Skip to content

Commit c88d212

Browse files
Merge pull request #7 from chainguard-dev/chore/GHA-140720-stepsecurity-remediation
[StepSecurity] Apply security best practices
2 parents b3707e4 + 580a82c commit c88d212

2 files changed

Lines changed: 14 additions & 0 deletions

File tree

.github/workflows/release.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ env:
1414
JAVA_RUNTIME_IMAGE: "registry.access.redhat.com/ubi9/openjdk-17-runtime"
1515
VERTX_IMAGE_NAME: "cgr-demo-vertx-redis-client:latest"
1616

17+
permissions: {}
18+
1719
jobs:
1820
build:
1921
runs-on: ubuntu-latest
@@ -23,6 +25,11 @@ jobs:
2325
id-token: write
2426
steps:
2527

28+
- name: Harden the runner (Audit all outbound calls)
29+
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
30+
with:
31+
egress-policy: audit
32+
2633
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2734
with:
2835
fetch-depth: 1

.github/workflows/updates.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ on:
1414
env:
1515
REDIS_IMAGE: "cgr.dev/cgr-demo.com/redis-server-bitnami"
1616

17+
permissions: {}
18+
1719
jobs:
1820
check-for-fixes:
1921
runs-on: ubuntu-latest
@@ -22,6 +24,11 @@ jobs:
2224
packages: write
2325
id-token: write
2426
steps:
27+
- name: Harden the runner (Audit all outbound calls)
28+
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
29+
with:
30+
egress-policy: audit
31+
2532
- name: Checkout repository
2633
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
2734
with:

0 commit comments

Comments
 (0)