From 8bdbb284da34e5effd48bb7d5e6306cdcbafabfb Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 16 Sep 2025 19:03:42 +0100
Subject: [PATCH] chore(ci): enable harden-runner action on all workflows
---
 .github/workflows/build-dx-hwe.yml | 5 +++++
 .github/workflows/build-iso.yml | 10 ++++++++++
 .github/workflows/build-regular-hwe.yml | 5 +++++
 .github/workflows/content-filter.yaml | 9 +++++++--
 .../workflows/generate-changelog-release.yml | 6 +++++-
 .github/workflows/reusable-build-image.yml | 20 +++++++++++++++++++
 .github/workflows/validate-renovate.yaml | 5 +++++
 7 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-dx-hwe.yml b/.github/workflows/build-dx-hwe.yml
index 50b8441c..43320e8f 100644
--- a/.github/workflows/build-dx-hwe.yml
+++ b/.github/workflows/build-dx-hwe.yml
@@ -41,6 +41,11 @@ jobs:
packages: write
id-token: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index f7a0d105..8e0a7940 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -31,6 +31,11 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Set Build Matrix
id: set-matrix
run: |
@@ -57,6 +62,11 @@ jobs:
id-token: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
diff --git a/.github/workflows/build-regular-hwe.yml b/.github/workflows/build-regular-hwe.yml
index 6fb62b6a..0e773c02 100644
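Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it does not prevent a compromised dependency or action in these jobs from sending the `GITHUB_TOKEN`, the OIDC token granted by `id-token: write`, or registry credentials to an unexpected host. Once a few runs have produced an audit baseline, the jobs that publish (those with `packages: write` / `id-token: write`) should move to `egress-policy: block` with an explicit `allowed-endpoints:` list so that unknown destinations are denied rather than merely logged. The same applies to every other Harden Runner hunk in this patch (build-iso, build-regular-hwe, content-filter, generate-changelog-release, reusable-build-image, validate-renovate), so a short comment above the step such as `# TODO: switch to egress-policy: block once audit data is reviewed` would record the intent. The enclosing job definitions start outside these hunks.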
--- a/.github/workflows/build-regular-hwe.yml
+++ b/.github/workflows/build-regular-hwe.yml
@@ -40,6 +40,11 @@ jobs:
packages: write
id-token: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
diff --git a/.github/workflows/content-filter.yaml b/.github/workflows/content-filter.yaml
index 942136e9..dac26e57 100644
--- a/.github/workflows/content-filter.yaml
+++ b/.github/workflows/content-filter.yaml
@@ -11,5 +11,10 @@ jobs:
comment-filter:
runs-on: ubuntu-latest
steps:
- - name: Comment filter
- uses: DecimalTurn/Comment-Filter@9c95bdb06ae1dd6b8185d58f52a07a2a71e19d94 # v0.2.2
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
+ - name: Comment filter
+ uses: DecimalTurn/Comment-Filter@9c95bdb06ae1dd6b8185d58f52a07a2a71e19d94 # v0.2.2
diff --git a/.github/workflows/generate-changelog-release.yml b/.github/workflows/generate-changelog-release.yml
index 0092864f..7c50d178 100644
--- a/.github/workflows/generate-changelog-release.yml
+++ b/.github/workflows/generate-changelog-release.yml
@@ -40,6 +40,11 @@ jobs:
matrix:
version: ["lts"]
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout repository with full history
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
with:
@@ -97,4 +102,3 @@ jobs:
./output.env
./changelog.md
retention-days: 30
-
diff --git a/.github/workflows/reusable-build-image.yml b/.github/workflows/reusable-build-image.yml
index b3736c1a..28c31dac 100644
--- a/.github/workflows/reusable-build-image.yml
+++ b/.github/workflows/reusable-build-image.yml
@@ -72,6 +72,11 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Set matrix
id: set-matrix
env:
@@ -104,6 +109,11 @@ jobs:
image_tag: ${{ steps.build-image.outputs.image_tag }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Install dependencies
if: matrix.platform == 'arm64'
run: |
@@ -317,6 +327,11 @@ jobs:
image: ${{ steps.push_manifest.outputs.IMAGE }}
digest: ${{ steps.push_manifest.outputs.DIGEST }}
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Install dependencies
run: |
apk add jq git podman uutils bash conmon crun netavark fuse-overlayfs libstdc++
@@ -480,6 +495,11 @@ jobs:
packages: write
id-token: write
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Login to GitHub Container Registry
if: ${{ inputs.publish }}
env:
diff --git a/.github/workflows/validate-renovate.yaml b/.github/workflows/validate-renovate.yaml
index 80c7229d..7bcce4e5 100644
--- a/.github/workflows/validate-renovate.yaml
+++ b/.github/workflows/validate-renovate.yaml
@@ -16,6 +16,11 @@ jobs:
validate:
runs-on: ubuntu-latest
steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
+
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
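Review bot: The Harden Runner step added in the `@@ -317,6 +327,11 @@` hunk of reusable-build-image.yml is immediately followed by an `apk add …` install step, which suggests that job runs inside an Alpine container rather than directly on the Ubuntu runner; as far as I know harden-runner's agent is installed on the runner VM itself, so it may not observe egress from a `container:` job at all. Confirm from that job's run log that the step actually reports network activity, and if it does not, either drop the step there with a comment such as `# harden-runner not effective inside container jobs` or restructure the job so the monitoring applies. The `container:`/`runs-on:` keys that would settle this sit outside the hunk, as do the job definitions for the other three hunks in this file.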