[StepSecurity] ci: Harden GitHub Actions

.github/workflows/check-release-candidate-version.yml

@@ -10,6 +10,9 @@ on:
 #permissions:
 #  contents: read
 
+permissions:
+  contents: read
+
 jobs:
   check-version:
     name: 'Check release candidate version'
@@ -19,8 +22,13 @@ jobs:
     outputs:
       next_version: ${{ steps.next-version.outputs.next_version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 2
       - name: Get new version

.github/workflows/check-version.yml

@@ -10,6 +10,9 @@ on:
 #permissions:
 #  contents: read
 
+permissions:
+  contents: read
+
 jobs:
   check-version:
     name: 'Check version'
@@ -24,8 +27,13 @@ jobs:
 #        with:
 #          egress-policy: audit
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 #        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 2

.github/workflows/check_frontend.yml

@@ -14,6 +14,11 @@ jobs:
 #        with:
 #          egress-policy: audit
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 

.github/workflows/release-go.yml

@@ -11,10 +11,15 @@ on:
 #permissions:
 #  contents: read
 
+permissions:
+  contents: read
+
 jobs:
   release-go:
 #    permissions:
 #      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
+    permissions:
+      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
     name: Release go
     runs-on: ubuntu-latest
     if: ${{ inputs.next-version != '' }}
@@ -24,14 +29,19 @@ jobs:
 #        with:
 #          egress-policy: audit
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        with:
+          egress-policy: audit
+
       - name: Checkout code
 #        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
 
       - name: Download report_template.html
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 #        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: report-template
@@ -43,7 +53,7 @@ jobs:
 
       - name: Set up Go
 #        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version-file: go.mod
 
@@ -61,7 +71,7 @@ jobs:
 
       - name: GoReleaser
 #        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
         with:
           version: latest
           # this doesn't work

.github/workflows/release.yml

@@ -67,7 +67,7 @@ jobs:
       - name: Upload report_template.html
 #        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
 #        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
         with:
           name: report-template
           path: ${{ env.reportTemplate }}