@@ -120,14 +120,19 @@ jobs:
120120
121121 runs-on : ubuntu-latest
122122 steps :
123+ - name : Harden the runner (Audit all outbound calls)
124+ uses : step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
125+ with :
126+ egress-policy : audit
127+
123128 - name : git-checkout-ref-action
124129 id : ref
125130 uses : ORCID/git-checkout-ref-action@main
126131 with :
127132 default_branch : ${{ github.event.repository.default_branch }}
128133 ref : ${{ inputs.ref }}
129134
130- - uses : actions/checkout@v4
135+ - uses : actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
131136 with :
132137 ref : ${{ steps.ref.outputs.ref }}
133138 # checkout some history so we can scan commits for bump messages
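Review bot: `uses: ORCID/git-checkout-ref-action@main` (context line between the new harden-runner step and the pinned checkout) is still a mutable branch reference, while every other action this commit touches is pinned to a full commit SHA with a version comment; a push to that branch changes what runs in this job without any diff in this file. Pin it the same way, `uses: ORCID/git-checkout-ref-action@<commit-sha> # <version>` (placeholder values, take them from the action's release), so the same update tooling tracks it. The new harden-runner step uses `egress-policy: audit`, which only records outbound calls and blocks nothing; that is a sensible first step, and its audit output is what tells you whether a later `block` policy with an allow-list would break the build. The enclosing job starts before this hunk.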
@@ -141,10 +146,10 @@ jobs:
141146 version_tag : ${{ inputs.version_tag }}
142147 bump : ${{ inputs.bump }}
143148
144- - uses : docker/setup-buildx-action@v3
149+ - uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
145150
146151 - name : Login to private registry
147- uses : docker/login-action@v3
152+ uses : docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
148153 with :
149154 registry : ${{ secrets.DOCKER_REG_PRIVATE }}
150155 username : ${{ secrets.DOCKER_USER }}
@@ -160,7 +165,7 @@ jobs:
160165 run : |
161166 echo ${{ steps.dynamic_defaults.outputs.default_file }}
162167
163- - uses : docker/build-push-action@v6
168+ - uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
164169 with :
165170 push : ${{ inputs.push }}
166171 tags : ${{ secrets.DOCKER_REG_PRIVATE }}/${{ matrix.docker_name}}:${{ steps.version.outputs.version_tag_numeric }}