From 61dd6f97b25dcd9b364d05b89a7bc462850e21ae Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 26 Mar 2024 14:54:58 -0700
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#2)
Signed-off-by: StepSecurity Bot
---
 .github/workflows/documentation.yml | 7 ++++++-
 .github/workflows/markdownlint.yml | 5 +++++
 .github/workflows/trivy-vuln.yml | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index a1f4072..7e56a99 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -27,13 +27,18 @@ jobs:
 permissions:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Source
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
 ref: main
 - name: Render terraform docs and push changes back to PR
- uses: terraform-docs/gh-actions@v1
+ uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
 with:
 git-commit-message: "docs: Generate documentation in README.md"
 git-push-sign-off: "true"
diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
index 42a71a5..e808475 100644
--- a/.github/workflows/markdownlint.yml
+++ b/.github/workflows/markdownlint.yml
@@ -27,6 +27,11 @@ jobs:
 permissions:
 contents: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Source
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
diff --git a/.github/workflows/trivy-vuln.yml b/.github/workflows/trivy-vuln.yml
index de03444..730cdb0 100644
--- a/.github/workflows/trivy-vuln.yml
+++ b/.github/workflows/trivy-vuln.yml
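Review bot: The Harden Runner step added at the top of the steps list in documentation.yml runs with `egress-policy: audit`, which only records outbound connections and blocks nothing, so the job's egress is no more constrained after this change than before; the identical step added in markdownlint.yml has the same limitation. This job checks out `main` and pushes generated docs under `contents: write`, so a compromised action or dependency in it would have a token worth protecting, and audit mode should be treated as a baseline-collection step rather than the end state. Suggest annotating the line now, `# audit only logs egress; switch to egress-policy: block with allowed-endpoints once the audit log has been reviewed`, and tracking the follow-up. The job definition and its trigger start above the hunk, so whether the workflow is reachable from fork pull requests could not be checked here.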
@@ -48,7 +48,7 @@ jobs:
 persist-credentials: false
 - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.18.0
+ uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
 with:
 scan-type: fs
 format: sarif
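Review bot: The commit-hash pin on the `uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0` line freezes the scanner's own code, so unlike the previous tag reference it will never pick up a newer release on its own; the trailing version comment is what Dependabot and Renovate use to detect and bump such pins. If the repository does not already have a `.github/dependabot.yml` entry for the `github-actions` ecosystem, add one so this pin and the harden-runner and terraform-docs pins in the other two files do not quietly go stale. Note that the Trivy vulnerability database is fetched at run time and is unaffected by this pin, which is worth stating in the commit description. The enclosing job and its `checkout` step start above the hunk.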