Merge pull request #275 from NetApp/chore/GHA-010356-stepsecurity-remediation

kcantrel · web-flow · commit 26ce4b58b587 · 2026-04-01T10:49:20.000-05:00
[StepSecurity] Apply security best practices
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -18,13 +18,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
         
       - name: Super-linter
-        uses: super-linter/super-linter@v5.7.2  # x-release-please-version
+        uses: super-linter/super-linter@a8150b40c89574adb5f68bf9502b890a236a06b3 # v5.7.2
         env:
           DEFAULT_BRANCH: main
           # To report GitHub Actions status checks, you must provide a GitHub token.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -27,10 +27,15 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: 'Checkout repository'
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
         # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
         with:
           comment-summary-in-pr: always
diff --git a/.github/workflows/terraform-docs.yml b/.github/workflows/terraform-docs.yml
@@ -23,13 +23,18 @@ jobs:
           - 'Infrastructure_as_Code/Terraform/deploy-fsx-ontap/module'
           - 'Infrastructure_as_Code/Terraform/deploy-fsx-ontap/standalone-module'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request  
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Render documentation and push changes back to branch
-        uses: terraform-docs/gh-actions@v1.0.0
+        uses: step-security/terraform-docs-action@863375b3d57d153d9cb47f73abcc2d4d3d00c101 # v1.4.5
         with:
           working-dir: ${{ matrix.directory }}
           config-file: ".terraform-docs.yml"
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -28,14 +28,19 @@ jobs:
         working-directory: ${{ matrix.directory }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request
-        uses: actions/checkout@v3.5.0
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.ref }}
 
       - name: Set up Terraform
-        uses: hashicorp/setup-terraform@v1
+        uses: hashicorp/setup-terraform@ed3a0531877aca392eb870f440d9ae7aba83a6bd # v1.4.0
         with:
           terraform_wrapper: false
           terraform_version: 1.6.6
diff --git a/.github/workflows/update-CloudformationTemplate-FSxN-report.yml b/.github/workflows/update-CloudformationTemplate-FSxN-report.yml
@@ -23,8 +23,13 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -34,4 +39,4 @@ jobs:
         run: ./update_fsxn_report_CF_template
 
       - name: Commit the changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: step-security/git-auto-commit-action@905c3cd6e9ed2b67b4d46ff401fdb6d745d0ff9d # v7.1.0
diff --git a/.github/workflows/update-CloudformationTemplate-auto-add-cw-alarms.yml b/.github/workflows/update-CloudformationTemplate-auto-add-cw-alarms.yml
@@ -23,8 +23,13 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -34,4 +39,4 @@ jobs:
         run: ./update-auto-add-cw-alarms-CF-Template
 
       - name: Commit the changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: step-security/git-auto-commit-action@905c3cd6e9ed2b67b4d46ff401fdb6d745d0ff9d # v7.1.0
diff --git a/.github/workflows/update-CloudformationTemplate-auto-set-fsxn-auto-grow.yml b/.github/workflows/update-CloudformationTemplate-auto-set-fsxn-auto-grow.yml
@@ -23,8 +23,13 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -34,4 +39,4 @@ jobs:
         run: ./update_auto_set_fsxn_auto_grow_CF_Template
 
       - name: Commit the changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: step-security/git-auto-commit-action@905c3cd6e9ed2b67b4d46ff401fdb6d745d0ff9d # v7.1.0
diff --git a/.github/workflows/update-CloudformationTemplate.yml b/.github/workflows/update-CloudformationTemplate.yml
@@ -23,8 +23,13 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout pull request
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.pull_request.head.ref }}
 
@@ -34,4 +39,4 @@ jobs:
         run: ./updateMonOntapServiceCFTemplate
 
       - name: Commit the changes
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: step-security/git-auto-commit-action@905c3cd6e9ed2b67b4d46ff401fdb6d745d0ff9d # v7.1.0
