From 5f09dd3566a7012e595e05faea363db0bf936ec3 Mon Sep 17 00:00:00 2001
From: Dave Thaler
Date: Wed, 26 Jun 2024 12:16:39 -0700
Subject: [PATCH] Use step-security/harden-runner in github workflows (#486)

Turning on harden-runner in "audit" mode is the first step in hardening github workflow jobs. The second step will be to enable "block" mode, which can be seen as the results of the first run:
https://app.stepsecurity.io/github/orcasound/orcasite/actions/runs/9293630393?jobid=25577205636&tab=recommendations

For more details see https://github.com/step-security/harden-runner

Signed-off-by: Dave Thaler
---
 .github/workflows/ci.yaml           | 4 ++++
 .github/workflows/fast-forward.yaml | 4 ++++
 .github/workflows/heroku.yaml       | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 36a9e91c..6ff518bf 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,6 +10,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.github/workflows/fast-forward.yaml b/.github/workflows/fast-forward.yaml
index 74431437..98817299 100644
--- a/.github/workflows/fast-forward.yaml
+++ b/.github/workflows/fast-forward.yaml
@@ -17,6 +17,10 @@ jobs:
     issues: write
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Fast forwarding
         uses: sequoia-pgp/fast-forward@v1
         with:
diff --git a/.github/workflows/heroku.yaml b/.github/workflows/heroku.yaml
index 54a8b5df..2c404c51 100644
--- a/.github/workflows/heroku.yaml
+++ b/.github/workflows/heroku.yaml
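Review bot: The new harden-runner step is pinned to a full commit SHA with a `# v2.7.0` release comment, but the step right below it, `uses: actions/checkout@v4`, stays on a mutable tag, so the job's supply chain is still only as strong as whoever can move that tag. Since this commit establishes the SHA-pinning convention in the file, resolve `v4` to its commit SHA and pin `actions/checkout` the same way, keeping the release as a trailing comment as done on the harden-runner line. Because `egress-policy: audit` only records outbound connections, a one-line comment above the step such as `# audit only: records egress, does not block it; see block-mode recommendations in the run summary` would keep a reader from assuming the job is already sandboxed. The enclosing `test` job starts and ends outside the hunk.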
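Review bot: This job holds `issues: write` (the rest of its `permissions:` block is above the hunk) and runs `sequoia-pgp/fast-forward@v1` from a mutable tag, so a hijacked release of that action would run with a write-scoped token, and the added audit-mode harden-runner step will record but not stop the resulting egress. Pinning `sequoia-pgp/fast-forward` to a commit SHA, mirroring the `63c24ba6…` pin on the new line, is the change most worth making alongside this one. Given the write scope, this is also the job where an early move from `audit` to `block` would pay off most once the audit run has produced its endpoint list. The job header and `permissions:` block lie outside the hunk.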
@@ -17,6 +17,10 @@ jobs:
       || (contains(github.event.comment.body, '/refresh-heroku-status') && github.event.issue.pull_request) }}
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       # Forward deployment's status to the deployed commit.
       - uses: octokit/request-action@v2.x
         env:
@@ -41,6 +45,10 @@ jobs:
     # Check that the deployed app returns successful HTTP response.
     steps:
+      - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - id: health_check
         uses: jtalk/url-health-check-action@v4
         with:
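Review bot: `uses: octokit/request-action@v2.x`, the step directly after the added one, is pinned to a floating `v2.x` tag that tracks every 2.x release, and this job is reachable from an issue comment (the `/refresh-heroku-status` condition in the `if:` above) and presumably passes a token through the `env:` block below to post the deployment status, so it is the step whose upstream drift matters most in this file. The audit-mode harden-runner step only logs what that action connects to; pin it to a commit SHA with the release as a trailing comment, matching the harden-runner line. The job's `if:` expression begins above the hunk and its `env:` block continues below it.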
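Review bot: The health-check step `jtalk/url-health-check-action@v4` has to reach the deployed app, so when this job is switched from `audit` to `block` that host will need to appear under `allowed-endpoints` or the check itself will be what gets blocked; recording that now avoids a surprise at the switch, e.g. `# when moving to egress-policy: block, add the deployed app host to allowed-endpoints`. As in the other hunks, the action is pinned only to the `v4` tag while the new step is SHA-pinned, so it should get the same treatment. The health check's `with:` block continues past the end of the hunk.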