chore: [StepSecurity] Harden GitHub Actions (#515)

step-security-bot · web-flow · commit 799a6d53da04 · 2023-02-23T08:52:56.000-08:00
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -9,11 +9,16 @@ jobs:
       matrix:
         runtime: ['nodejs10', 'nodejs12', 'nodejs14', 'nodejs16']
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: ${{ matrix.node-version }}
 
@@ -25,7 +30,7 @@ jobs:
       run: npm install
 
     - name: Install conformance client
-      uses: GoogleCloudPlatform/functions-framework-conformance/.github/actions/client/install@v1.7.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/.github/actions/client/install@42e1d91749b9c9d59fe405c254dc5de4b3b801ca # v1.7.0
       with:
         client-version: v1.7.0
         cache-path: ~/client
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -4,13 +4,21 @@ on:
     branches:
     - master
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   docs:
     runs-on: ubuntu-18.04
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Setup Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: '14'
     - name: Install dependencies
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,13 +4,21 @@ on:
     branches:
     - master
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-18.04
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Setup Node.js
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
     - name: Install dependencies
       run: npm install
     - name: Build TypeScript project
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -3,17 +3,25 @@ on:
     types: [created]
   workflow_dispatch:
 name: publish
+permissions:
+  contents: read
+
 jobs:
   publish-to-npm:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '16.x'
       - run: npm install
       - run: npm run build
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '16.x'
           registry-url: 'https://wombat-dressing-room.appspot.com'
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -24,6 +24,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -4,6 +4,9 @@ on:
     branches:
     - master
   pull_request:
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -12,10 +15,15 @@ jobs:
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
     - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v3
+      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
       with:
         node-version: ${{ matrix.node-version }}
     - name: Install dependencies
