
Commit 69f5a06

[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
1 parent 1a74b6d commit 69f5a06


1 file changed

+11
-3
lines changed


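--- a/.github/workflows/ghaudit.yaml
+++ b/.github/workflows/ghaudit.yaml
@@ -6,6 +6,9 @@ on:
 
 name: GitHub Audit
 
+permissions:
+  contents: read
+
 jobs:
   ghaudit:
     runs-on: ubuntu-latest
@@ -14,30 +17,35 @@ jobs:
       id-token: write # To federate with Octo STS
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - uses: octo-sts/action@6177b4481c00308b3839969c3eca88c96a91775f # v1.0.0
         id: octo-sts
         with:
           scope: ${{ github.repository_owner }}
           identity: ghaudit
 
       - name: Deploy Keys
-        uses: wolfi-dev/wolfi-act@main
+        uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         with:
           packages: ghaudit
           command: ghaudit org -o ${{ github.repository_owner }} deploy-keys
 
       - name: Branch Protections
-        uses: wolfi-dev/wolfi-act@main
+        uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         with:
           packages: ghaudit
           command: ghaudit org -o ${{ github.repository_owner }} branch-protections
 
       - name: Default Permissions
-        uses: wolfi-dev/wolfi-act@main
+        uses: wolfi-dev/wolfi-act@d78f3659c50c4520e222df428f4903a1c4b0c6ee # main
         env:
           GH_TOKEN: ${{ steps.octo-sts.outputs.token }}
         with: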
with:
