From 47fdda6f8f5c3fe2a0c0d344d02b64179613afe9 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 20:51:06 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql.yml | 8 ++++++++
 .github/workflows/main.yaml | 8 ++++++++
 .github/workflows/release-please.yml | 8 ++++++++
 3 files changed, 24 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5d74c8d..f4c8ec5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: '41 16 * * 3'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
@@ -54,6 +57,11 @@ jobs:
 # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 2edc85a..c3213a7 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Test
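Review bot: The workflow-level `permissions: contents: read` inserted after the `schedule` block in codeql.yml will break result upload unless the `analyze` job keeps its own job-level `permissions` block, because a job-level block replaces the workflow-level one entirely and the CodeQL analyze step needs `security-events: write` to upload SARIF (plus `actions: read` and, for some setups, `packages: read`). The `analyze` job body between the two hunks is outside this hunk, so I cannot see whether such a block exists; please confirm before merging. If it is missing, add it under the job rather than widening the top-level grant: `permissions:` / `  contents: read` / `  security-events: write`. The top-level read-only default itself is the right baseline and should stay.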
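Review bot: `egress-policy: audit` on the new `Harden the runner` step in codeql.yml only records outbound connections; it does not prevent any, so the step changes observability rather than the runner's exposure. The same step with the same setting is added in the main.yaml and release-please.yml hunks, so this applies to all three. After a few runs have produced an inventory of endpoints, the intended end state is `egress-policy: block` with an explicit `allowed-endpoints:` list per workflow, and `disable-sudo: true` where the job does not need root; consider tracking that follow-up in the PR description so audit mode is not left as the permanent setting. Placing the step first, before `actions/checkout`, and pinning it to a full commit SHA with a version comment are both correct; note that it installs a third-party agent with visibility into the job's network traffic, which is a trust decision the maintainers should make explicitly.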
@@ -14,6 +17,11 @@ jobs:
 go: ['oldstable', 'stable']
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - name: Set up Golang
 uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
 with:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 6771836..2f0831c 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -2,6 +2,9 @@ name: Release
 on:
 push:
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
@@ -14,6 +17,11 @@ jobs:
 # the `vX.Y.Z` git tag. For a Go module that tag *is* the published
 # artifact (consumed directly by `go get`), so there is no separate
 # publish step like the npm packages in monetr/notify and monetr/vaul.
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
 - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5
 id: release
 with:
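Review bot: The workflow-level `permissions: contents: read` added above `jobs:` in release-please.yml is too narrow for what the `release-please` job does unless the job declares its own permissions or supplies its own token: `googleapis/release-please-action` opens and updates a release pull request and creates the `vX.Y.Z` tag and release, which need `contents: write` and `pull-requests: write` on the `GITHUB_TOKEN`. The job-level `permissions` block, if any, would sit in the lines between the two hunks and is not visible here, and the `with:` block at the end of the second hunk is cut off before any `token:` line, so this is inferred rather than confirmed. If neither is present, the first run after merge will fail with a 403 on the PR/tag write; the fix is a job-level block on `release-please`: `permissions:` / `  contents: write` / `  pull-requests: write`, keeping the top-level grant read-only.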
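Review bot: In the second release-please.yml hunk the new `Harden the runner` step is inserted between the multi-line comment ending `# publish step like the npm packages in monetr/notify and monetr/vaul.` and the `- uses: googleapis/release-please-action` step that comment describes, so the comment now reads as if it explains the harden-runner step. Move the new step above the comment block so the explanation stays attached to the release step; the comment block begins before this hunk's first line, so the move touches lines outside the hunk.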