From cdc0666d46834a7f8d397dcef6357de9121deb73 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Wed, 15 Jul 2026 17:36:51 +0000 Subject: [PATCH] Apply GitHub Actions security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 19 ++++++++++++++ .github/workflows/check-flake.yml | 7 ++++- .github/workflows/pr-check-signed-commits.yml | 8 ++++++ .github/workflows/test.yaml | 26 +++++++++++++++---- .../workflows/update-flake-dependencies.yml | 7 ++++- 5 files changed, 60 insertions(+), 7 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..87e2331ff --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,19 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + cooldown: + default-days: 7 + + - package-ecosystem: gomod + directory: / + schedule: + interval: weekly + day: monday + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 diff --git a/.github/workflows/check-flake.yml b/.github/workflows/check-flake.yml index 3905d2049..8a72490b4 100644 --- a/.github/workflows/check-flake.yml +++ b/.github/workflows/check-flake.yml @@ -11,7 +11,12 @@ jobs: check-flake: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 with: diff --git a/.github/workflows/pr-check-signed-commits.yml b/.github/workflows/pr-check-signed-commits.yml index 425472107..db0700c64 100644 --- a/.github/workflows/pr-check-signed-commits.yml +++ b/.github/workflows/pr-check-signed-commits.yml @@ -1,6 +1,9 @@ name: Check signed commits in PR on: pull_request_target +permissions: + contents: read + jobs: build: name: Check signed commits in PR @@ -9,5 +12,10 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check signed commits in PR uses: 1Password/check-signed-commits-action@main diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 03edd1c69..83046df7a 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -10,16 +10,24 @@ on: - "**.md" - ".github/ISSUE_TEMPLATE/**" +permissions: + contents: read + jobs: build: name: Test runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Set up Go 1.x - uses: actions/setup-go@v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: ^1.18 @@ -29,19 +37,27 @@ jobs: - name: Validate run: make validate golangci: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Lint runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + - name: Check out code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: "Set up Go 1.x" - uses: actions/setup-go@v6 + uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 with: go-version: 1.19 - name: Lint with golangci-lint - uses: golangci/golangci-lint-action@ba0d7d2ec06a0ea1cb5fa41b2e4a3ab91d21278a # v9 + uses: step-security/golangci-lint-action@ce3368d2f0a15c79206a120861e3f847c8beb466 # v9.2.1 with: # version of golangci-lint to use # Version should stay in sync with version used for local linting (lint job in Makefile). diff --git a/.github/workflows/update-flake-dependencies.yml b/.github/workflows/update-flake-dependencies.yml index ff5e0923e..1c318002e 100644 --- a/.github/workflows/update-flake-dependencies.yml +++ b/.github/workflows/update-flake-dependencies.yml @@ -8,7 +8,12 @@ jobs: update-dependencies: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 + with: + egress-policy: audit + + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - uses: DeterminateSystems/nix-installer-action@ef8a148080ab6020fd15196c2084a2eea5ff2d25 # v22 - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13 with: