From 0095cd8ca24d15aa4e99f188eb9c229ed87cd22b Mon Sep 17 00:00:00 2001
From: Step Security Bot
Date: Wed, 28 Sep 2022 23:04:18 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#1034)

* [StepSecurity] ci: Harden GitHub Actions in ci.yml

* [StepSecurity] ci: Harden GitHub Actions in codeql-analysis.yml
---
 .github/workflows/ci.yml | 30 +++++++++++++++++++++++++++
 .github/workflows/codeql-analysis.yml | 8 +++++++
 2 files changed, 38 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2df2a233..7c7539df 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,6 +35,11 @@ jobs:
 - "pypy-3.8"
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
 with:
@@ -60,6 +65,11 @@ jobs:
 needs: tests
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
 with:
@@ -90,6 +100,11 @@ jobs:
 name: Build docs & run doctests
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
 with:
@@ -103,6 +118,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: actions/checkout@v3
 - uses: hynek/build-and-inspect-python-package@v1
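Review bot: `uses: step-security/harden-runner@v1` references a mutable tag, which is a weak choice for a step that runs first in every job and sits in the network path of every step after it — a retagged `v1` would be picked up by the next run without any change in this repository. Pin it to a full commit SHA and keep the version in a trailing comment, e.g. `uses: step-security/harden-runner@<full-commit-sha> # v1`, so that Dependabot or Renovate can still bump it; the same applies to each of the six identical Harden Runner steps this patch adds and, while the file is being hardened, to the `actions/checkout@v3` and `actions/setup-python@v4` context lines. Separately, `egress-policy: audit` only records outbound connections, so until the in-line TODO is acted on these steps add visibility but do not enforce anything — worth stating in the PR description so nobody assumes egress is already restricted.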
@@ -114,6 +134,11 @@ jobs:
 os: [ubuntu-latest, windows-latest]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - uses: actions/checkout@v3
 - uses: actions/setup-python@v4
 with:
@@ -133,6 +158,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Decide whether the needed jobs succeeded or failed
 uses: re-actors/alls-green@release/v1
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e43801ab..28635dd3 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,6 +9,9 @@ on:
 schedule:
 - cron: '30 22 * * 4'
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
@@ -24,6 +27,11 @@ jobs:
 language: [ 'python' ]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
 - name: Checkout repository
 uses: actions/checkout@v3
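Review bot: The Harden Runner step added in the `os: [ubuntu-latest, windows-latest]` matrix job will also execute on the `windows-latest` leg, and harden-runner's documented support is for GitHub-hosted Ubuntu runners; whether it degrades to a no-op or fails the job on Windows should be confirmed on a real run rather than assumed. If it is not a clean no-op, gate the step with `if: runner.os == 'Linux'` so the Windows leg keeps working while the Ubuntu leg still gets the egress audit. The job's header and `runs-on` line are above the hunk and not visible here, so I am inferring the matrix shape from the single context line.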
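Review bot: The new top-level `permissions: contents: read` in codeql-analysis.yml narrows the default `GITHUB_TOKEN` for every job in the workflow, but the CodeQL `analyze` job needs `security-events: write` to upload its SARIF results (and `actions: read` for private repositories), so the upload will fail with a 403 unless the job declares those itself. The lines between this hunk and the `steps:` hunk — where a job-level `permissions:` block would sit — are not in the diff, so please confirm one exists; if not, add to the `analyze` job `permissions:` with `actions: read`, `contents: read` and `security-events: write`. Keeping the workflow-level block at `contents: read` is still right; the elevation belongs on the job only.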