[StepSecurity] ci: Harden GitHub Actions (#833)

step-security-bot · web-flow · commit f6120f5f2aa3 · 2025-02-17T17:50:37.000+01:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/lf-build-linux-aarch64.yml b/.github/workflows/lf-build-linux-aarch64.yml
@@ -33,6 +33,11 @@ jobs:
     steps:
       # Transform the space‐separated string into a valid JSON array using shell commands (with sed),
       # then pass that result as an output to be used in the matrix of a subsequent job.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - id: set-matrix
         run: |
           # Grab the space-separated input value
@@ -141,8 +146,13 @@ jobs:
       - 'ubuntu-24.04-arm'
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: 'Download all artifacts'
-        uses: 'actions/download-artifact@v4'
+        uses: 'actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8'
         with:
           path: '/tmp/artifacts'
 
diff --git a/.github/workflows/lf-build-linux-x86_64.yml b/.github/workflows/lf-build-linux-x86_64.yml
@@ -33,6 +33,11 @@ jobs:
     steps:
       # Transform the space‐separated string into a valid JSON array using shell commands (with sed),
       # then pass that result as an output to be used in the matrix of a subsequent job.
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - id: set-matrix
         run: |
           # Grab the space-separated input value
@@ -141,8 +146,13 @@ jobs:
       - 'ubuntu-24.04'
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: 'Download all artifacts'
-        uses: 'actions/download-artifact@v4'
+        uses: 'actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8'
         with:
           path: '/tmp/artifacts'
 
diff --git a/.github/workflows/lf-build-windows-x86_64.yml b/.github/workflows/lf-build-windows-x86_64.yml
@@ -105,7 +105,7 @@ jobs:
           name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-compiled.${{ env.LFMP_ARCH }}"
 
       - name: 'Sign the compiled plugins'
-        uses: 'signpath/github-action-submit-signing-request@v1.1'
+        uses: 'signpath/github-action-submit-signing-request@3c306158facd969ebdb385c6845dee38afc2ebf9 # v1.1'
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
@@ -154,7 +154,7 @@ jobs:
           name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-packaged.${{ env.LFMP_ARCH }}"
 
       - name: 'Sign the package'
-        uses: 'signpath/github-action-submit-signing-request@v1.1'
+        uses: 'signpath/github-action-submit-signing-request@3c306158facd969ebdb385c6845dee38afc2ebf9 # v1.1'
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
