diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml index c8bb409..f41bc0c 100644 --- a/.github/workflows/_build.yaml +++ b/.github/workflows/_build.yaml @@ -26,6 +26,18 @@ jobs: Build: runs-on: ${{ inputs.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 + release-assets.githubusercontent.com:443 + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: @@ -72,7 +84,7 @@ jobs: run: python -m build - name: Store the distribution packages - uses: actions/upload-artifact@v7.0.1 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 # upload artifacts with the oldest supported version if: runner.os == 'linux' && inputs.python-version == '3.9' with: diff --git a/.github/workflows/_build_doc.yaml b/.github/workflows/_build_doc.yaml index dc4dbe2..39f0865 100644 --- a/.github/workflows/_build_doc.yaml +++ b/.github/workflows/_build_doc.yaml @@ -25,6 +25,13 @@ jobs: Build: runs-on: ${{ inputs.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + # sudo is required by the "Install dependencies" step below (apt-get pandoc) + disable-sudo: false + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/_codeql.yaml b/.github/workflows/_codeql.yaml index 1ec1dcc..6168e30 100644 --- a/.github/workflows/_codeql.yaml +++ b/.github/workflows/_codeql.yaml @@ -38,12 +38,18 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4.36.2 + uses: github/codeql-action/init@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: languages: python # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +62,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v4.36.2 + uses: github/codeql-action/autobuild@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 # â„šī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -69,6 +75,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4.36.2 + uses: github/codeql-action/analyze@1a818fd5f97ed0ee9a823421bd5b171add01227f # v4.36.2 with: category: "/language:python" diff --git a/.github/workflows/_pre_commit.yaml b/.github/workflows/_pre_commit.yaml index 2208574..9102684 100644 --- a/.github/workflows/_pre_commit.yaml +++ b/.github/workflows/_pre_commit.yaml @@ -18,6 +18,12 @@ jobs: Pre-Commit: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 diff --git a/.github/workflows/_test.yaml b/.github/workflows/_test.yaml index b301f49..9f9fd62 100644 --- a/.github/workflows/_test.yaml +++ b/.github/workflows/_test.yaml @@ -33,6 +33,12 @@ jobs: OS: ${{ inputs.os }} PYTHON: ${{ inputs.python-version }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml index ffd7e4d..f964568 100644 --- a/.github/workflows/cicd.yaml +++ b/.github/workflows/cicd.yaml @@ -103,14 +103,30 @@ jobs: name: testpypi url: https://test.pypi.org/p/python-cmethods steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + fulcio.sigstore.dev + ghcr.io + github.com:443 + pkg-containers.githubusercontent.com:443 + rekor.sigstore.dev + test.pypi.org + tuf-repo-cdn.sigstore.dev + uploads.github.com:443 + - name: Download all the distributions - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: python-package-distributions path: dist/ - name: Publish package distributions to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: repository-url: https://test.pypi.org/legacy/ @@ -138,13 +154,30 @@ jobs: name: pypi url: https://pypi.org/p/python-cmethods steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + fulcio.sigstore.dev + ghcr.io + github.com:443 + pkg-containers.githubusercontent.com:443 + pypi.org + rekor.sigstore.dev + tuf-repo-cdn.sigstore.dev + upload.pypi.org + uploads.github.com:443 + - name: Download all the distributions - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: python-package-distributions path: dist/ - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: repository-url: https://upload.pypi.org/legacy/ diff --git a/.github/workflows/dependabot_auto_approve.yaml b/.github/workflows/dependabot_auto_approve.yaml index 50d8862..cd2886f 100644 --- a/.github/workflows/dependabot_auto_approve.yaml +++ b/.github/workflows/dependabot_auto_approve.yaml @@ -22,9 +22,15 @@ jobs: runs-on: ubuntu-latest if: ${{ github.actor == 'dependabot[bot]' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v3.1.0 + uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0 with: github-token: "${{ secrets.GITHUB_TOKEN }}" - name: Approve a PR diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 9f9b7e4..bbc9f11 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,12 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + disable-sudo: true + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: