File tree Expand file tree Collapse file tree 15 files changed +192
-0
lines changed Expand file tree Collapse file tree 15 files changed +192
-0
lines changed Original file line number Diff line number Diff line change 2929 if : github.event.pull_request.draft == false
3030 runs-on : ubuntu-24.04
3131 steps :
32+ - name : Harden Runner
33+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
34+ with :
35+ egress-policy : audit
36+
3237 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
3338 - uses : dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
3439 id : changes
6166 PUSH : ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }}
6267
6368 steps :
69+ - name : Harden Runner
70+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
71+ with :
72+ egress-policy : audit
73+
6474 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
6575
6676 # Lint the Dockerfile first before setting anything up
@@ -199,6 +209,11 @@ jobs:
199209 DOCKER_REPO : ghcr.io/${{ github.repository }}
200210
201211 steps :
212+ - name : Harden Runner
213+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
214+ with :
215+ egress-policy : audit
216+
202217 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
203218 - name : Set up Docker Buildx
204219 uses : docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
@@ -240,5 +255,10 @@ jobs:
240255 platform : [linux/arm64/v8, linux/amd64, linux/arm/v7]
241256 runs-on : ubuntu-24.04
242257 steps :
258+ - name : Harden Runner
259+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
260+ with :
261+ egress-policy : audit
262+
243263 - run : ' echo "No build required"'
244264
Original file line number Diff line number Diff line change 4343 if : github.event.pull_request.draft == false
4444 runs-on : ubuntu-24.04
4545 steps :
46+ - name : Harden Runner
47+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
48+ with :
49+ egress-policy : audit
50+
4651 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
4752 - uses : dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
4853 id : changes
7277 # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
7378
7479 steps :
80+ - name : Harden Runner
81+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
82+ with :
83+ egress-policy : audit
84+
7585 - name : Checkout repository
7686 uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
7787
@@ -117,4 +127,9 @@ jobs:
117127 language : [ 'go', 'javascript' ]
118128 runs-on : ubuntu-24.04
119129 steps :
130+ - name : Harden Runner
131+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
132+ with :
133+ egress-policy : audit
134+
120135 - run : ' echo "No build required"'
Original file line number Diff line number Diff line change 1+ # Dependency Review Action
2+ #
3+ # This Action will scan dependency manifest files that change as part of a Pull Request,
4+ # surfacing known-vulnerable versions of the packages declared or updated in the PR.
5+ # Once installed, if the workflow run is marked as required,
6+ # PRs introducing known-vulnerable packages will be blocked from merging.
7+ #
8+ # Source repository: https://github.com/actions/dependency-review-action
9+ name : ' Dependency Review'
10+ on : [pull_request]
11+
12+ permissions :
13+ contents : read
14+
15+ jobs :
16+ dependency-review :
17+ runs-on : ubuntu-latest
18+ steps :
19+ - name : Harden Runner
20+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
21+ with :
22+ egress-policy : audit
23+
24+ - name : ' Checkout Repository'
25+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
26+ - name : ' Dependency Review'
27+ uses : actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
Original file line number Diff line number Diff line change 1919 if : github.event.pull_request.draft == false
2020 runs-on : ubuntu-24.04
2121 steps :
22+ - name : Harden Runner
23+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
24+ with :
25+ egress-policy : audit
26+
2227 - uses : actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5
Original file line number Diff line number Diff line change 3030 if : github.event.pull_request.draft == false
3131 runs-on : ubuntu-24.04
3232 steps :
33+ - name : Harden Runner
34+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
35+ with :
36+ egress-policy : audit
37+
3338 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
3439 - uses : dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
3540 id : changes
4752 name : Linting
4853 runs-on : ubuntu-24.04
4954 steps :
55+ - name : Harden Runner
56+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
57+ with :
58+ egress-policy : audit
59+
5060 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
5161
5262 # need to setup go toolchain explicitly
6676 name : Linting
6777 runs-on : ubuntu-24.04
6878 steps :
79+ - name : Harden Runner
80+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
81+ with :
82+ egress-policy : audit
83+
6984 - run : ' echo "No build required"'
Original file line number Diff line number Diff line change 1515 name : Validate PR title
1616 runs-on : ubuntu-24.04
1717 steps :
18+ - name : Harden Runner
19+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
20+ with :
21+ egress-policy : audit
22+
1823 - uses : amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
1924 env :
2025 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
Original file line number Diff line number Diff line change 1212 runs-on : ubuntu-latest
1313 name : Label the PR size
1414 steps :
15+ - name : Harden Runner
16+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
17+ with :
18+ egress-policy : audit
19+
1520 - uses : codelytv/pr-size-labeler@c7a55a022747628b50f3eb5bf863b9e796b8f274 # v1
1621 with :
1722 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
Original file line number Diff line number Diff line change 1010 goreleaser :
1111 runs-on : ubuntu-24.04
1212 steps :
13+ - name : Harden Runner
14+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
15+ with :
16+ egress-policy : audit
17+
1318 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
1419 with :
1520 submodules : true
Original file line number Diff line number Diff line change 1919 validate :
2020 runs-on : ubuntu-24.04
2121 steps :
22+ - name : Harden Runner
23+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
24+ with :
25+ egress-policy : audit
26+
2227 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2328 - uses : actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
2429 - run : npx --package renovate -c 'renovate-config-validator'
Original file line number Diff line number Diff line change 1919 id-token : write
2020
2121 steps :
22+ - name : Harden Runner
23+ uses : step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2
24+ with :
25+ egress-policy : audit
26+
2227 - name : ' Checkout code'
2328 uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2429 with :
You can’t perform that action at this time.
0 commit comments