[StepSecurity] ci: Harden GitHub Actions (#54)

Signed-off-by: StepSecurity Bot <[email protected]> Signed-off-by: Ryan Parman <[email protected]> Co-authored-by: Ryan Parman <[email protected]>
northwood-labs · Oct 27, 2023 · 67bb85c · 67bb85c
1 parent 58c6d30
commit 67bb85c
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/.github/workflows/go-dep-submission.yml b/.github/workflows/go-dep-submission.yml
@@ -13,6 +13,11 @@ jobs:
   go-action-detection:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
@@ -25,7 +30,7 @@ jobs:
           cache: true
 
       - name: Run snapshot action
-        uses: actions/go-dependency-submission@v1
+        uses: actions/go-dependency-submission@1694cb96294964b25b39ef4e8fa7430558d9bed9 # v1.0.3
         with:
           # Required: Define the repo path to the go.mod file used by the
           # build target

diff --git a/.github/workflows/pr-dep-review.yml b/.github/workflows/pr-dep-review.yml
@@ -12,10 +12,15 @@ jobs:
     permissions:
       pull-requests: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
         with:
           config-file: ./.github/dependency-review-config.yml