[StepSecurity] ci: Harden GitHub Actions (#1034)

* [StepSecurity] ci: Harden GitHub Actions in ci.yml * [StepSecurity] ci: Harden GitHub Actions in codeql-analysis.yml
2022-09-28 23:04:18 -07:00 · 2022-09-28 23:04:18 -07:00 · 0095cd8ca2
parent 8415c4a005
commit 0095cd8ca2
2 changed files with 38 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -35,6 +35,11 @@ jobs:
          - "pypy-3.8"

    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
@ -60,6 +65,11 @@ jobs:
    needs: tests

    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
@ -90,6 +100,11 @@ jobs:
    name: Build docs & run doctests
    runs-on: ubuntu-latest
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
@ -103,6 +118,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - uses: actions/checkout@v3
      - uses: hynek/build-and-inspect-python-package@v1

@ -114,6 +134,11 @@ jobs:
        os: [ubuntu-latest, windows-latest]

    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
@ -133,6 +158,11 @@ jobs:
    runs-on: ubuntu-latest

    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v1
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -9,6 +9,9 @@ on:
  schedule:
    - cron: '30 22 * * 4'

+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
@ -24,6 +27,11 @@ jobs:
        language: [ 'python' ]

    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v1
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
    - name: Checkout repository
      uses: actions/checkout@v3