From 2033afc794e088e449d6ce8b1efeeb859d1ecfec Mon Sep 17 00:00:00 2001
From: "D. Ror"
Date: Wed, 10 Jul 2024 10:13:24 -0400
Subject: [PATCH] [GHA] Add StepSecurity workflow updates (#3242)

Co-authored-by: StepSecurity Bot
---
 .github/actions/combine-build/action.yml | 4 ++--
 .github/workflows/dependency-review.yml | 27 ++++++++++++++++++++++++
 .github/workflows/deploy_qa.yml | 5 +++++
 .github/workflows/deploy_release.yml | 5 +++++
 4 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/actions/combine-build/action.yml b/.github/actions/combine-build/action.yml
index 0a53f53c00..c20e6521f5 100644
--- a/.github/actions/combine-build/action.yml
+++ b/.github/actions/combine-build/action.yml
@@ -41,14 +41,14 @@ runs:
       shell: bash
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v1-node16
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
       with:
         aws-access-key-id: ${{ inputs.aws_access_key_id }}
         aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
         aws-region: ${{ inputs.aws_default_region }}
 
     - name: Login to AWS ECR
-      uses: docker/login-action@v2
+      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
       with:
         registry: ${{ inputs.image_registry }}
         username: ${{ inputs.aws_access_key_id }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..7c99d2fd90
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
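Review bot: The two `uses:` lines in this hunk are multi-major jumps (`configure-aws-credentials` v1-node16 → v4.0.2, `docker/login-action` v2 → v3.1.0), and as far as I recall the v4/v3 lines of both actions moved to the Node 20 action runtime, so if this composite action is ever run on the project's self-hosted runners, confirm the runner version there supports node20 actions before merging; that is inferred from the versions, not from anything visible in the hunk. The AWS step still authenticates with a long-lived static key pair passed through `inputs.aws_access_key_id` / `inputs.aws_secret_access_key`; configure-aws-credentials v4 supports OIDC federation via `role-to-assume`, which would remove the stored secret entirely and is worth tracking as a follow-up to this pinning work. The trailing `# v4.0.2` / `# v3.1.0` comments are informational only — the SHA is what executes — so enable Dependabot or Renovate for the `github-actions` ecosystem so the comment and SHA stay in sync on future bumps.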
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: "Dependency Review"
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: "Dependency Review"
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
index d077971371..bcab832f05 100644
--- a/.github/workflows/deploy_qa.yml
+++ b/.github/workflows/deploy_qa.yml
@@ -97,6 +97,11 @@ jobs:
     if: ${{ github.ref_name == 'master' }}
     runs-on: [self-hosted, thecombine]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Deploy The Combine Update
         uses: ./.github/actions/combine-deploy-update
diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
index 63270ea76d..527c18d793 100644
--- a/.github/workflows/deploy_release.yml
+++ b/.github/workflows/deploy_release.yml
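Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections and blocks nothing, so the new workflow gains visibility but no enforcement; the deploy_qa and deploy_release hunks use the same audit-only setting. Once a few runs have produced the endpoint list, tighten this workflow first — it should only need GitHub's API — to `egress-policy: block` with an explicit `allowed-endpoints:` list, and carry the same change to the deploy jobs once their endpoints are known. The Dependency Review step runs with the action's defaults, so consider making the blocking threshold explicit with `fail-on-severity:` (for example `high`) rather than relying on whatever the default happens to be in v4.3.3. The action also depends on the repository's dependency graph being enabled, which on a private repository is a GitHub Advanced Security feature; the first run on a pull request will show whether it errors out, so verify that before marking the check as required.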
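Review bot: The added Harden Runner step sits in a job whose `runs-on: [self-hosted, thecombine]` is visible in the hunk's context, and as far as I know the harden-runner action's egress monitoring is built for GitHub-hosted runners; on a self-hosted runner the step may log a warning and do nothing unless StepSecurity's separate self-hosted agent is installed on that machine. Check the step output of the first post-merge run to confirm it actually installs the agent and produces an audit report. The deploy_release hunk adds the identical step to another `[self-hosted, thecombine]` job and shares this point. If it turns out to be a no-op on these runners, it is better removed than left as a misleading security signal in the workflow.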
@@ -66,6 +66,11 @@ jobs:
     needs: build
     runs-on: [self-hosted, thecombine]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 0