[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>
northwood-labs · Apr 8, 2024 · 2892562 · 2892562
1 parent 29d3f79
commit 2892562
Show file tree

Hide file tree

Showing 65 changed files with 528 additions and 75 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /buildboxes/alpine
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /buildboxes/ubuntu
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/_build-and-cache.yml b/.github/workflows/_build-and-cache.yml
@@ -41,20 +41,25 @@ jobs:
       options: --privileged
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Git clone
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.base_ref }}
 
       - name: Restore any cached build artifacts (musl-aarch64)
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: restore-musl-aarch64
         with:
           key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-aarch64"
           path: "/usr/bin/${{ inputs.package-name }}_musl_arm64"
 
       - name: Restore any cached build artifacts (musl-x86_64)
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: restore-musl-x86_64
         with:
           key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-x86_64"
@@ -86,7 +91,7 @@ jobs:
           goreleaser release --clean --nightly --skip=announce,publish,validate --verbose
 
       - name: Cache the packages
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: cache-packages
         with:
           key: "${{ inputs.package-name }}-${{ inputs.package-version }}"

diff --git a/.github/workflows/_build-musl.yml b/.github/workflows/_build-musl.yml
@@ -39,13 +39,18 @@ jobs:
           - arm64
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Git clone
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.base_ref }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: ${{ matrix.arch }}
 
@@ -65,7 +70,7 @@ jobs:
             cp -vf "${{ github.workspace }}/builds/usr/bin/${{ inputs.package-name }}_musl_${{ matrix.arch }}" /usr/local/bin/${{ inputs.package-name }}_musl_${{ matrix.arch }}
 
       - name: Cache the packages
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: cache-packages
         with:
           key: "build-cache-${{ inputs.package-name }}-${{ inputs.package-version }}-musl-${{ matrix.arch }}"

diff --git a/.github/workflows/build-1password-cli.yml b/.github/workflows/build-1password-cli.yml
@@ -50,6 +50,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -58,7 +63,7 @@ jobs:
           echo "package_version=$(curl -sSLf https://app-updates.agilebits.com/check/1/0/CLI2/en/2000001/N | jq -Mr '.version')" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "1password-cli-${{ steps.lookup_version.outputs.package_version }}"
@@ -81,8 +86,13 @@ jobs:
       options: --privileged
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Git clone
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ github.base_ref }}
 
@@ -112,7 +122,7 @@ jobs:
           goreleaser release --clean --nightly --skip=announce,publish,validate --verbose
 
       - name: Cache the packages
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: cache-packages
         with:
           key: "1password-cli-${{ needs.lookup.outputs.package_version }}"

diff --git a/.github/workflows/build-actionlint.yml b/.github/workflows/build-actionlint.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'rhysd/actionlint' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "actionlint-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-aws-vault.yml b/.github/workflows/build-aws-vault.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r '99designs/aws-vault' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "aws-vault-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-chamber.yml b/.github/workflows/build-chamber.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'segmentio/chamber' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "chamber-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-cloud-nuke.yml b/.github/workflows/build-cloud-nuke.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'gruntwork-io/cloud-nuke' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "cloud-nuke-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-cosign.yml b/.github/workflows/build-cosign.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'sigstore/cosign' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "cosign-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-direnv.yml b/.github/workflows/build-direnv.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'direnv/direnv' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "direnv-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-dive.yml b/.github/workflows/build-dive.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'wagoodman/dive' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "dive-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-driftwood.yml b/.github/workflows/build-driftwood.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'trufflesecurity/driftwood' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "driftwood-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-editorconfig-checker.yml b/.github/workflows/build-editorconfig-checker.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'editorconfig-checker/editorconfig-checker' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "editorconfig-checker-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-eza.yml b/.github/workflows/build-eza.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'eza-community/eza' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "eza-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-fd.yml b/.github/workflows/build-fd.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'sharkdp/fd' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "fd-${{ steps.lookup_version.outputs.package_version }}"

diff --git a/.github/workflows/build-freeze.yml b/.github/workflows/build-freeze.yml
@@ -57,6 +57,11 @@ jobs:
       package_version: ${{ steps.lookup_version.outputs.package_version }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Lookup latest version of package
         id: lookup_version
         env:
@@ -65,7 +70,7 @@ jobs:
           echo "package_version=$(download-asset latest-tag -r 'charmbracelet/freeze' -s)" >> $GITHUB_OUTPUT
 
       - name: Check to see if we've already built this version
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
         id: check
         with:
           key: "freeze-${{ steps.lookup_version.outputs.package_version }}"