Merge pull request #2 from xbow-engineering/chore/GHA-061155-stepsecurity-remediation

ewanmellor · web-flow · commit 6caa8b0fbda8 · 2026-01-08T09:46:20.000-08:00
CI/CD Security Improvements with Step Security
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -4,12 +4,20 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
       -
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
       -
         name: Install shfmt
         run: sudo snap install shfmt
@@ -18,7 +26,7 @@ jobs:
         run: shfmt -d entrypoint.sh
       -
         name: Install Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
         with:
           python-version: '3.x'
           cache: 'pip'
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Dockerfile used as GitHub action
-FROM python:latest AS base
+FROM python:latest@sha256:6d58c1a9444bc2664f0fa20c43a592fcdb2698eb9a9c32257516538a2746c19a AS base
 
 RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
     echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
