Harden GitHub Actions workflows (#61)

mraible · web-flow · commit 34b1a456ae1f · 2025-10-21T16:05:30.000-06:00
- Pin actions to full commit SHAs for supply chain security
- Add step-security/harden-runner for runtime security monitoring
- Set minimum GITHUB_TOKEN permissions
- Apply security best practices per StepSecurity recommendations
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -18,9 +18,14 @@ jobs:
     name: Test ${{ matrix.function }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a20  # v6
         with:
           python-version: '3.13'
           cache: 'pip'
@@ -58,9 +63,14 @@ jobs:
     name: Build UI
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v6
         with:
           node-version: 22
           cache: 'npm'
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
@@ -17,9 +17,14 @@ jobs:
     env:
       PYTHON_VERSION: '3.13'
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a20  # v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install global dependencies
diff --git a/.github/workflows/rebuild.yml b/.github/workflows/rebuild.yml
@@ -16,9 +16,14 @@ jobs:
     if: github.repository == 'CrowdStrike/foundry-sample-functions-python'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v5
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af  # v6
         with:
           node-version: 22
       - name: Install dependencies
@@ -32,7 +37,7 @@ jobs:
           git add .
           git commit -a -m "Rebuild UI with latest dependencies" || true
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f  # v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: 'Rebuild with latest dependencies'
