
Commit b3c15ce

authored
Merge pull request #132 from step-security/chore/GHA-291518-stepsecurity-remediation
[StepSecurity] Apply security best practices
2 parents 681fcba + f76765d commit b3c15ce


1 file changed

+20
-5
lines changed


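--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,12 +30,17 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v5
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
 
 - name: Use Node.js 24.x
-uses: actions/setup-node@v5
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version: 24.x
 
@@ -72,12 +77,17 @@ jobs:
 permissions:
 contents: read
 steps:
-- uses: actions/checkout@v5
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
+- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 persist-credentials: false
 
 - name: Use Node.js 24.x
-uses: actions/setup-node@v5
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with:
 node-version: 24.x
 
@@ -97,7 +107,7 @@ jobs:
 id: diff
 
 # If index.js was different than expected, upload the expected version as an artifact
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: ${{ failure() && steps.diff.conclusion == 'failure' }}
 with:
 name: dist
@@ -111,6 +121,11 @@ jobs:
 - match
 timeout-minutes: 30
 steps:
+- name: Harden the runner (Audit all outbound calls)
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
 - name: Decide whether the needed jobs succeeded or failed
 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
 with: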
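Review bot: The three added harden-runner steps (new lines 33-36, 80-83 and 124-127) set `egress-policy: audit`, which only records outbound connections and does not stop any of them, so a compromised action or dependency in these jobs could still reach an arbitrary host. Once a few runs have produced a baseline, the steps should move to `egress-policy: block` with an `allowed-endpoints:` list of the hosts seen in the audit reports; until then a comment such as `# audit only: switch to block once the endpoint baseline is reviewed` would make the interim state explicit. The pinned SHAs are what the runner resolves, while the trailing `# v5.0.0`-style comments are not checked by anything, so whatever process updates the pins has to update the comments with them. Each job's step list continues outside these hunks.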
