[StepSecurity] Apply security best practices #68
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This GitHub Actions workflow is named "ActionLint". | |
| # It is triggered on push events and manually via the workflow_dispatch event. | |
| # | |
| # Permissions: | |
| # - Read access to repository contents. | |
| # - Write access to pull requests. | |
| # | |
| # Jobs: | |
| # - job-1: | |
| # - Runs on the latest Ubuntu runner. | |
| # - Steps: | |
| # - Harden Runner: Uses the step-security/harden-runner action to audit egress policy. | |
| # - Checkout: Uses the actions/checkout action to check out the repository. | |
| # - ActionLint: Uses the devops-actions/actionlint action to lint the workflow files. | |
| # - Continues on error and sets the ID to action-lint. | |
| name: ActionLint | |
| concurrency: | |
| group: actionlint-${{ github.ref }} | |
| cancel-in-progress: false | |
| on: | |
| push: | |
| paths: | |
| - ".github/**" | |
| pull_request: | |
| paths: | |
| - ".github/**" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| job-1: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - uses: devops-actions/actionlint@469810fd82c015d3c43815cd2b0e4d02eecc4819 #v0.1.11 | |
| continue-on-error: true | |
| id: action-lint |