Skip to content

Commit 0f17137

Browse files
Pin GitHub Actions to commit SHAs and add Harden Runner in audit mode
1 parent d0f6c2c commit 0f17137

8 files changed

Lines changed: 64 additions & 9 deletions

File tree

.github/workflows/_build.yaml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,12 @@ jobs:
2626
Build:
2727
runs-on: ${{ inputs.os }}
2828
steps:
29+
- name: Harden Runner
30+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
31+
with:
32+
disable-sudo: true
33+
egress-policy: audit
34+
2935
- name: Checkout repository
3036
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3137
with:
@@ -72,7 +78,7 @@ jobs:
7278
run: python -m build
7379

7480
- name: Store the distribution packages
75-
uses: actions/upload-artifact@v7.0.1
81+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
7682
# upload artifacts with the oldest supported version
7783
if: runner.os == 'linux' && inputs.python-version == '3.9'
7884
with:

.github/workflows/_build_doc.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,13 @@ jobs:
2525
Build:
2626
runs-on: ${{ inputs.os }}
2727
steps:
28+
- name: Harden Runner
29+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
30+
with:
31+
egress-policy: audit
32+
# sudo is required by the "Install dependencies" step below (apt-get pandoc)
33+
disable-sudo: false
34+
2835
- name: Checkout repository
2936
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3037

.github/workflows/_codeql.yaml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -38,12 +38,18 @@ jobs:
3838
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
3939

4040
steps:
41+
- name: Harden Runner
42+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
43+
with:
44+
disable-sudo: true
45+
egress-policy: audit
46+
4147
- name: Checkout repository
4248
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4349

4450
# Initializes the CodeQL tools for scanning.
4551
- name: Initialize CodeQL
46-
uses: github/codeql-action/init@v4.36.2
52+
uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
4753
with:
4854
languages: python
4955
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +62,7 @@ jobs:
5662
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
5763
# If this step fails, then you should remove it and run the build manually (see below)
5864
- name: Autobuild
59-
uses: github/codeql-action/autobuild@v4.36.2
65+
uses: github/codeql-action/autobuild@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
6066

6167
# ℹ️ Command-line programs to run using the OS shell.
6268
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,6 +75,6 @@ jobs:
6975
# ./location_of_script_within_repo/buildscript.sh
7076

7177
- name: Perform CodeQL Analysis
72-
uses: github/codeql-action/analyze@v4.36.2
78+
uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
7379
with:
7480
category: "/language:python"

.github/workflows/_pre_commit.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,12 @@ jobs:
1818
Pre-Commit:
1919
runs-on: ubuntu-latest
2020
steps:
21+
- name: Harden Runner
22+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
23+
with:
24+
disable-sudo: true
25+
egress-policy: audit
26+
2127
- name: Checkout
2228
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2329
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/_test.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,12 @@ jobs:
3333
OS: ${{ inputs.os }}
3434
PYTHON: ${{ inputs.python-version }}
3535
steps:
36+
- name: Harden Runner
37+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
38+
with:
39+
disable-sudo: true
40+
egress-policy: audit
41+
3642
- name: Checkout repository
3743
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3844

.github/workflows/cicd.yaml

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -103,14 +103,20 @@ jobs:
103103
name: testpypi
104104
url: https://test.pypi.org/p/python-cmethods
105105
steps:
106+
- name: Harden Runner
107+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
108+
with:
109+
disable-sudo: true
110+
egress-policy: audit
111+
106112
- name: Download all the distributions
107-
uses: actions/download-artifact@v8
113+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
108114
with:
109115
name: python-package-distributions
110116
path: dist/
111117

112118
- name: Publish package distributions to Test PyPI
113-
uses: pypa/gh-action-pypi-publish@release/v1
119+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
114120
with:
115121
repository-url: https://test.pypi.org/legacy/
116122

@@ -138,13 +144,19 @@ jobs:
138144
name: pypi
139145
url: https://pypi.org/p/python-cmethods
140146
steps:
147+
- name: Harden Runner
148+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
149+
with:
150+
disable-sudo: true
151+
egress-policy: audit
152+
141153
- name: Download all the distributions
142-
uses: actions/download-artifact@v8
154+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
143155
with:
144156
name: python-package-distributions
145157
path: dist/
146158

147159
- name: Publish package distributions to PyPI
148-
uses: pypa/gh-action-pypi-publish@release/v1
160+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
149161
with:
150162
repository-url: https://upload.pypi.org/legacy/

.github/workflows/dependabot_auto_approve.yaml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,15 @@ jobs:
2222
runs-on: ubuntu-latest
2323
if: ${{ github.actor == 'dependabot[bot]' }}
2424
steps:
25+
- name: Harden Runner
26+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
27+
with:
28+
disable-sudo: true
29+
egress-policy: audit
30+
2531
- name: Dependabot metadata
2632
id: dependabot-metadata
27-
uses: dependabot/fetch-metadata@v3.1.0
33+
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
2834
with:
2935
github-token: "${{ secrets.GITHUB_TOKEN }}"
3036
- name: Approve a PR

.github/workflows/scorecard.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,12 @@ jobs:
3131
# actions: read
3232

3333
steps:
34+
- name: Harden Runner
35+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
36+
with:
37+
disable-sudo: true
38+
egress-policy: audit
39+
3440
- name: "Checkout code"
3541
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3642
with:

0 commit comments

Comments
 (0)