arm64
59+
- uses: gaborcsardi/quarto-actions/setup@c8ce6c762ce2020772c2afc5b993591f1727022d # fix/linux-arm64
5560

5661
- uses: ./setup-r-dependencies
5762
with:

.github/workflows/check-release.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,11 @@ jobs:
1414
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
1515
R_KEEP_PKG_SOURCE: yes
1616
steps:
17+
- name: Harden the runner (Audit all outbound calls)
18+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
19+
with:
20+
egress-policy: audit
21+
1722
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
1823

1924
- uses: ./setup-r

.github/workflows/check-standard.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,11 @@ jobs:
2828
R_KEEP_PKG_SOURCE: yes
2929

3030
steps:
31+
- name: Harden the runner (Audit all outbound calls)
32+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
33+
with:
34+
egress-policy: audit
35+
3136
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
3237

3338
- uses: ./setup-pandoc

.github/workflows/codeql.yml

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
# For most projects, this workflow file will not need changing; you simply need
2+
# to commit it to your repository.
3+
#
4+
# You may wish to alter this file to override the set of languages analyzed,
5+
# or to provide custom queries or build logic.
6+
#
7+
# ******** NOTE ********
8+
# We have attempted to detect the languages in your repository. Please check
9+
# the `language` matrix defined below to confirm you have the correct set of
10+
# supported CodeQL languages.
11+
#
12+
name: "CodeQL"
13+
14+
on:
15+
push:
16+
branches: ["main"]
17+
pull_request:
18+
# The branches below must be a subset of the branches above
19+
branches: ["main"]
20+
schedule:
21+
- cron: "0 0 * * 1"
22+
23+
permissions:
24+
contents: read
25+
26+
jobs:
27+
analyze:
28+
name: Analyze
29+
runs-on: ubuntu-latest
30+
permissions:
31+
actions: read
32+
contents: read
33+
security-events: write
34+
35+
strategy:
36+
fail-fast: false
37+
matrix:
38+
language: ["typescript"]
39+
# CodeQL supports [ $supported-codeql-languages ]
40+
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
41+
42+
steps:
43+
- name: Harden the runner (Audit all outbound calls)
44+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
45+
with:
46+
egress-policy: audit
47+
48+
- name: Checkout repository
49+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
50+
51+
# Initializes the CodeQL tools for scanning.
52+
- name: Initialize CodeQL
53+
uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
54+
with:
55+
languages: ${{ matrix.language }}
56+
# If you wish to specify custom queries, you can do so here or in a config file.
57+
# By default, queries listed here will override any specified in a config file.
58+
# Prefix the list here with "+" to use these queries and those in the config file.
59+
60+
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
61+
# If this step fails, then you should remove it and run the build manually (see below)
62+
- name: Autobuild
63+
uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
64+
65+
# ℹ️ Command-line programs to run using the OS shell.
66+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
67+
68+
# If the Autobuild fails above, remove it and uncomment the following three lines.
69+
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
70+
71+
# - run: |
72+
# echo "Run, Build Application using script"
73+
# ./location_of_script_within_repo/buildscript.sh
74+
75+
- name: Perform CodeQL Analysis
76+
uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
77+
with:
78+
category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Dependency Review Action
2+
#
3+
# This Action will scan dependency manifest files that change as part of a Pull Request,
4+
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
5+
# Once installed, if the workflow run is marked as required,
6+
# PRs introducing known-vulnerable packages will be blocked from merging.
7+
#
8+
# Source repository: https://github.com/actions/dependency-review-action
9+
name: 'Dependency Review'
10+
on: [pull_request]
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
dependency-review:
17+
runs-on: ubuntu-latest
18+
steps:
19+
- name: Harden the runner (Audit all outbound calls)
20+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
21+
with:
22+
egress-policy: audit
23+
24+
- name: 'Checkout Repository'
25+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
26+
- name: 'Dependency Review'
27+
uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1

.github/workflows/lint.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@ jobs:
1313
env:
1414
GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
1515
steps:
16+
- name: Harden the runner (Audit all outbound calls)
17+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
18+
with:
19+
egress-policy: audit
20+
1621
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
1722

1823
- uses: ./setup-r

.github/workflows/r-devel-test.yaml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,9 +34,14 @@ jobs:
3434
R_KEEP_PKG_SOURCE: yes
3535

3636
steps:
37+
- name: Harden the runner (Audit all outbound calls)
38+
uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
39+
with:
40+
egress-policy: audit
41+
3742
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
3843

39-
- uses: r-hub/actions/debug-shell@v1
44+
- uses: r-hub/actions/debug-shell@e9663823ac5d540b7b2d93436945048a8f6fc4c1 # v1.6.6
4045

4146
- uses: ./setup-pandoc
4247

0 commit comments

Comments
 (0)