Skip to content

Commit b3915b7

Browse files
Pin GitHub Actions to commit SHAs and add use Harden Runner (#190)
1 parent d0f6c2c commit b3915b7

8 files changed

Lines changed: 91 additions & 9 deletions

File tree

.github/workflows/_build.yaml

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,18 @@ jobs:
2626
Build:
2727
runs-on: ${{ inputs.os }}
2828
steps:
29+
- name: Harden Runner
30+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
31+
with:
32+
disable-sudo: true
33+
egress-policy: block
34+
allowed-endpoints: >
35+
api.github.com
36+
files.pythonhosted.org:443
37+
github.com:443
38+
pypi.org:443
39+
release-assets.githubusercontent.com:443
40+
2941
- name: Checkout repository
3042
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3143
with:
@@ -72,7 +84,7 @@ jobs:
7284
run: python -m build
7385

7486
- name: Store the distribution packages
75-
uses: actions/upload-artifact@v7.0.1
87+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
7688
# upload artifacts with the oldest supported version
7789
if: runner.os == 'linux' && inputs.python-version == '3.9'
7890
with:

.github/workflows/_build_doc.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,13 @@ jobs:
2525
Build:
2626
runs-on: ${{ inputs.os }}
2727
steps:
28+
- name: Harden Runner
29+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
30+
with:
31+
egress-policy: audit
32+
# sudo is required by the "Install dependencies" step below (apt-get pandoc)
33+
disable-sudo: false
34+
2835
- name: Checkout repository
2936
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3037

.github/workflows/_codeql.yaml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -38,12 +38,18 @@ jobs:
3838
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
3939

4040
steps:
41+
- name: Harden Runner
42+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
43+
with:
44+
disable-sudo: true
45+
egress-policy: audit
46+
4147
- name: Checkout repository
4248
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
4349

4450
# Initializes the CodeQL tools for scanning.
4551
- name: Initialize CodeQL
46-
uses: github/codeql-action/init@v4.36.2
52+
uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
4753
with:
4854
languages: python
4955
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +62,7 @@ jobs:
5662
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
5763
# If this step fails, then you should remove it and run the build manually (see below)
5864
- name: Autobuild
59-
uses: github/codeql-action/autobuild@v4.36.2
65+
uses: github/codeql-action/autobuild@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
6066

6167
# ℹ️ Command-line programs to run using the OS shell.
6268
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -69,6 +75,6 @@ jobs:
6975
# ./location_of_script_within_repo/buildscript.sh
7076

7177
- name: Perform CodeQL Analysis
72-
uses: github/codeql-action/analyze@v4.36.2
78+
uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2
7379
with:
7480
category: "/language:python"

.github/workflows/_pre_commit.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,12 @@ jobs:
1818
Pre-Commit:
1919
runs-on: ubuntu-latest
2020
steps:
21+
- name: Harden Runner
22+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
23+
with:
24+
disable-sudo: true
25+
egress-policy: audit
26+
2127
- name: Checkout
2228
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2329
- uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.github/workflows/_test.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,12 @@ jobs:
3333
OS: ${{ inputs.os }}
3434
PYTHON: ${{ inputs.python-version }}
3535
steps:
36+
- name: Harden Runner
37+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
38+
with:
39+
disable-sudo: true
40+
egress-policy: audit
41+
3642
- name: Checkout repository
3743
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3844

.github/workflows/cicd.yaml

Lines changed: 37 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -103,14 +103,30 @@ jobs:
103103
name: testpypi
104104
url: https://test.pypi.org/p/python-cmethods
105105
steps:
106+
- name: Harden Runner
107+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
108+
with:
109+
disable-sudo: true
110+
egress-policy: block
111+
allowed-endpoints: >
112+
api.github.com:443
113+
fulcio.sigstore.dev
114+
ghcr.io
115+
github.com:443
116+
pkg-containers.githubusercontent.com:443
117+
rekor.sigstore.dev
118+
test.pypi.org
119+
tuf-repo-cdn.sigstore.dev
120+
uploads.github.com:443
121+
106122
- name: Download all the distributions
107-
uses: actions/download-artifact@v8
123+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
108124
with:
109125
name: python-package-distributions
110126
path: dist/
111127

112128
- name: Publish package distributions to Test PyPI
113-
uses: pypa/gh-action-pypi-publish@release/v1
129+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
114130
with:
115131
repository-url: https://test.pypi.org/legacy/
116132

@@ -138,13 +154,30 @@ jobs:
138154
name: pypi
139155
url: https://pypi.org/p/python-cmethods
140156
steps:
157+
- name: Harden Runner
158+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
159+
with:
160+
disable-sudo: true
161+
egress-policy: block
162+
allowed-endpoints: >
163+
api.github.com:443
164+
fulcio.sigstore.dev
165+
ghcr.io
166+
github.com:443
167+
pkg-containers.githubusercontent.com:443
168+
pypi.org
169+
rekor.sigstore.dev
170+
tuf-repo-cdn.sigstore.dev
171+
upload.pypi.org
172+
uploads.github.com:443
173+
141174
- name: Download all the distributions
142-
uses: actions/download-artifact@v8
175+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
143176
with:
144177
name: python-package-distributions
145178
path: dist/
146179

147180
- name: Publish package distributions to PyPI
148-
uses: pypa/gh-action-pypi-publish@release/v1
181+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
149182
with:
150183
repository-url: https://upload.pypi.org/legacy/

.github/workflows/dependabot_auto_approve.yaml

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,9 +22,15 @@ jobs:
2222
runs-on: ubuntu-latest
2323
if: ${{ github.actor == 'dependabot[bot]' }}
2424
steps:
25+
- name: Harden Runner
26+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
27+
with:
28+
disable-sudo: true
29+
egress-policy: audit
30+
2531
- name: Dependabot metadata
2632
id: dependabot-metadata
27-
uses: dependabot/fetch-metadata@v3.1.0
33+
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
2834
with:
2935
github-token: "${{ secrets.GITHUB_TOKEN }}"
3036
- name: Approve a PR

.github/workflows/scorecard.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,12 @@ jobs:
3131
# actions: read
3232

3333
steps:
34+
- name: Harden Runner
35+
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
36+
with:
37+
disable-sudo: true
38+
egress-policy: audit
39+
3440
- name: "Checkout code"
3541
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3642
with:

0 commit comments

Comments
 (0)