Use harden-runner Action for all Workflows (#506)

* Use harden-runner Action for all Workflows Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Test fmt Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Auto-format files * Add block policies Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> Co-authored-by: panther-bot-automation <github-service-account-automation@panther.io>
panther-labs · May 29, 2024 · 6d596d7 · 6d596d7
1 parent 33b6ce4
commit 6d596d7
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 0 deletions.
diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml
@@ -6,11 +6,17 @@ on:
       - opened
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   update_task_on_pr_open:
     if: ${{ github.event.pull_request.state == 'open' }}
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
       - uses: panther-labs/github-asana-action@v3.0.7
         name: Adds a comment to the related Asana task whenever a PR has been opened
         with:
@@ -30,6 +36,9 @@ jobs:
     if: ${{ github.event.pull_request.state == 'closed' }}
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
       - uses: panther-labs/github-asana-action@v3.0.7
         name: Adds a comment to the related Asana task when the PR is closed
         with:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,9 +1,21 @@
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            ipinfo.io:443
+            pypi.org:443
       - name: Checkout
         uses: actions/checkout@v3.1.0
       - name: Setup Python

diff --git a/.github/workflows/fmt.yml b/.github/workflows/fmt.yml
@@ -6,10 +6,21 @@ on:
     branches:
       - '*' # Match all branches
 
+permissions:
+  contents: write
+
 jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
       - name: Checkout
         uses: actions/checkout@v3
 

diff --git a/.github/workflows/test_release_publish.yml b/.github/workflows/test_release_publish.yml
@@ -3,11 +3,18 @@ name: Build, Test, Publish Github and PyPI Releases
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   publish_github_release_and_pypi:
     runs-on: ubuntu-latest
 
     steps:
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
     - name: Check out the repository
       uses: actions/checkout@v3
       with:

diff --git a/.github/workflows/version_bump_pr.yml b/.github/workflows/version_bump_pr.yml
@@ -8,11 +8,17 @@ on:
         required: true
         default: 'minor'
 
+permissions:
+  contents: write
+
 jobs:
   version_bump_pr:
     runs-on: ubuntu-latest
 
     steps:
+    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
     - name: Check out the repository
       uses: actions/checkout@v3
       with: