From 6d596d7bb79da92c4842e8ef93c8addbdd32608f Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Wed, 29 May 2024 15:39:15 -0500
Subject: [PATCH] Use harden-runner Action for all Workflows (#506)

* Use harden-runner Action for all Workflows

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Test fmt

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Auto-format files

* Add block policies

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
Co-authored-by: panther-bot-automation
---
 .github/workflows/asana.yml | 9 +++++++++
 .github/workflows/ci.yml | 12 ++++++++++++
 .github/workflows/fmt.yml | 11 +++++++++++
 .github/workflows/test_release_publish.yml | 7 +++++++
 .github/workflows/version_bump_pr.yml | 6 ++++++
 5 files changed, 45 insertions(+)

diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml
index cf57ab6b..d13c3de0 100644
--- a/.github/workflows/asana.yml
+++ b/.github/workflows/asana.yml
@@ -6,11 +6,17 @@ on:
 - opened
 - closed
+permissions:
+ contents: read
+
 jobs:
 update_task_on_pr_open:
 if: ${{ github.event.pull_request.state == 'open' }}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ egress-policy: audit
 - uses: panther-labs/github-asana-action@v3.0.7
 name: Adds a comment to the related Asana task whenever a PR has been opened
 with:
@@ -30,6 +36,9 @@ jobs:
 if: ${{ github.event.pull_request.state == 'closed' }}
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ egress-policy: audit
 - uses: panther-labs/github-asana-action@v3.0.7
 name: Adds a comment to the related Asana task when the PR is closed
 with:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50621d20..30dcb9d3 100644
--- a/.github/workflows/ci.yml
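Review bot: `egress-policy: audit` on the new harden-runner step only records the job's outbound connections and blocks nothing, so this file does not yet get the "block policies" the commit title promises; the identical step in the second hunk of this file has the same gap. Once one audit run has shown which hosts the Asana action contacts, switch both steps to `egress-policy: block` with `allowed-endpoints: >` listing only those hosts (`github.com:443` plus the Asana API host taken from the audit report, not guessed), the way ci.yml does in this same commit. The new step is pinned to a full SHA with a `# v2.8.0` trailer, while `panther-labs/github-asana-action@v3.0.7` on the very next line stays on a mutable tag; pinning it the same way would make the hunk self-consistent.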
+++ b/.github/workflows/ci.yml
@@ -1,9 +1,21 @@
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 ci:
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: > files.pythonhosted.org:443 github.com:443 ipinfo.io:443 pypi.org:443
 - name: Checkout
 uses: actions/checkout@v3.1.0
 - name: Setup Python
diff --git a/.github/workflows/fmt.yml b/.github/workflows/fmt.yml
index 95d9c03b..157b6f88 100644
--- a/.github/workflows/fmt.yml
+++ b/.github/workflows/fmt.yml
@@ -6,10 +6,21 @@ on:
 branches:
 - '*' # Match all branches
+permissions:
+ contents: write
+
 jobs:
 fmt:
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: > files.pythonhosted.org:443 github.com:443 pypi.org:443
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/test_release_publish.yml b/.github/workflows/test_release_publish.yml
index 58caa8aa..445980c5 100644
--- a/.github/workflows/test_release_publish.yml
+++ b/.github/workflows/test_release_publish.yml
@@ -3,11 +3,18 @@ name: Build, Test, Publish Github and PyPI Releases
 on:
 workflow_dispatch:
+permissions:
+ contents: write
+
 jobs:
 publish_github_release_and_pypi:
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ egress-policy: audit
+
 - name: Check out the repository
 uses: actions/checkout@v3
 with:
diff --git a/.github/workflows/version_bump_pr.yml b/.github/workflows/version_bump_pr.yml
index 2a2d3457..3fe3f741 100644
--- a/.github/workflows/version_bump_pr.yml
+++ b/.github/workflows/version_bump_pr.yml
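Review bot: `ipinfo.io:443` in the new `allowed-endpoints` list is the only entry that is neither GitHub nor a package index, and nothing in the hunk says which test or tool needs it, so a later reviewer has no way to tell a deliberate allowance from an entry copied out of an audit log. Add a comment above the key — a `#` line inside the folded `>` scalar would become part of the value, not a comment — e.g. `# ipinfo.io: reached by <test or tool> — TODO confirm; drop it if that test can run offline`. Because `egress-policy: block` fails the job on any host not listed rather than logging it, the Setup Python step (its `uses:` line is outside the hunk) will also need its download host allowed if the requested interpreter is not already in the runner tool cache; the audit report from a prior run is the place to check that before merging.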
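Review bot: the new workflow-level `permissions: contents: write` in fmt.yml is not explained, and since this workflow runs on every `push` to `branches: - '*'`, the write token is issued for every branch build; a one-line comment should record why, e.g. `# contents: write — presumably so the fmt job can push formatting commits back to the branch; confirm against the push step`, since the step that would use it lies outside the hunk. If that step is the only consumer, placing the `permissions:` block under the `fmt` job instead of at workflow scope keeps any job added later at read-only by default. The `disable-sudo: true` plus `egress-policy: block` pairing here is the strictest of the five workflows and is the right shape for a job that holds a write token.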
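Review bot: the publish job in test_release_publish.yml holds the most sensitive credentials in the repo — `contents: write` plus, going by the workflow name, a PyPI publishing secret used by steps outside the hunk — yet its new harden-runner step is `egress-policy: audit`, which only logs outbound connections, so nothing stops build-time code from sending those tokens to an arbitrary host. After one audit run, change it to `egress-policy: block` with `disable-sudo: true` and an `allowed-endpoints: >` list taken from the report (expect `github.com:443`, `pypi.org:443`, `files.pythonhosted.org:443` and the PyPI upload host, but confirm each against the report rather than guessing). A comment above `allowed-endpoints:` naming why each host beyond the CI set is needed keeps the list reviewable. The version_bump_pr.yml hunk carries the same audit-only setting, but it is cut off at the end of this page.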
@@ -8,11 +8,17 @@ on:
 required: true
 default: 'minor'
+permissions:
+ contents: write
+
 jobs:
 version_bump_pr:
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+ with:
+ egress-policy: audit
 - name: Check out the repository
 uses: actions/checkout@v3
 with: