[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-04-16 18:45:10 +00:00
parent 09d08593ed
commit df80079476
14 changed files with 222 additions and 34 deletions
--- a/.github/workflows/sub_weeklyBuild.yml
+++ b/.github/workflows/sub_weeklyBuild.yml
@@ -12,7 +12,12 @@ jobs:
    outputs:
      build_tag: ${{ steps.tag_build.outputs.build_tag }}
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
          submodules: 'recursive'
@@ -59,6 +64,11 @@ jobs:
    runs-on: ${{ matrix.os }}
    environment: weekly-build
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+        with:
+          egress-policy: audit
+
      - name: Set Platform Environment Variables
        shell: bash -l {0}
        env:
@@ -71,13 +81,13 @@ jobs:
            echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true
          submodules: 'recursive'

-      - uses: prefix-dev/setup-pixi@v0.8.3
+      - uses: prefix-dev/setup-pixi@92815284c57faa15cd896c4d5cfb2d59f32dc43d # v0.8.3
        with:
          pixi-version: v0.42.1
          cache: false