diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml
index 06fc0bc75..16eaf8b3d 100644
--- a/.github/workflows/baseline_checks.yml
+++ b/.github/workflows/baseline_checks.yml
@@ -7,13 +7,13 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@int-sh
+ - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
 with:
 egress-policy: audit
- - uses: crazy-max/ghaction-github-status@v4
+ - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: npm install
 run: |
@@ -22,12 +22,12 @@ jobs:
 - name: get-npm-version
 id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
 with:
 path: src/exfiltration-demo
 - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
 with:
 name: ${{ github.repository }}/prod:latest
 username: ${{ github.actor }}
diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml
index d8ed7379f..0f92ffd02 100644
--- a/.github/workflows/changed-files-vulnerability-with-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-with-hr.yml
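Review bot: The new pin on the `+ - uses: step-security/harden-runner@668ad3cc…` line is annotated `# int-sh`, a branch name rather than a release tag, so neither a reader nor a pin-update bot can tell which release (if any) this commit corresponds to, and a commit taken from a non-release branch will not pick up upstream security fixes. Every other workflow in this same commit pins `4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`; unless the `int-sh` build is deliberately under test here, use the same line: `- uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0`. If it is deliberate, say so in the comment, e.g. `# int-sh (pre-release branch, not a tagged version)`, so it is not mistaken for an ordinary pin. Note also that the `egress-policy: audit` that follows only records outbound calls and blocks nothing; the `build` job continues past the hunk.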
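Review bot: On the `+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec…` line the pin comment is `# v5`, a moving major tag, so it records no concrete release and a pin-update bot cannot tell whether the SHA is current or which release it should be compared against; the same `# v5` comment appears on the publish.yml pin in this commit. Resolve the SHA to the release tag it belongs to (for example by listing the repository's tags and their commits) and write that in the comment, as the neighbouring pin in this hunk already does with `# v1.3.1`. The SHA itself cannot be checked from the diff; it should come from the upstream tag, not be copied from a third-party example. The step's credential inputs continue below the hunk.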
@@ -15,21 +15,21 @@ jobs:
 name: Test changed-files
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
 with:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
 github.com:443
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 # Example 1
 - name: Get changed files
 id: changed-files
- uses: tj-actions/changed-files@v40
+ uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0
 - name: List all changed files
 run: |
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
index 4b74464f1..e9f8c3488 100644
--- a/.github/workflows/changed-files-vulnerability-without-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -14,14 +14,19 @@ jobs:
 runs-on: ubuntu-latest
 name: Test changed-files
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 # Example 1
 - name: Get changed files
 id: changed-files
- uses: tj-actions/changed-files@v40
+ uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0
 - name: List all changed files
 run: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f42852631..187746b30 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
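Review bot: The `+ uses: tj-actions/changed-files@af292f1e… # v40.0.0` pin is the one that matters in a workflow named after this action's compromise, and nothing in the hunk shows where the SHA came from: in the incident these files refer to, version tags were moved to a malicious commit, so a SHA obtained by resolving `v40.0.0` at pin time is only as trustworthy as the tag was at that moment. Take the SHA from the action's release record and note how it was verified, e.g. `# v40.0.0 (SHA checked against the upstream release)`. The `allowed-endpoints: > github.com:443` allow list is consistent with the `fetch-depth: 0` checkout that follows; the job's `on:` trigger and permissions are above the hunk, so whether this runs on a privileged trigger cannot be judged here.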
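Review bot: The harden-runner step added to `changed-files-vulnerability-without-hr.yml` contradicts the file's name (the variant *without* harden-runner), so after this change the with/without pair no longer differs in the one thing the pair exists to compare. Either drop the added `- name: Harden the runner (Audit all outbound calls)` step from this file, or rename the file so that its name matches its content. If the step is kept, be aware that `egress-policy: audit` only logs outbound connections and prevents nothing, whereas the with-hr variant uses `egress-policy: block` with an allow list; a one-line comment above the step stating that it is audit-only would stop readers from assuming the two files are now equivalent.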
@@ -6,16 +6,16 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
 with:
 egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: npm install
 run: |
 cd ./src/exfiltration-demo
 npm install
 - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
 with:
 name: ${{ github.repository }}/prod:latest
 username: ${{ github.actor }}
diff --git a/.github/workflows/tj-actions-changed-files-incident.yaml b/.github/workflows/tj-actions-changed-files-incident.yaml
index 7426c56fb..0e1553d5f 100644
--- a/.github/workflows/tj-actions-changed-files-incident.yaml
+++ b/.github/workflows/tj-actions-changed-files-incident.yaml
@@ -14,19 +14,19 @@ jobs:
 name: Test changed-files
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
 with:
 disable-sudo: true
 egress-policy: audit
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 # Example 1
 - name: Get changed files
 id: changed-files
- uses: tj-actions/changed-files@v35
+ uses: tj-actions/changed-files@039afcd1024c210363c9d3fc8fd07e1f3fcf2867 # v35.9.3
 - name: List all changed files
 run: |
diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml
index 50ca25cb9..1a8bd20ef 100644
--- a/.github/workflows/toc-tou.yml
+++ b/.github/workflows/toc-tou.yml
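Review bot: `egress-policy: audit` on the pinned harden-runner step in publish.yml only records outbound calls, so for a job that runs `npm install` from `./src/exfiltration-demo` and then pushes an image with registry credentials (`username: ${{ github.actor }}` is visible; the password input is below the hunk) it does not stop a compromised dependency or action from sending those credentials elsewhere. If this workflow is not deliberately left open as part of the exfiltration demo, switch to `egress-policy: block` and add an `allowed-endpoints` list covering github.com:443, registry.npmjs.org:443 and the registry being pushed to, taking the exact host list from an audit run rather than guessing. If it is deliberately open, a comment on the step saying so would prevent the next reader from "fixing" it.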
@@ -15,7 +15,12 @@ jobs:
 contents: read
 pull-requests: read
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Wait for demo purposes
 run: |
@@ -40,7 +45,12 @@ jobs:
 contents: read
 pull-requests: read
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Wait for demo purposes
 run: |
@@ -48,7 +58,7 @@ jobs:
 sleep 120
 # SECURE: Gets exactly the code that was approved
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 ref: ${{ github.event.pull_request.head.sha }}
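Review bot: The `# SECURE: Gets exactly the code that was approved` comment above the pinned `+ - uses: actions/checkout@11bd7190… # v4.2.2` step in the last hunk overstates what `ref: ${{ github.event.pull_request.head.sha }}` guarantees: that value is the PR head at the moment the workflow was triggered, so it is "the approved code" only if the triggering event fires after the approval and the workflow confirms the approval applies to that same SHA, and the `on:` block that would show this is outside the hunk. It also checks out the PR head rather than the merge result that the unpinned checkouts in the two earlier hunks use, so what is tested here differs from what would be merged. Tighten the comment to state the precondition, e.g. `# SECURE only if this runs after approval: pins the head SHA from the event payload instead of a ref re-resolved at checkout time`.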