Merge pull request #2 from step-security/stepsecurity_remediation_166…

…9766627 [StepSecurity] Apply security best practices
step-security · Nov 30, 2022 · 7829e58 · 7829e58
2 parents b5ae82b + c40ba51
commit 7829e58
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
@@ -25,13 +25,21 @@ on:
         description: 'Expected checksum of output binary file'
         required: true
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   rebuild:
     name: rebuild-${{ github.event.inputs.CORRELATION_ID }}
     permissions:
       contents: read
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
       with:
@@ -40,7 +48,7 @@ jobs:
 
 
     - name: Set up Go 
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
       with:
         go-version: ${{ github.event.inputs.GO_VERSION }}
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -24,6 +24,11 @@ jobs:
       actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
         with: