Skip to content

Commit fa95530

Browse files
committed
update workflows to use specific action versions and adding harden-runner steps to improve security
1 parent ace2bf0 commit fa95530

4 files changed

Lines changed: 74 additions & 53 deletions

File tree

.github/workflows/build.yml

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,12 @@ jobs:
1414
runs-on: windows-latest
1515

1616
steps:
17+
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
18+
with:
19+
egress-policy: audit
20+
1721
- name: Checkout code
18-
uses: actions/checkout@v3
22+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
1923

2024
- name: Remove .npmrc - uses standard registry for internal build check - non-release version
2125
run: |
@@ -25,7 +29,7 @@ jobs:
2529
shell: pwsh
2630

2731
- name: Set up Node.js
28-
uses: actions/setup-node@v3
32+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
2933
with:
3034
node-version: 20
3135

@@ -55,11 +59,15 @@ jobs:
5559
runs-on: windows-latest
5660

5761
steps:
62+
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
63+
with:
64+
egress-policy: audit
65+
5866
- name: Checkout code
59-
uses: actions/checkout@v3
67+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
6068

6169
- name: Set up Node.js
62-
uses: actions/setup-node@v3
70+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
6371
with:
6472
node-version: 20
6573

.github/workflows/codeql.yml

Lines changed: 49 additions & 45 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,11 @@ name: "CodeQL Advanced"
22

33
on:
44
push:
5-
branches: [ "main" ]
5+
branches: ["main"]
66
pull_request:
7-
branches: [ "main" ]
7+
branches: ["main"]
88
schedule:
9-
- cron: '42 15 * * 6'
9+
- cron: "42 15 * * 6"
1010

1111
jobs:
1212
analyze:
@@ -16,7 +16,7 @@ jobs:
1616
# - https://gh.io/supported-runners-and-hardware-resources
1717
# - https://gh.io/using-larger-runners (GitHub.com only)
1818
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
19-
    runs-on: windows-latest
19+
runs-on: windows-latest
2020
permissions:
2121
# required for all workflows
2222
security-events: write
@@ -32,54 +32,58 @@ jobs:
3232
fail-fast: false
3333
matrix:
3434
include:
35-
- language: actions
36-
build-mode: none
37-
- language: javascript-typescript
38-
build-mode: none
35+
- language: actions
36+
build-mode: none
37+
- language: javascript-typescript
38+
build-mode: none
3939
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
4040
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
4141
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
4242
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
4343
steps:
44-
- name: Checkout repository
45-
uses: actions/checkout@v4
44+
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
45+
with:
46+
egress-policy: audit
4647

47-
# Add any setup steps before running the `github/codeql-action/init` action.
48-
# This includes steps like installing compilers or runtimes (`actions/setup-node`
49-
# or others). This is typically only required for manual builds.
50-
# - name: Setup runtime (example)
51-
# uses: actions/setup-example@v1
48+
- name: Checkout repository
49+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
5250

53-
# Initializes the CodeQL tools for scanning.
54-
- name: Initialize CodeQL
55-
uses: github/codeql-action/init@v3
56-
with:
57-
languages: ${{ matrix.language }}
58-
build-mode: ${{ matrix.build-mode }}
59-
# If you wish to specify custom queries, you can do so here or in a config file.
60-
# By default, queries listed here will override any specified in a config file.
61-
# Prefix the list here with "+" to use these queries and those in the config file.
51+
# Add any setup steps before running the `github/codeql-action/init` action.
52+
# This includes steps like installing compilers or runtimes (`actions/setup-node`
53+
# or others). This is typically only required for manual builds.
54+
# - name: Setup runtime (example)
55+
# uses: actions/setup-example@v1
6256

63-
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
64-
# queries: security-extended,security-and-quality
57+
# Initializes the CodeQL tools for scanning.
58+
- name: Initialize CodeQL
59+
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
60+
with:
61+
languages: ${{ matrix.language }}
62+
build-mode: ${{ matrix.build-mode }}
63+
# If you wish to specify custom queries, you can do so here or in a config file.
64+
# By default, queries listed here will override any specified in a config file.
65+
# Prefix the list here with "+" to use these queries and those in the config file.
6566

66-
# If the analyze step fails for one of the languages you are analyzing with
67-
# "We were unable to automatically build your code", modify the matrix above
68-
# to set the build mode to "manual" for that language. Then modify this step
69-
# to build your code.
70-
# ℹ️ Command-line programs to run using the OS shell.
71-
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
72-
- if: matrix.build-mode == 'manual'
73-
shell: bash
74-
run: |
75-
echo 'If you are using a "manual" build mode for one or more of the' \
76-
'languages you are analyzing, replace this with the commands to build' \
77-
'your code, for example:'
78-
echo ' make bootstrap'
79-
echo ' make release'
80-
exit 1
67+
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
68+
# queries: security-extended,security-and-quality
8169

82-
- name: Perform CodeQL Analysis
83-
uses: github/codeql-action/analyze@v3
84-
with:
85-
category: "/language:${{matrix.language}}"
70+
# If the analyze step fails for one of the languages you are analyzing with
71+
# "We were unable to automatically build your code", modify the matrix above
72+
# to set the build mode to "manual" for that language. Then modify this step
73+
# to build your code.
74+
# ℹ️ Command-line programs to run using the OS shell.
75+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
76+
- if: matrix.build-mode == 'manual'
77+
shell: bash
78+
run: |
79+
echo 'If you are using a "manual" build mode for one or more of the' \
80+
'languages you are analyzing, replace this with the commands to build' \
81+
'your code, for example:'
82+
echo ' make bootstrap'
83+
echo ' make release'
84+
exit 1
85+
86+
- name: Perform CodeQL Analysis
87+
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
88+
with:
89+
category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,10 +27,15 @@ jobs:
2727
dependency-review:
2828
runs-on: windows-latest
2929
steps:
30+
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
31+
with:
32+
egress-policy: audit
33+
3034
- name: 'Checkout repository'
31-
uses: actions/checkout@v4
35+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
36+
3237
- name: 'Dependency Review'
33-
uses: actions/dependency-review-action@v4
38+
uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
3439
# Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
3540
with:
3641
comment-summary-in-pr: always

.github/workflows/version-update.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,10 @@ jobs:
1515
if: contains(github.event.pull_request.labels.*.name, 'minor') || contains(github.event.pull_request.labels.*.name, 'patch')
1616

1717
steps:
18+
- uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
19+
with:
20+
egress-policy: audit
21+
1822
- name: Determine version type
1923
id: version_type
2024
run: |
@@ -28,10 +32,10 @@ jobs:
2832
shell: pwsh
2933

3034
- name: Checkout code
31-
uses: actions/checkout@v3
35+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
3236

3337
- name: Set up Node.js
34-
uses: actions/setup-node@v3
38+
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
3539
with:
3640
node-version: 20
3741

0 commit comments

Comments
 (0)