diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5d74c8d..f4c8ec5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: '41 16 * * 3'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
@@ -54,6 +57,11 @@ jobs:
 # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 2edc85a..c3213a7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test
@@ -14,6 +17,11 @@ jobs:
 go: ['oldstable', 'stable']
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - name: Set up Golang
 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 6771836..2f0831c 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -2,6 +2,9 @@ name: Release
 on:
 push:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
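Review bot: The new workflow-level `permissions: contents: read` in codeql.yml becomes the only token grant for the analyze job unless that job declares its own `permissions:` block, and the job header past `name: Analyze (...)` is outside this hunk so I cannot see whether it does. CodeQL's results upload needs `security-events: write` (the stock template also grants `actions: read` and `packages: read`), so if the job relies on the default token this change makes the upload step fail with "Resource not accessible by integration". If the job-level block is missing, add under `analyze:` the lines `permissions:` / `contents: read` / `security-events: write`. One scheduled or branch run after merging would confirm either way.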
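Review bot: `egress-policy: audit` on the new "Harden the runner" step only records outbound connections and blocks none of them, so the step adds visibility but no enforcement until the policy is switched to `block` with an `allowed-endpoints:` list derived from the audited baseline; the same applies to the identical steps added in main.yaml and release-please.yml, and it matters most for the release job, whose token has to be able to write. A comment on the step would keep the name "Audit all outbound calls" from being read as protection, e.g. `# audit mode: logs egress but does not block it; move to egress-policy: block once the endpoint baseline is known`. Pinning the action to a full commit SHA with a version comment is the right pattern for a third-party step that runs first in every job; keep that pin maintained by Dependabot/Renovate rather than hand-edited so it does not drift.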
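Review bot: The workflow-level `permissions: contents: read` in release-please.yml will stop release-please from opening the release PR and pushing the `vX.Y.Z` tag if the release-please job does not override it, and the job's own `permissions:` block, if one exists, lies outside this hunk. release-please-action running on the default `GITHUB_TOKEN` needs `contents: write` and `pull-requests: write` at the job level; with read-only access it errors on PR and tag creation. If the action is instead given a PAT via `token:` this is moot, but otherwise add under `release-please:` the lines `permissions:` / `contents: write` / `pull-requests: write`. Keeping the workflow-level default read-only and elevating only this job is the right shape.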
@@ -14,6 +17,11 @@ jobs:
 # the `vX.Y.Z` git tag. For a Go module that tag *is* the published
 # artifact (consumed directly by `go get`), so there is no separate
 # publish step like the npm packages in monetr/notify and monetr/vaul.
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5
 id: release
 with: