diff --git a/.github/workflows/build-and-push-fleetctl-docker.yml b/.github/workflows/build-and-push-fleetctl-docker.yml index a42eb0ddd..8ae3c7069 100644 --- a/.github/workflows/build-and-push-fleetctl-docker.yml +++ b/.github/workflows/build-and-push-fleetctl-docker.yml @@ -29,6 +29,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/build-binaries.yaml b/.github/workflows/build-binaries.yaml index 29faa1eac..ed18437c7 100644 --- a/.github/workflows/build-binaries.yaml +++ b/.github/workflows/build-binaries.yaml @@ -24,6 +24,11 @@ jobs: build-binaries: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/build-orbit.yaml b/.github/workflows/build-orbit.yaml index 40e3c8490..09f296aec 100644 --- a/.github/workflows/build-orbit.yaml +++ b/.github/workflows/build-orbit.yaml @@ -33,6 +33,11 @@ jobs: build: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/check-tuf-timestamps.yml b/.github/workflows/check-tuf-timestamps.yml index 4a67a3d5b..f5c01ec13 100644 --- a/.github/workflows/check-tuf-timestamps.yml +++ b/.github/workflows/check-tuf-timestamps.yml @@ -29,6 +29,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check remote timestamp.json file run: | expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 37e1fd985..246c6418a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -45,6 +45,11 @@ jobs: # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/deploy-fleet-website.yml b/.github/workflows/deploy-fleet-website.yml index 538291617..9fc044e13 100644 --- a/.github/workflows/deploy-fleet-website.yml +++ b/.github/workflows/deploy-fleet-website.yml @@ -34,6 +34,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Configure our access credentials for the Heroku CLI diff --git a/.github/workflows/deploy-vulnerability-dashboard.yml b/.github/workflows/deploy-vulnerability-dashboard.yml index 05c0b4ff8..5030c2eb1 100644 --- a/.github/workflows/deploy-vulnerability-dashboard.yml +++ b/.github/workflows/deploy-vulnerability-dashboard.yml @@ -22,6 +22,11 @@ jobs: node-version: [14.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Configure our access credentials for the Heroku CLI diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8b0b3a22f..ec0df78a4 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -28,6 +28,11 @@ jobs: contents: read # to read files to check dead links runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15 with: diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml index 393102abd..d13d2f476 100644 --- a/.github/workflows/dogfood-deploy.yml +++ b/.github/workflows/dogfood-deploy.yml @@ -41,6 +41,11 @@ jobs: name: Deploy Fleet Dogfood Environment runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b - id: fail-on-main run: "false" diff --git a/.github/workflows/dogfood-gitops.yml b/.github/workflows/dogfood-gitops.yml index de7974b29..43761a5fb 100644 --- a/.github/workflows/dogfood-gitops.yml +++ b/.github/workflows/dogfood-gitops.yml @@ -22,6 +22,11 @@ jobs: timeout-minutes: 10 runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout our repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/fleet-and-orbit.yml b/.github/workflows/fleet-and-orbit.yml index 29d4d82c7..2849c0f56 100644 --- a/.github/workflows/fleet-and-orbit.yml +++ b/.github/workflows/fleet-and-orbit.yml @@ -44,6 +44,11 @@ jobs: address: ${{ steps.gen.outputs.address }} enroll_secret: ${{ steps.gen.outputs.enroll_secret }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - id: gen run: | UUID=$(uuidgen) @@ -62,6 +67,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -171,6 +181,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -214,6 +229,11 @@ jobs: # or if we revise our minimum supported macOS version. runs-on: macos-12 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -255,6 +275,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, build-macos-targets] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -317,6 +342,11 @@ jobs: runs-on: macos-latest needs: [gen, run-tuf-and-gen-pkgs] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -366,6 +396,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, run-tuf-and-gen-pkgs] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download deb id: download uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 @@ -412,6 +447,11 @@ jobs: needs: [gen, run-tuf-and-gen-pkgs] runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download msi id: download uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2 diff --git a/.github/workflows/fleetctl-preview-latest.yml b/.github/workflows/fleetctl-preview-latest.yml index 839072ed8..dda4e0f73 100644 --- a/.github/workflows/fleetctl-preview-latest.yml +++ b/.github/workflows/fleetctl-preview-latest.yml @@ -57,6 +57,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/fleetctl-preview.yml b/.github/workflows/fleetctl-preview.yml index 9bcfdb737..ab9a69c2b 100644 --- a/.github/workflows/fleetctl-preview.yml +++ b/.github/workflows/fleetctl-preview.yml @@ -27,6 +27,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Test fleetctl preview run: | npm install -g fleetctl diff --git a/.github/workflows/fleetd-tuf.yml b/.github/workflows/fleetd-tuf.yml index 26faf617c..c1617cb86 100644 --- a/.github/workflows/fleetd-tuf.yml +++ b/.github/workflows/fleetd-tuf.yml @@ -25,6 +25,11 @@ jobs: pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/generate-desktop-targets.yml b/.github/workflows/generate-desktop-targets.yml index b2557c1a0..fef2d6075 100644 --- a/.github/workflows/generate-desktop-targets.yml +++ b/.github/workflows/generate-desktop-targets.yml @@ -40,6 +40,11 @@ jobs: runs-on: macos-12 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -88,6 +93,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -111,6 +121,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/generate-nudge-targets.yml b/.github/workflows/generate-nudge-targets.yml index b1771f670..4b7f025f4 100644 --- a/.github/workflows/generate-nudge-targets.yml +++ b/.github/workflows/generate-nudge-targets.yml @@ -33,6 +33,11 @@ jobs: generate-macos: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/generate-osqueryd-targets.yml b/.github/workflows/generate-osqueryd-targets.yml index e2d4933e6..0af9f64be 100644 --- a/.github/workflows/generate-osqueryd-targets.yml +++ b/.github/workflows/generate-osqueryd-targets.yml @@ -33,6 +33,11 @@ jobs: generate-macos: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -49,6 +54,11 @@ jobs: generate-linux: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -69,6 +79,11 @@ jobs: generate-windows: runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 6de7068cc..1d00e3c0d 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -41,6 +41,11 @@ jobs: go-version: ['${{ vars.GO_VERSION }}'] runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml index 8f8f2cd67..f192a624f 100644 --- a/.github/workflows/goreleaser-fleet.yaml +++ b/.github/workflows/goreleaser-fleet.yaml @@ -25,6 +25,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: diff --git a/.github/workflows/goreleaser-orbit.yaml b/.github/workflows/goreleaser-orbit.yaml index 1efd3faec..2f1eb3905 100644 --- a/.github/workflows/goreleaser-orbit.yaml +++ b/.github/workflows/goreleaser-orbit.yaml @@ -24,6 +24,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -73,6 +78,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -101,6 +111,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/goreleaser-snapshot-fleet.yaml b/.github/workflows/goreleaser-snapshot-fleet.yaml index c6fb9c141..65ac166c1 100644 --- a/.github/workflows/goreleaser-snapshot-fleet.yaml +++ b/.github/workflows/goreleaser-snapshot-fleet.yaml @@ -40,6 +40,11 @@ jobs: runs-on: ubuntu-20.04 environment: Docker Hub steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 04f61e743..a6200e984 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -31,6 +31,11 @@ jobs: subdomain: ${{ steps.gen.outputs.subdomain }} address: ${{ steps.gen.outputs.address }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - id: gen run: | UUID=$(uuidgen) @@ -41,6 +46,11 @@ jobs: runs-on: ubuntu-latest needs: gen steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Start tunnel env: CERT_PEM: ${{ secrets.CLOUDFLARE_TUNNEL_FLEETUEM_CERT_B64 }} @@ -136,6 +146,11 @@ jobs: token: ${{ steps.login.outputs.token }} steps: # Download fleet and fleetctl binaries from last successful build on main + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Download binaries uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 with: @@ -178,6 +193,11 @@ jobs: runs-on: macos-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -234,6 +254,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies run: | npm install -g fleetctl @@ -299,6 +324,11 @@ jobs: runs-on: ubuntu-latest needs: [gen, login] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies run: | docker pull fleetdm/wix:latest & @@ -335,6 +365,11 @@ jobs: needs: [gen, login, orbit-windows-build] runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install dependencies shell: bash run: | diff --git a/.github/workflows/pr-helm.yaml b/.github/workflows/pr-helm.yaml index c81c21f7b..4f119e04a 100644 --- a/.github/workflows/pr-helm.yaml +++ b/.github/workflows/pr-helm.yaml @@ -28,6 +28,11 @@ jobs: kube-version: [1.16.0, 1.17.0, 1.18.0] # kubeval is currently lagging behind the active schema versions, so these are the ones we can test against. see https://github.com/instrumenta/kubernetes-json-schema/issues/26 runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: create temp dir diff --git a/.github/workflows/push-osquery-perf-to-ecr.yml b/.github/workflows/push-osquery-perf-to-ecr.yml index c905c92e0..0760d0390 100644 --- a/.github/workflows/push-osquery-perf-to-ecr.yml +++ b/.github/workflows/push-osquery-perf-to-ecr.yml @@ -35,6 +35,11 @@ jobs: build-docker: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-fleetd-chrome-beta.yml b/.github/workflows/release-fleetd-chrome-beta.yml index 7c81d9be4..8f50b02d6 100644 --- a/.github/workflows/release-fleetd-chrome-beta.yml +++ b/.github/workflows/release-fleetd-chrome-beta.yml @@ -24,6 +24,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-fleetd-chrome.yml b/.github/workflows/release-fleetd-chrome.yml index dc168426d..6751d7705 100644 --- a/.github/workflows/release-fleetd-chrome.yml +++ b/.github/workflows/release-fleetd-chrome.yml @@ -25,6 +25,11 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/release-helm.yaml b/.github/workflows/release-helm.yaml index 91ef4e34c..d6d738c36 100644 --- a/.github/workflows/release-helm.yaml +++ b/.github/workflows/release-helm.yaml @@ -24,6 +24,11 @@ jobs: contents: write # to push helm charts runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 with: diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml index af1990e9c..59dfd8a7f 100644 --- a/.github/workflows/scorecards-analysis.yml +++ b/.github/workflows/scorecards-analysis.yml @@ -24,6 +24,11 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.github/workflows/test-db-changes.yml b/.github/workflows/test-db-changes.yml index 46aafcc9d..301645008 100644 --- a/.github/workflows/test-db-changes.yml +++ b/.github/workflows/test-db-changes.yml @@ -30,6 +30,11 @@ jobs: test-db-changes: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-fleetd-chrome.yml b/.github/workflows/test-fleetd-chrome.yml index d9772cf22..82fa08fc8 100644 --- a/.github/workflows/test-fleetd-chrome.yml +++ b/.github/workflows/test-fleetd-chrome.yml @@ -31,6 +31,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/test-go.yaml b/.github/workflows/test-go.yaml index 0a924f387..69c9b3be6 100644 --- a/.github/workflows/test-go.yaml +++ b/.github/workflows/test-go.yaml @@ -52,6 +52,11 @@ jobs: GO_TEST_TIMEOUT: 15m steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-js.yml b/.github/workflows/test-js.yml index d0e660ba7..9d6352373 100644 --- a/.github/workflows/test-js.yml +++ b/.github/workflows/test-js.yml @@ -37,6 +37,11 @@ jobs: steps: # Set the Node.js version + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Node.js ${{ vars.NODE_VERSION }} uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: @@ -76,6 +81,11 @@ jobs: steps: # Set the Node.js version + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Set up Node.js ${{ vars.NODE_VERSION }} uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: diff --git a/.github/workflows/test-native-tooling-packaging.yml b/.github/workflows/test-native-tooling-packaging.yml index a109100ff..db242cee0 100644 --- a/.github/workflows/test-native-tooling-packaging.yml +++ b/.github/workflows/test-native-tooling-packaging.yml @@ -45,6 +45,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/test-packaging.yml b/.github/workflows/test-packaging.yml index bdf5940aa..113f3c33c 100644 --- a/.github/workflows/test-packaging.yml +++ b/.github/workflows/test-packaging.yml @@ -51,6 +51,11 @@ jobs: # Docker needs to be installed manually on macOS. # From https://github.com/docker/for-mac/issues/2359#issuecomment-943131345 # FIXME: lock Docker version to 4.10.0 as newer versions fail to initialize + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Docker timeout-minutes: 20 if: matrix.os == 'macos-latest' diff --git a/.github/workflows/test-puppet.yml b/.github/workflows/test-puppet.yml index 82531fc27..f537913a5 100644 --- a/.github/workflows/test-puppet.yml +++ b/.github/workflows/test-puppet.yml @@ -28,6 +28,11 @@ jobs: test-puppet: runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Puppet Development Kit run: brew install --cask puppetlabs/puppet/pdk diff --git a/.github/workflows/test-vulnerability-dashboard-changes.yml b/.github/workflows/test-vulnerability-dashboard-changes.yml index 6c7cf2e2a..d2c5cb45f 100644 --- a/.github/workflows/test-vulnerability-dashboard-changes.yml +++ b/.github/workflows/test-vulnerability-dashboard-changes.yml @@ -23,6 +23,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Set the Node.js version diff --git a/.github/workflows/test-website.yml b/.github/workflows/test-website.yml index a9fd54ef3..3045c9d4a 100644 --- a/.github/workflows/test-website.yml +++ b/.github/workflows/test-website.yml @@ -32,6 +32,11 @@ jobs: node-version: [16.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # Set the Node.js version diff --git a/.github/workflows/test-yml-specs.yml b/.github/workflows/test-yml-specs.yml index d4e0ed7db..75e46d6af 100644 --- a/.github/workflows/test-yml-specs.yml +++ b/.github/workflows/test-yml-specs.yml @@ -37,6 +37,11 @@ jobs: runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Install Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml index 05da7c6e6..6513377a0 100644 --- a/.github/workflows/tfvalidate.yml +++ b/.github/workflows/tfvalidate.yml @@ -30,6 +30,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Clone repo uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml index 0d362fe9b..9e0686c46 100644 --- a/.github/workflows/trivy-scan.yml +++ b/.github/workflows/trivy-scan.yml @@ -34,6 +34,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 diff --git a/.github/workflows/update-certs.yml b/.github/workflows/update-certs.yml index 1aa054f68..c5227657f 100644 --- a/.github/workflows/update-certs.yml +++ b/.github/workflows/update-certs.yml @@ -25,6 +25,11 @@ jobs: pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v.24.0