Merge pull request nest#2875 from step-security-bot/stepsecurity_reme…

…diation_1691510536 Harden GitHub Actions – Harden Runner and pin Actions
terhorstd · Nov 21, 2023 · 3b762d4 · 3b762d4
2 parents 6a9c75b + acde447
commit 3b762d4
Show file tree

Hide file tree

Showing 6 changed files with 173 additions and 41 deletions.
diff --git a/.github/workflows/build_dispatch.yml b/.github/workflows/build_dispatch.yml
@@ -9,8 +9,14 @@ jobs:
     name: "Trigger downstream repos"
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
       - name: Trigger nest/nest-extension-module CI
-        uses: peter-evans/repository-dispatch@v2
+        uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588 # v2.1.1
         with:
           token: ${{ secrets.NEST_EXTENSION_MODULE_TRIGGER_TOKEN }}
           repository: 'nest/nest-extension-module'

diff --git a/.github/workflows/ebrains-push.yml b/.github/workflows/ebrains-push.yml
@@ -9,6 +9,12 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'nest' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
       - name: sycnmaster
         uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
         with:

diff --git a/.github/workflows/hifis-push.yml b/.github/workflows/hifis-push.yml
@@ -9,6 +9,12 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'nest' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
       - name: sycnmaster
         uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
         with:

diff --git a/.github/workflows/jsc-push.yml b/.github/workflows/jsc-push.yml
@@ -9,6 +9,12 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.repository_owner == 'nest' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
+        with:
+          egress-policy: audit
+          disable-telemetry: true
+
       - name: sycnmaster
         uses: wei/git-sync@55c6b63b4f21607da0e9877ca9b4d11a29fc6d83
         with: