Commit 8e254cb

chore: integrate step-security/harden-runner in workflows (#15099)
Redoing #15097. Part of #14879.
1 parent ccbb687 commit 8e254cb

14 files changed

+229
-1
lines changed

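--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -42,6 +42,11 @@ jobs:
 offlinedocs: ${{ steps.filter.outputs.offlinedocs }}
 tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -157,6 +162,11 @@ jobs:
 if: needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -219,6 +229,11 @@ jobs:
 needs: changes
 if: needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -268,6 +283,11 @@ jobs:
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 timeout-minutes: 7
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -304,6 +324,11 @@ jobs:
 - macos-latest
 - windows-2022
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -358,6 +383,11 @@ jobs:
 # even if some of the preceding steps are slow.
 timeout-minutes: 25
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -398,6 +428,11 @@ jobs:
 # even if some of the preceding steps are slow.
 timeout-minutes: 25
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -430,6 +465,11 @@ jobs:
 if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 timeout-minutes: 25
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -466,6 +506,11 @@ jobs:
 if: needs.changes.outputs.tailnet-integration == 'true' || needs.changes.outputs.ci == 'true'
 timeout-minutes: 20
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -487,6 +532,11 @@ jobs:
 if: needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 timeout-minutes: 20
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -514,6 +564,11 @@ jobs:
 name: test-e2e-enterprise
 name: ${{ matrix.variant.name }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -576,6 +631,11 @@ jobs:
 needs: changes
 if: needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true'
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -648,6 +708,11 @@ jobs:
 if: needs.changes.outputs.offlinedocs == 'true' || needs.changes.outputs.ci == 'true' || needs.changes.outputs.docs == 'true'
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -716,6 +781,11 @@ jobs:
 # cancelled.
 if: always()
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Ensure required checks
 run: |
 echo "Checking required checks"
@@ -749,6 +819,11 @@ jobs:
 outputs:
 IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -868,6 +943,11 @@ jobs:
 contents: read
 id-token: write
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -925,6 +1005,11 @@ jobs:
 needs: build
 if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -955,6 +1040,11 @@ jobs:
 needs: changes
 if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with: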
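Review bot: The Harden Runner step added in the hunk at @@ -304,6 +324,11 @@ also runs for the `macos-latest` and `windows-2022` matrix entries listed just above it, while step-security/harden-runner's documented support is Linux runners, so on those entries the step is, as far as I can tell, at best a no-op that still shows up in the job as if a control were in place; gating it with `if: runner.os == 'Linux'` makes the coverage honest. Every insertion in this file (and in the other workflows of this commit) uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the step name "Harden Runner" overstates what is enforced today. A short comment on the step, e.g. `# audit mode: records egress, does not block it (enforcement tracked in #14879)`, would keep readers from treating it as an enforcement guarantee, and once the audit data is in, `egress-policy: block` with an `allowed-endpoints` list is the mode that actually constrains the runner. The enclosing jobs all start outside these hunks.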

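--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -27,13 +27,23 @@ jobs:
 permissions:
 pull-requests: write
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: auto-approve dependabot
 uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
 if: github.actor == 'dependabot[bot]'
 
 cla:
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: cla
 if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
 uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
@@ -56,6 +66,11 @@ jobs:
 # Skip tagging for draft PRs.
 if: ${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: release-labels
 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with: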

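--- a/.github/workflows/docker-base.yaml
+++ b/.github/workflows/docker-base.yaml
@@ -36,6 +36,11 @@ jobs:
 runs-on: ubuntu-latest
 if: github.repository_owner == 'coder'
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 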
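--- a/.github/workflows/dogfood.yaml
+++ b/.github/workflows/dogfood.yaml
@@ -26,6 +26,11 @@ jobs:
 if: github.actor != 'dependabot[bot]' # Skip Dependabot PRs
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
@@ -83,6 +88,11 @@ jobs:
 needs: build_image
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 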
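--- a/.github/workflows/nightly-gauntlet.yaml
+++ b/.github/workflows/nightly-gauntlet.yaml
@@ -16,6 +16,11 @@ jobs:
 # so 0.016 * 240 = 3.84 USD per run.
 timeout-minutes: 240
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
@@ -43,6 +48,11 @@ jobs:
 runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04' || 'ubuntu-latest' }}
 timeout-minutes: 10
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 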
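--- a/.github/workflows/pr-auto-assign.yaml
+++ b/.github/workflows/pr-auto-assign.yaml
@@ -13,5 +13,10 @@ jobs:
 assign-author:
 runs-on: ubuntu-latest
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Assign author
 uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1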

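--- a/.github/workflows/pr-cleanup.yaml
+++ b/.github/workflows/pr-cleanup.yaml
@@ -15,6 +15,11 @@ jobs:
 cleanup:
 runs-on: "ubuntu-latest"
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Get PR number
 id: pr_number
 run: |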

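--- a/.github/workflows/pr-deploy.yaml
+++ b/.github/workflows/pr-deploy.yaml
@@ -39,6 +39,21 @@ jobs:
 outputs:
 PR_OPEN: ${{ steps.check_pr.outputs.pr_open }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
@@ -69,6 +84,11 @@ jobs:
 
 runs-on: "ubuntu-latest"
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
@@ -162,6 +182,11 @@ jobs:
 if: needs.get_info.outputs.BUILD == 'true' || github.event.inputs.deploy == 'true'
 runs-on: "ubuntu-latest"
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Find Comment
 uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
 id: fc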
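Review bot: The first hunk (@@ -39,6 +39,21 @@) inserts the Harden Runner step three times back-to-back on new lines 42–56, ahead of `- name: Checkout`; the second and third copies re-run the same agent setup, add noise to the job log, and are the reason this file shows +25 where every other job in the commit gets +5. Drop the two duplicates so the job keeps a single `- name: Harden Runner` block, matching the other two hunks in this file. The enclosing job definition starts outside the hunk, so I cannot see whether anything between `outputs:` and `steps:` explains the repetition, but nothing in the hunk does.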

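--- a/.github/workflows/release-validation.yaml
+++ b/.github/workflows/release-validation.yaml
@@ -10,6 +10,11 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
+
 - name: Run Schmoder CI
 uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4
 with: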
