[StepSecurity] ci: Harden GitHub Actions (#1034)
* [StepSecurity] ci: Harden GitHub Actions in ci.yml * [StepSecurity] ci: Harden GitHub Actions in codeql-analysis.yml
This commit is contained in:
Step Security Bot
GitHub
parent
8415c4a005
commit
0095cd8ca2
|
|
@ -35,6 +35,11 @@ jobs:
|
||||||
- "pypy-3.8"
|
- "pypy-3.8"
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/setup-python@v4
|
- uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|
@ -60,6 +65,11 @@ jobs:
|
||||||
needs: tests
|
needs: tests
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/setup-python@v4
|
- uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|
@ -90,6 +100,11 @@ jobs:
|
||||||
name: Build docs & run doctests
|
name: Build docs & run doctests
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/setup-python@v4
|
- uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|
@ -103,6 +118,11 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: hynek/build-and-inspect-python-package@v1
|
- uses: hynek/build-and-inspect-python-package@v1
|
||||||
|
|
||||||
|
|
@ -114,6 +134,11 @@ jobs:
|
||||||
os: [ubuntu-latest, windows-latest]
|
os: [ubuntu-latest, windows-latest]
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v3
|
||||||
- uses: actions/setup-python@v4
|
- uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|
@ -133,6 +158,11 @@ jobs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- name: Decide whether the needed jobs succeeded or failed
|
- name: Decide whether the needed jobs succeeded or failed
|
||||||
uses: re-actors/alls-green@release/v1
|
uses: re-actors/alls-green@release/v1
|
||||||
with:
|
with:
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,9 @@ on:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '30 22 * * 4'
|
- cron: '30 22 * * 4'
|
||||||
|
|
||||||
|
permissions: # added using https://github.com/step-security/secure-workflows
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
analyze:
|
analyze:
|
||||||
name: Analyze
|
name: Analyze
|
||||||
|
|
@ -24,6 +27,11 @@ jobs:
|
||||||
language: [ 'python' ]
|
language: [ 'python' ]
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
- name: Harden Runner
|
||||||
|
uses: step-security/harden-runner@v1
|
||||||
|
with:
|
||||||
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue