From db42c1dfa082aaf8f89db6f48db66faf90eab88c Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Tue, 14 Jul 2026 23:44:26 +0000 Subject: [PATCH] Apply GitHub Actions security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 8 ++++++ .github/workflows/check-signed-commits.yml | 8 ++++++ .github/workflows/ok-to-test.yml | 10 ++++++- .github/workflows/validate.yml | 32 +++++++++++++++++----- 4 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..9cbb9b7c --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 diff --git a/.github/workflows/check-signed-commits.yml b/.github/workflows/check-signed-commits.yml index 42547210..db0700c6 100644 --- a/.github/workflows/check-signed-commits.yml +++ b/.github/workflows/check-signed-commits.yml @@ -1,6 +1,9 @@ name: Check signed commits in PR on: pull_request_target +permissions: + contents: read + jobs: build: name: Check signed commits in PR @@ -9,5 +12,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check signed commits in PR uses: 1Password/check-signed-commits-action@main diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml index 136e4fdf..3d7f1553 100644 --- a/.github/workflows/ok-to-test.yml +++ b/.github/workflows/ok-to-test.yml @@ -5,6 +5,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: ok-to-test: runs-on: ubuntu-latest @@ -14,8 +17,13 @@ jobs: # Only run for PRs, not issue comments if: ${{ github.event.issue.pull_request }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Slash Command Dispatch - uses: peter-evans/slash-command-dispatch@v3 + uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2 with: token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 89269365..5669e0cc 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -11,6 +11,9 @@ on: repository_dispatch: types: [ ok-to-test-command ] +permissions: + contents: read + jobs: test-trusted: @@ -22,9 +25,14 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: ${{ matrix.python-version }} - name: Integration Test @@ -48,10 +56,15 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.x' @@ -83,13 +96,18 @@ jobs: steps: # Check out merge commit + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Fork based /ok-to-test checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: ${{ github.event.client_payload.pull_request.head.sha }} - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.x' @@ -112,7 +130,7 @@ jobs: python example/example.py # Update check run called "integration-fork" on the forked PR - - uses: actions/github-script@v6 + - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 id: update-check-run if: ${{ always() }} env: