
Commit 4ba8a95

committed
ci: harden build workflow
1 parent efbf928 commit 4ba8a95

1 file changed

Lines changed: 23 additions & 8 deletions


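--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,6 +46,10 @@ env:
   TRIVY_CACHE_DIR: ~/.trivy/cache
 
 
+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
+
 jobs:
 
   ###########################################################
@@ -58,6 +62,12 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+
       - name: "Show: GitHub context"
         env:
           GITHUB_CONTEXT: ${{ toJSON(github) }}
@@ -69,11 +79,11 @@ jobs:
 
 
       - name: Git Checkout
-        uses: actions/checkout@v6 # https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 
       - name: Run the sh-checker
-        uses: luizm/action-sh-checker@master # https://github.com/marketplace/actions/sh-checker
+        uses: luizm/action-sh-checker@883217215b11c1fabbf00eb1a9a041f62d74c744 # master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SHFMT_OPTS: --simplify --keep-padding
@@ -84,13 +94,13 @@ jobs:
 
 
       - name: Check Dockerfile
-        uses: hadolint/hadolint-action@v3.3.0
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
         with:
           dockerfile: image/Dockerfile
 
 
       - name: Cache trivy cache
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ${{ env.TRIVY_CACHE_DIR }}
           # https://github.com/actions/cache/issues/342#issuecomment-673371329
@@ -100,7 +110,7 @@ jobs:
 
 
       - name: Configure fast APT repository mirror
-        uses: vegardit/fast-apt-mirror.sh@v1
+        uses: vegardit/fast-apt-mirror.sh@29a5ef3401107220fc3c32a0c659b6a1211f9e0f # v1
 
 
       - name: Install dos2unix
@@ -123,15 +133,15 @@ jobs:
 
       - name: Login to docker.io
         if: ${{ env.DOCKER_PUSH }}
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
 
       - name: Login to ghcr.io
         if: ${{ env.DOCKER_PUSH_GHCR }}
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -164,8 +174,13 @@ jobs:
       packages: write
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Delete untagged images
-        uses: dataaxiom/ghcr-cleanup-action@v1
+        uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
         with:
           package: ${{ env.DOCKER_REPO_NAME }}
           delete-untagged: true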
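Review bot: Both new harden-runner steps use `egress-policy: audit`, which only records outbound connections and blocks nothing, so a compromised third-party action in the build job (sh-checker, fast-apt-mirror, hadolint) could still exfiltrate `DOCKER_HUB_TOKEN` or the job's `GITHUB_TOKEN`, which carries `packages: write`. Once a few audited runs have established the baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list covering the registries, GitHub API hosts and APT mirrors the job actually reaches, in both jobs. Pinning `luizm/action-sh-checker` to a commit labelled only `# master` is a sound integrity pin but gives update tooling no version to track; prefer a tagged release if the project publishes one. Harden-runner's egress enforcement is, to my knowledge, limited to GitHub-hosted Linux runners, and `runs-on` lies outside the visible hunks, so confirm it applies to these jobs.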
