Merge pull request #84 from step-security-bot/stepsecurity_remediatio…

…n_1715976143 [StepSecurity] ci: Harden GitHub Actions
Nick2bad4u · May 17, 2024 · 63e9933 · 63e9933
2 parents 6059d0e + dd8d113
commit 63e9933
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
@@ -6,5 +6,10 @@ jobs:
   black-linter:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: psf/black@stable
+      - name: Harden Runner
+        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: psf/black@3702ba224ecffbcec30af640c149f231d90aebdb # stable
diff --git a/.github/workflows/endorlabs.yml b/.github/workflows/endorlabs.yml
@@ -11,6 +11,9 @@ on:
     branches: [ "main" ]
   schedule:
     - cron: '39 0 * * 4'
+permissions:
+  contents: read
+
 jobs:
   scan:
     permissions:
@@ -20,8 +23,13 @@ jobs:
       id-token: write # Used for keyless authentication to Endor Labs
     runs-on: windows-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
     #### Package Build Instructions
     ### Use this section to define the build steps used by your software package.
     ### Endor Labs builds your software for you where possible but the required build tools must be made available.