From 12a74338d94463c79019be34770ff120cab8556c Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:59:24 +0000 Subject: [PATCH] Apply GitHub Actions security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 8 ++++++++ .github/workflows/pr-check-signed-commits.yml | 5 +++++ .github/workflows/release-pr.yml | 16 +++++++++++++--- .github/workflows/release.yml | 13 +++++++++---- .github/workflows/test.yml | 9 +++++++-- example/Dockerfile | 2 +- 6 files changed, 43 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..9cbb9b7 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/pr-check-signed-commits.yml b/.github/workflows/pr-check-signed-commits.yml index 584bac2..218adc5 100644 --- a/.github/workflows/pr-check-signed-commits.yml +++ b/.github/workflows/pr-check-signed-commits.yml @@ -11,5 +11,10 @@ jobs: name: Check signed commits in PR runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check signed commits in PR uses: 1Password/check-signed-commits-action@v1 diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index f0125c9..a56e48e 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -18,9 +18,14 @@ jobs: outputs: result: ${{ steps.is_release_branch_without_pr.outputs.result }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - id: is_release_branch_without_pr name: Find matching PR - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -46,7 +51,12 @@ jobs: name: Create Release Pull Request runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Parse release version id: get_version @@ -78,7 +88,7 @@ jobs: - name: Create Pull Request via API id: post_pr - uses: octokit/request-action@v2.x + uses: octokit/request-action@02f5e7c637a73a3b12ed81015fa7fb5f11cc5d7d # v2.x with: route: POST /repos/${{ github.repository }}/pulls title: ${{ format('Prepare Release - v{0}', steps.get_version.outputs.version) }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfe2942..391c03f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,12 +13,17 @@ jobs: runs-on: ubuntu-latest if: github.event.pull_request.merged == true && contains(github.event.pull_request.head.ref, 'release/') steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 with: fetch-depth: 0 - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.10' - name: Install dependencies @@ -29,7 +34,7 @@ jobs: - name: Build the package run: poetry build - name: Publish to PyPi - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: password: ${{ secrets.PYPI_API_TOKEN }} - name: Create Release tag @@ -40,7 +45,7 @@ jobs: release_tag=$(echo "$PR_REF" | cut -d "/" -f2) echo "::set-output name=release-tag::$release_tag" - name: Make new release - uses: ncipollo/release-action@v1 + uses: step-security/release-action@a0d8e0f90f554c15366ca2c9046bf4090d24adbe # v1.21.0 with: token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ steps.create-tag.outputs.release-tag }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 308e584..6c48191 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,12 +13,17 @@ jobs: name: Test runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.10' - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 - name: Install dependencies run: | python -m pip install --upgrade pip diff --git a/example/Dockerfile b/example/Dockerfile index c5ba4db..019935a 100644 --- a/example/Dockerfile +++ b/example/Dockerfile @@ -1,4 +1,4 @@ -FROM python:latest +FROM python:latest@sha256:2a8b92a1e9eb6ef2c888eb7e6c91283788c6d613fdc8fc22e12346aff7c4406d WORKDIR /usr/src/app