From 8c004815010c780e11681aa29b12b20f6fa42d0c Mon Sep 17 00:00:00 2001
From: amankong
Date: Wed, 2 Jul 2025 17:30:15 +0530
Subject: [PATCH] chore: add Harden Runner to all workflows
---
 .github/workflows/cleanup-preview-packages.yaml | 4 ++++
 .github/workflows/commitlint.yaml | 4 ++++
 .github/workflows/pr-closed.yaml | 4 ++++
 .github/workflows/publish.yaml | 8 ++++++++
 .github/workflows/test.yaml | 4 ++++
 5 files changed, 24 insertions(+)
diff --git a/.github/workflows/cleanup-preview-packages.yaml b/.github/workflows/cleanup-preview-packages.yaml
index 9fd4a595..03578a01 100644
--- a/.github/workflows/cleanup-preview-packages.yaml
+++ b/.github/workflows/cleanup-preview-packages.yaml
@@ -19,6 +19,10 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout Source Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 3436274d..7cb730bc 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -9,6 +9,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
diff --git a/.github/workflows/pr-closed.yaml b/.github/workflows/pr-closed.yaml
index 69ef6866..2099c15d 100644
--- a/.github/workflows/pr-closed.yaml
+++ b/.github/workflows/pr-closed.yaml
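Review bot: `egress-policy: audit` in the new Harden Runner step only records outbound connections and blocks nothing, so this job still runs with `KONGPONENTS_BOT_PAT` exported in job-level `env` and fully open egress. Once one audit run has produced the endpoint inventory, switch the step to `egress-policy: block` with an explicit `allowed-endpoints:` list (the hosts must come from that report, not be guessed). Independently of the policy, the job-level `env` visible in the context lines makes the PAT available to every step, including this newly added third-party action; scoping the token to the step(s) that actually call the GitHub API is a cheaper mitigation than any egress filter. The `jobs:` stanza this hunk belongs to begins outside the hunk.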
@@ -11,6 +11,10 @@ jobs:
 env:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout Source Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 78f6c74b..79ba42b6 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -16,6 +16,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -67,6 +71,10 @@ jobs:
 group: 'pages'
 cancel-in-progress: false
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 46501d87..e53bf772 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -22,6 +22,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 20
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Remove preview consumption comment
 if: github.event_name == 'pull_request'
 uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1
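Review bot: This job exports `NPM_TOKEN` from `secrets.NPM_TOKEN_PUBLIC_PUBLISH` at job level, yet the new step is configured with `egress-policy: audit`, which is observe-only and leaves the registry token exfiltratable by any compromised dependency or action that runs in the job. For a job holding a publish credential the policy should be `egress-policy: block` with `allowed-endpoints:` limited to what the audit report shows (presumably `registry.npmjs.org:443` plus the GitHub endpoints, to be confirmed from the report rather than assumed). Also consider adding `disable-sudo: true`; none of the steps visible here need root, though later steps are outside the hunk. The workflow trigger and the rest of this job are not shown in the hunk.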
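Review bot: Both jobs in publish.yaml receive an identical `egress-policy: audit` block, so after this change the job that presumably ships the package (its steps are outside the hunk) still has no egress enforcement; audit mode is the right first step, but the follow-up to `block` should be recorded on the step itself, otherwise the commit title reads as hardening that never happened. A one-line comment above `egress-policy: audit` would do: `# TODO: switch to egress-policy: block with allowed-endpoints once the audit report has been reviewed`. Because the step is duplicated verbatim here and in the pages job at `@@ -67,6 +71,10 @@`, keeping the policy in one place (e.g. a small composite action) would prevent the two jobs from drifting when one is tightened. The `jobs:` entries both hunks belong to begin outside the hunks.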