[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
GitTools · step-security-bot · Sep 25, 2024 · Sep 25, 2024 · 5425dc810f10a2ba3229debc407cf4986b9f4b6c
commit 5425dc810f10a2ba3229debc407cf4986b9f4b6c
diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml
@@ -31,6 +31,11 @@ jobs:
         targetFramework: [ '6.0', '8.0' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml
@@ -15,6 +15,11 @@ jobs:
         package: [ Executable, MsBuildFull ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -15,6 +15,11 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml
@@ -31,31 +31,36 @@ jobs:
         targetFramework: [ '6.0', '8.0' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: 0
     -
       name: Restore State
       uses: ./.github/actions/artifacts-restore
     -
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       name: Download nuget packages
       with:
         name: nuget
         path: ${{ github.workspace }}/artifacts/packages/nuget
     -
       name: Set up Docker
-      uses: crazy-max/ghaction-setup-docker@v3
+      uses: crazy-max/ghaction-setup-docker@78318f8be53384b971671f27d81f5e72526c102d # v3.3.0
       with:
         daemon-config: '{ "features": { "containerd-snapshotter": true } }'        
     -
       name: Setup QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
     -
       name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
       with:
         version: 'latest'
         driver-opts: 'image=moby/buildkit:buildx-stable-1'

diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml
@@ -24,6 +24,11 @@ jobs:
         targetFramework: [ '6.0', '8.0' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_prepare.yml b/.github/workflows/_prepare.yml
@@ -11,6 +11,11 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
@@ -19,6 +19,11 @@ jobs:
       NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
       CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml
@@ -18,6 +18,11 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -111,6 +111,11 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -47,6 +47,11 @@ jobs:
         language: [ 'csharp' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -40,6 +40,11 @@ jobs:
         os: [windows-latest, ubuntu-latest]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit

     -
       name: Checkout
       uses: actions/checkout@v4
@@ -93,6 +98,11 @@ jobs:
     needs: [ prepare ]
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4
@@ -132,6 +142,11 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
       GITHUB_USERNAME: ${{ github.actor }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     -
       name: Checkout
       uses: actions/checkout@v4

diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -37,6 +37,11 @@ jobs:
     runs-on: ubuntu-latest
     name: DotNet Format
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       -
         name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
@@ -19,6 +19,11 @@ jobs:
     name: Bump Homebrew formula
     runs-on: macos-latest
        steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Get version
         id: get-version
         shell: pwsh

diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -17,6 +17,11 @@ jobs:
     name: Update Markdown (embedded snippets)
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       -
         name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,6 +8,11 @@ jobs:
     name: Trigger ci flow
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       -  
         name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -13,6 +13,11 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/stale@v9
         with:
           operations-per-run: 100

diff --git a/.github/workflows/winget.yml b/.github/workflows/winget.yml
@@ -19,6 +19,11 @@ jobs:
     name: Bump winget manifest
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Get version
       id: get-version
       shell: pwsh