
Commit cdd8e86

[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <[email protected]>
1 parent b131ca5 commit cdd8e86

6 files changed

+15
-15
lines changed


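--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -37,13 +37,13 @@ jobs:
           rc: true
 
       - name: Canary test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
+        uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
         env:
           PAT: ${{ secrets.PAT }}
           canary: true
 
       - name: Canary TLS test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
+        uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
         env:
           PAT: ${{ secrets.PAT }}
           canary-tls: true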
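Review bot: The digest pins on the two `uses: docker://…int:latest@sha256:…` lines (40 and 46) carry no trailing comment recording which image tag or build date the digest was taken from, unlike the `# v4.2.2`-style annotations this same commit adds to action pins. Once a digest is present the `:latest` tag in the reference is informational only, so nothing on the line tells a reader or an update tool what is actually pinned or when it should be refreshed. Suggest annotating each line, e.g. `uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106 # latest as of <DATE-PLACEHOLDER>`. The same digest is pinned without annotation in recurring-int-tests.yml and release.yml. These steps hand `secrets.PAT` to the container, so keeping the digest current and attributable matters more here than for a read-only step.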

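--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -20,4 +20,4 @@ jobs:
             int.api.stepsecurity.io:443
 
       - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int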
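Review bot: The `# int` comment on the new line 23 labels the SHA pin with a branch name rather than a release tag, so the annotation does not say which version of the action the commit hash corresponds to. Tools that keep SHA pins current generally read that trailing comment to decide what to update to; with a branch name they are likely to move the pin to the current branch head on each run, which brings back the floating-ref behaviour the commit is removing, just with a review step in between. Suggest recording something stable next to the hash, e.g. `uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int branch, pinned <DATE-PLACEHOLDER>`. The `# rc` annotations on the harden-runner pins in runs-on.yml have the same issue.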

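--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -22,7 +22,7 @@ jobs:
           egress-policy: audit
 
       - name: Checking out
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Publish
         id: publish
         uses: actions/[email protected]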
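Review bot: The `Publish` step's `uses:` on context line 28 (rendered here as `actions/[email protected]`, which looks garbled by the page) is still a tag-style reference and is not pinned to a commit SHA, while the checkout step two lines above now is. That step is the one that publishes the action, so it is the more consequential reference to leave mutable; a tag can be moved, a commit hash cannot. Suggest pinning it in the same form used on line 25, `uses: actions/<publish-action-name>@<COMMIT-SHA-PLACEHOLDER> # <tag>`, with the real name and hash taken from the repository since the page does not show them reliably. The enclosing job begins before this hunk.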

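--- a/.github/workflows/recurring-int-tests.yml
+++ b/.github/workflows/recurring-int-tests.yml
@@ -18,7 +18,7 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Canary test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
+        uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
         env:
           PAT: ${{ secrets.PAT }}
           canary: true
@@ -33,7 +33,7 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Canary test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
+        uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
         env:
           PAT: ${{ secrets.PAT }}
           canary-tls: true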

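--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
           rc: true
 
       - name: Canary test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
+        uses: docker://ghcr.io/step-security/integration-test/int:latest@sha256:76fa60ea6375f276d2b6bc097a5cff08ae2e9db8eb53bea7a9b4627f13b77106
         env:
           PAT: ${{ secrets.PAT }}
           canary: true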

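--- a/.github/workflows/runs-on.yml
+++ b/.github/workflows/runs-on.yml
@@ -14,7 +14,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -23,7 +23,7 @@ jobs:
 
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from host
         run: |
@@ -43,7 +43,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -56,7 +56,7 @@ jobs:
             security.ubuntu.com:80
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from within Docker container
         continue-on-error: true
@@ -89,7 +89,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -103,7 +103,7 @@ jobs:
             security.ubuntu.com:80
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Build Docker image and test outbound calls during build
         continue-on-error: true
@@ -137,7 +137,7 @@ jobs:
       - image=ubuntu24-stepsecurity-x64
     steps:
      - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # rc
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -152,7 +152,7 @@ jobs:
 
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run long-running Docker container with outbound calls
         continue-on-error: true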
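Review bot: The four `actions/checkout` pins in this file (new lines 26, 59, 106 and 155) freeze the action at `v3.6.0`, while the same commit pins publish-immutable-actions.yml to `v4.2.2` (`11bd71901bbe5b1630ceea73d27597364c9af683`), so the repository now carries two different majors of the same action by hash. A SHA pin only records the ref that happened to be checked out, so staying on the older major is a deliberate choice that a later bump has to undo by hand; if there is no reason to keep v3 here, using the v4.2.2 hash already present in this commit, `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`, would make the workflows consistent. Whether v3 is still required by these jobs cannot be determined from the hunks alone. The enclosing jobs begin and end outside the hunks.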
