Harden workflow runners

.github/workflows/codeql-analysis.yml

@@ -19,19 +19,23 @@ jobs:
     permissions:
       security-events: write
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-    - name: Install dependencies
-      run: brew install popt
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
-      with:
-        languages: cpp
-        queries: security-and-quality
-        source-root: src
-    - name: Build sources
-      run: |
-        cmake -S . -B build
-        cmake --build build
-    - name: Perform CodeQL analysis
-      uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install dependencies
+        run: brew install popt
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          languages: cpp
+          queries: security-and-quality
+          source-root: src
+      - name: Build sources
+        run: |
+          cmake -S . -B build
+          cmake --build build
+      - name: Perform CodeQL analysis
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9

.github/workflows/dependency-review.yml

@@ -12,6 +12,10 @@ jobs:
     permissions:
       pull-requests: write
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Dependency review

.github/workflows/markdown-links.yml

@@ -19,18 +19,22 @@ jobs:
   markdown-links:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-    - name: Check links in modified Markdown files
-      if: github.event_name == 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
-      with:
-        base-branch: main
-        check-modified-files-only: yes
-        use-verbose-mode: yes
-        config-file: .github/markdown/markdown-links.json
-    - name: Check links in all Markdown files
-      if: github.event_name != 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
-      with:
-        use-verbose-mode: yes
-        config-file: .github/markdown/markdown-links.json
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Check links in modified Markdown files
+        if: github.event_name == 'pull_request'
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
+        with:
+          base-branch: main
+          check-modified-files-only: yes
+          use-verbose-mode: yes
+          config-file: .github/markdown/markdown-links.json
+      - name: Check links in all Markdown files
+        if: github.event_name != 'pull_request'
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
+        with:
+          use-verbose-mode: yes
+          config-file: .github/markdown/markdown-links.json

.github/workflows/openssf-scorecard.yml

@@ -16,6 +16,10 @@ jobs:
       security-events: write # Needed to upload the results to code scanning dashboard
       id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:

.github/workflows/release.yml

@@ -20,61 +20,65 @@ jobs:
       sha256-filename-darwin-arm64: ${{ steps.checksum.outputs.sha256-filename-darwin-arm64 }}
       sha256-filename-darwin-x86_64: ${{ steps.checksum.outputs.sha256-filename-darwin-x86_64 }}
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
-    - name: Install runtime dependencies
-      run: brew install popt
-    - name: Install test dependencies
-      run: brew install cmocka
-    - name: Install build tools
-      run: brew install just pandoc
-    - id: arch
-      name: Get machine hardware name
-      run: |
-        set -euo pipefail
-        arch=$(uname -m)
-        if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
-            echo "Unexpected machine hardware name: ${arch}"
-            exit 1
-        fi
-        echo "name=${arch}" >> "${GITHUB_OUTPUT}"
-    - id: artifact
-      name: Generate build artifact
-      env:
-        ARCHITECTURE: ${{ steps.arch.outputs.name }}
-      run: |
-        set -euo pipefail
-        just package "${GITHUB_REF_NAME}"
-        artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
-        if [[ ! -f "${artifact}" ]]; then
-            echo "Failed to generated expected build artifact: ${artifact}"
-        fi
-        echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
-        echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}"
-    - id: checksum
-      name: Generate build artifact SHA-256 checksum file
-      env:
-        ARCHITECTURE: ${{ steps.arch.outputs.name }}
-        ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
-      run: |
-        set -euo pipefail
-        shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
-        echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}"
-        echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
-    - name: Upload build artifact
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-      with:
-        name: ${{ steps.artifact.outputs.name }}
-        path: ${{ steps.artifact.outputs.name }}
-        if-no-files-found: error
-        retention-days: 7
-    - name: Upload SHA-256 checksum file
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
-      with:
-        name: ${{ steps.artifact.outputs.name }}.sha256
-        path: ${{ steps.artifact.outputs.name }}.sha256
-        if-no-files-found: error
-        retention-days: 7
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install runtime dependencies
+        run: brew install popt
+      - name: Install test dependencies
+        run: brew install cmocka
+      - name: Install build tools
+        run: brew install just pandoc
+      - id: arch
+        name: Get machine hardware name
+        run: |
+          set -euo pipefail
+          arch=$(uname -m)
+          if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
+              echo "Unexpected machine hardware name: ${arch}"
+              exit 1
+          fi
+          echo "name=${arch}" >> "${GITHUB_OUTPUT}"
+      - id: artifact
+        name: Generate build artifact
+        env:
+          ARCHITECTURE: ${{ steps.arch.outputs.name }}
+        run: |
+          set -euo pipefail
+          just package "${GITHUB_REF_NAME}"
+          artifact="flog-${GITHUB_REF_NAME}-darwin-${ARCHITECTURE}.tar.xz"
+          if [[ ! -f "${artifact}" ]]; then
+              echo "Failed to generated expected build artifact: ${artifact}"
+          fi
+          echo "name=${artifact}" >> "${GITHUB_OUTPUT}"
+          echo "artifact-filename-darwin-${{ steps.arch.outputs.name }}=${artifact}" >> "${GITHUB_OUTPUT}"
+      - id: checksum
+        name: Generate build artifact SHA-256 checksum file
+        env:
+          ARCHITECTURE: ${{ steps.arch.outputs.name }}
+          ARTIFACT_NAME: ${{ steps.artifact.outputs.name }}
+        run: |
+          set -euo pipefail
+          shasum -a 256 "${ARTIFACT_NAME}" > "${ARTIFACT_NAME}.sha256"
+          echo "sha256-checksum-darwin-${ARCHITECTURE}=$(cat "${ARTIFACT_NAME}.sha256" | base64)" >> "${GITHUB_OUTPUT}"
+          echo "sha256-filename-darwin-${ARCHITECTURE}=${ARTIFACT_NAME}.sha256" >> "${GITHUB_OUTPUT}"
+      - name: Upload build artifact
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: ${{ steps.artifact.outputs.name }}
+          path: ${{ steps.artifact.outputs.name }}
+          if-no-files-found: error
+          retention-days: 7
+      - name: Upload SHA-256 checksum file
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: ${{ steps.artifact.outputs.name }}.sha256
+          path: ${{ steps.artifact.outputs.name }}.sha256
+          if-no-files-found: error
+          retention-days: 7
   combine-checksums:
     needs: [build]
     runs-on: ubuntu-latest
@@ -83,7 +87,12 @@ jobs:
     env:
       CHECKSUMS: ${{ toJSON(needs.build.outputs) }}
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - id: checksums
+        name: Combine SHA-256 checksums
         run: |
           set -euo pipefail
           echo "${CHECKSUMS}" | jq -r 'with_entries(select(.key | match("sha256-checksum-.*-.*")))[] | @base64d' | sed "/^$/d" > checksums.txt
@@ -106,6 +115,10 @@ jobs:
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - name: Download x86_64 build artifact
         uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with: