[StepSecurity] Apply security best practices (#252)

stepsecurity-app[bot] · web-flow · commit d6c9f3e932df · 2025-12-15T11:08:22.000Z
This PR implements [go/ssdlc-2](https://go/ssdlc-2). Please raise issues to ProdSec's on-call rotation. Ref: https://github.com/chainguard-dev/prodsec/issues/138 ## Summary This pull request has been generated by [StepSecurity](https://app.stepsecurity.io/github/chainguard-dev/actions/dashboard) as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements. At a high level, this PR: - Adds the `harden-runner` Action if not already present - Pins Actions to a digest rather than mutable tags - Restricts GitHub token permissions to be as minimal as possible ## Security Fixes ### Harden Runner Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. - [GitHub Security Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) ### Pinned Dependencies Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure. Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates. - [GitHub Security Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo) or contact us via [our website](https://www.stepsecurity.io/). Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
diff --git a/.github/workflows/build-push.yaml b/.github/workflows/build-push.yaml
@@ -29,6 +29,11 @@ jobs:
           - tag-history
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -22,13 +22,18 @@ jobs:
           - tag-history
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: ${{ matrix.image }}/go.mod
 
       - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
-      - uses: chainguard-dev/actions/setup-registry@main
+      - uses: chainguard-dev/actions/setup-registry@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # main
 
       - working-directory: ${{ matrix.image }}
         run: |
