chore: cleanup/hardening for ci

sgammon · Aug 14, 2023 · 8471d14 · 8471d14
1 parent 515e316
commit 8471d14
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 3 deletions.
diff --git a/.github/workflows/check.buildifier.yml b/.github/workflows/check.buildifier.yml
@@ -16,6 +16,10 @@ jobs:
  runs-on: ubuntu-latest
  continue-on-error: true
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
  - uses: actions/checkout@v3
  - name: buildifier
  continue-on-error: true

diff --git a/.github/workflows/deploy.docs.yml b/.github/workflows/deploy.docs.yml
@@ -27,6 +27,10 @@ jobs:
  name: "Build: Docs"
  runs-on: ubuntu-latest
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
  - name: "Setup: Checkout"
  uses: actions/checkout@v3
  - name: "Setup: Pages"
@@ -47,6 +51,10 @@ jobs:
  runs-on: ubuntu-latest
  needs: build
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
  - name: "Deploy: GitHub Pages"
  id: deployment
  uses: actions/deploy-pages@v2
diff --git a/.github/workflows/module.build.yml b/.github/workflows/module.build.yml
@@ -49,7 +49,6 @@ jobs:
  uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
  with:
  egress-policy: audit
-
  - name: "Setup: Checkout"
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Setup: msbuild"

diff --git a/.github/workflows/module.test.yml b/.github/workflows/module.test.yml
@@ -59,7 +59,6 @@ jobs:
  uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
  with:
  egress-policy: audit
-
  - name: "Setup: Checkout"
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Setup: msbuild"
@@ -103,6 +102,10 @@ jobs:
  directory: ["./example/integration_tests/bzlmod"]
  labs: [false]
  steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
  - name: "Setup: Checkout"
  uses: actions/checkout@v3
  - name: "Setup: msbuild"

diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -15,7 +15,6 @@ jobs:
  uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
  with:
  egress-policy: audit
-
  - name: "Checkout Repository"
  uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
  - name: "Dependency Review"