
Commit 10f917a

[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
1 parent 39ae48d commit 10f917a

22 files changed

Lines changed: 172 additions & 46 deletions

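--- a/.github/workflows/ancient.yml
+++ b/.github/workflows/ancient.yml
@@ -60,11 +60,16 @@ jobs:
 bundler: "2.3.27"
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}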
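Review bot: `egress-policy: audit` in the new Harden the runner step only records outbound connections; it does not stop an outbound call from a compromised dependency or action, so the hardening this commit adds is observational until the policy is tightened. Once the audit data from a few runs shows the endpoints this job actually needs, switch to `egress-policy: block` and list them under `allowed-endpoints:`. The same audit-only step is added in caboose.yml, codeql-analysis.yml, coverage.yml, current.yml, dep-heads.yml, dependency-review.yml, heads.yml and jruby.yml. The job that contains these steps starts before the hunk.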

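--- a/.github/workflows/auto-assign.yml
+++ b/.github/workflows/auto-assign.yml
@@ -4,15 +4,23 @@ on:
 types: [opened]
 pull_request:
 types: [opened]
+permissions:
+contents: read
+
 jobs:
 run:
 runs-on: ubuntu-latest
 permissions:
 issues: write
 pull-requests: write
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: 'Auto-assign issue'
-uses: pozil/auto-assign-issue@v3
+uses: pozil/auto-assign-issue@dda699c5656ae92f208b052fc91193a8423fffa6 # v3
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 assignees: pboling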
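Review bot: The pin on the Auto-assign step carries `# v3`, a major-version tag that moves, so the comment no longer says which release the SHA `dda699c5656ae92f208b052fc91193a8423fffa6` corresponds to, and update tooling that keys off the comment has nothing precise to compare against. Record the exact release tag resolved at that commit, e.g. `uses: pozil/auto-assign-issue@dda699c5656ae92f208b052fc91193a8423fffa6 # v3.<minor>.<patch>` (placeholder, fill in the tag that points at this SHA). The checkout, setup-ruby and codeql-action pins elsewhere in this commit already use exact release tags in their comments.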

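--- a/.github/workflows/caboose.yml
+++ b/.github/workflows/caboose.yml
@@ -84,11 +84,16 @@ jobs:
 bundler: "2.3.27"
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}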
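Review bot: This file receives the harden-runner step but, unlike auto-assign.yml and codeql-analysis.yml in the same commit, no top-level `permissions:` block is added; if caboose.yml does not already declare one above the hunk, the GITHUB_TOKEN keeps the repository's default permission set for every job in it. Add `permissions:` with `contents: read` at the top of the workflow (outside this hunk) and widen per job only where a step needs more. The same gap applies to ancient.yml, current.yml, dep-heads.yml, dependency-review.yml, heads.yml and jruby.yml, whose file tops are likewise not shown here. The jobs block starts before this hunk.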

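--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
 schedule:
 - cron: '35 1 * * 5'
 
+permissions:
+contents: read
+
 jobs:
 analyze:
 name: Analyze
@@ -37,12 +40,17 @@ jobs:
 # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout repository
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v4
+uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +61,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
-uses: github/codeql-action/autobuild@v4
+uses: github/codeql-action/autobuild@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 
 # ℹ️ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -67,4 +75,4 @@ jobs:
 # make release
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v4
+uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5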
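Review bot: The new top-level `permissions: contents: read` in the first hunk narrows the default token for every job in the file, while the analyze job's last step uploads results through `github/codeql-action/analyze`, which needs `security-events: write`. The analyze job's header is outside the hunks, so I cannot see whether a job-level `permissions:` block already grants it; if it does not, the upload will be rejected after this commit. In that case add `permissions:` to the analyze job with `security-events: write` and `contents: read` so the job-level grant overrides the new workflow-level default.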

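--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -54,11 +54,16 @@ jobs:
 bundler: latest
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: "${{ matrix.ruby }}"
 rubygems: "${{ matrix.rubygems }}"
@@ -78,14 +83,14 @@ jobs:
 # Do SaaS coverage uploads first
 - name: Upload coverage to Coveralls
 if: ${{ !env.ACT }}
-uses: coverallsapp/github-action@master
+uses: coverallsapp/github-action@09b709cf6a16e30b0808ba050c7a6e8a5ef13f8d # master
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 continue-on-error: ${{ matrix.experimental != 'false' }}
 
 - name: Upload coverage to QLTY
 if: ${{ !env.ACT }}
-uses: qltysh/qlty-action/coverage@main
+uses: qltysh/qlty-action/coverage@141b881236146435192435eb7b0e06ea0b70b4d9 # main
 with:
 token: ${{secrets.QLTY_COVERAGE_TOKEN}}
 files: coverage/.resultset.json
@@ -95,7 +100,7 @@ jobs:
 # which will hopefully be noticed for the lack of code coverage comments
 - name: Upload coverage to CodeCov
 if: ${{ !env.ACT }}
-uses: codecov/codecov-action@v6
+uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
 with:
 use_oidc: true
 fail_ci_if_error: false # optional (default = false)
@@ -105,7 +110,7 @@ jobs:
 # Then PR comments
 - name: Code Coverage Summary Report
 if: ${{ !env.ACT && github.event_name == 'pull_request' }}
-uses: irongut/CodeCoverageSummary@v1.3.0
+uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0
 with:
 filename: ./coverage/coverage.xml
 badge: true
@@ -119,7 +124,7 @@ jobs:
 continue-on-error: ${{ matrix.experimental != 'false' }}
 
 - name: Add Coverage PR Comment
-uses: marocchino/sticky-pull-request-comment@v3
+uses: marocchino/sticky-pull-request-comment@d4d6b0936434b21bc8345ad45a440c5f7d2c40ff # v3.0.3
 if: ${{ !env.ACT && github.event_name == 'pull_request' }}
 with:
 recreate: true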
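Review bot: The Coveralls and QLTY pins in the second hunk point at a commit on a moving branch (`# master`, `# main`) rather than at a release; the SHA itself is immutable, so the pin holds today, but the comment gives reviewers and update tooling no version to reason about, and the next bump would land on whatever the branch head is at that moment rather than on a reviewed release. Prefer resolving the nearest tagged release of each action and pinning to that commit with the tag in the comment, e.g. `uses: coverallsapp/github-action@<release-sha> # v<release-tag>` (placeholders). If either action publishes no tags, say so in the comment so the branch reference reads as deliberate. The job these steps belong to starts before the first hunk.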

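--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -62,13 +62,18 @@ jobs:
 bundler: default
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}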

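--- a/.github/workflows/dep-heads.yml
+++ b/.github/workflows/dep-heads.yml
@@ -64,13 +64,18 @@ jobs:
 bundler: default
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}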

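--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -14,7 +14,12 @@ jobs:
 dependency-review:
 runs-on: ubuntu-latest
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: 'Checkout Repository'
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: 'Dependency Review'
-uses: actions/dependency-review-action@v5
+uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0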

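--- a/.github/workflows/heads.yml
+++ b/.github/workflows/heads.yml
@@ -63,13 +63,18 @@ jobs:
 bundler: default
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
 if: ${{ (env.ACT && !(startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) || (!env.ACT && (startsWith(matrix.ruby, 'jruby')) || startsWith(matrix.ruby, 'truffleruby')) }}
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}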

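--- a/.github/workflows/jruby.yml
+++ b/.github/workflows/jruby.yml
@@ -45,13 +45,18 @@ jobs:
 bundler: default
 
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+with:
+egress-policy: audit
+
 - name: Checkout
 if: ${{ !env.ACT }}
-uses: actions/checkout@v6
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Setup Ruby & RubyGems
 if: ${{ !env.ACT }}
-uses: ruby/setup-ruby@v1.308.0
+uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
 with:
 ruby-version: ${{ matrix.ruby }}
 rubygems: ${{ matrix.rubygems }}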
