[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
sgammon · Aug 14, 2023 · 0d8ec22 · 0d8ec22
1 parent efbaaeb
commit 0d8ec22
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 12 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,3 +4,8 @@ updates:
  directory: /
  schedule:
  interval: daily
+
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/check.buildifier.yml b/.github/workflows/check.buildifier.yml
@@ -11,6 +11,9 @@ name: Buildifier
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
  check:
  runs-on: ubuntu-latest
@@ -20,7 +23,7 @@ jobs:
  uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
  with:
  egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: buildifier
  continue-on-error: true
  run: bazel run --enable_bzlmod //.github/workflows:buildifier.check
diff --git a/.github/workflows/check.lint-yaml.yml b/.github/workflows/check.lint-yaml.yml
@@ -62,7 +62,7 @@ jobs:
  - name: "Setup: Checkout"
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Lint: YAML"
- uses: karancode/yamllint-github-action@master
+ uses: karancode/yamllint-github-action@0a904064817924fc6fb449a32f67f25bfacc48ae # master
  with:
  yamllint_file_or_dir: ".bcr"
  yamllint_config_filepath: "./.github/.yamllint.yml"
@@ -86,7 +86,7 @@ jobs:
  - name: "Setup: Checkout"
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Lint: YAML"
- uses: karancode/yamllint-github-action@master
+ uses: karancode/yamllint-github-action@0a904064817924fc6fb449a32f67f25bfacc48ae # master
  with:
  yamllint_file_or_dir: ".bazelci"
  yamllint_config_filepath: "./.github/.yamllint.yml"

diff --git a/.github/workflows/deploy.docs.yml b/.github/workflows/deploy.docs.yml
@@ -32,16 +32,16 @@ jobs:
  with:
  egress-policy: audit
  - name: "Setup: Checkout"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Setup: Pages"
- uses: actions/configure-pages@v3
+ uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3.0.6
  - name: "Build: Jekyll"
- uses: actions/jekyll-build-pages@v1
+ uses: actions/jekyll-build-pages@058068233b22675635bdf8dfa178d6ae77f12694 # v1.0.8
  with:
  source: ./docs
  destination: ./_site
  - name: "Artifact: Upload"
- uses: actions/upload-pages-artifact@v2
+ uses: actions/upload-pages-artifact@a753861a5debcf57bf8b404356158c8e1e33150c # v2.0.0
 
  deploy:
  name: "Deploy: Docs"
@@ -57,4 +57,4 @@ jobs:
  egress-policy: audit
  - name: "Deploy: GitHub Pages"
  id: deployment
- uses: actions/deploy-pages@v2
+ uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2.0.4
diff --git a/.github/workflows/module.test.yml b/.github/workflows/module.test.yml
@@ -107,14 +107,14 @@ jobs:
  with:
  egress-policy: audit
  - name: "Setup: Checkout"
- uses: actions/checkout@v3
+ uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Setup: msbuild"
- uses: microsoft/setup-msbuild@v1.1
+ uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3
  if: ${{ contains(inputs.runner, 'windows') }}
  - name: "Setup: Bazel"
- uses: bazelbuild/setup-bazelisk@v2
+ uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0
  - name: "Setup: Cache"
- uses: actions/cache@v3
+ uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
  with:
  path: "~/.cache/bazel"
  key: bazel-v2