Skip to content

Commit

Permalink
Merge pull request #10 from jedsalazar/pr/jed/github-token-lp
Browse files Browse the repository at this point in the history
Add hardened runner
  • Loading branch information
jdolitsky authored Apr 1, 2024
2 parents c7bc05c + 0b4b846 commit ee92e84
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
10 changes: 9 additions & 1 deletion .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,9 @@ env:
GHCR_USER: ${{ github.repository_owner }}
GHCR_PASS: ${{ github.token }}

permissions:
contents: read

jobs:
build:
runs-on: ubuntu-latest
Expand All @@ -18,8 +21,13 @@ jobs:
packages: write
id-token: write # needed for GitHub OIDC Token
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Build, sign, inspect an image using wolfi-act
uses: wolfi-dev/wolfi-act@main
uses: wolfi-dev/wolfi-act@c7bc05c8af23bca710b267e0db3b39c939eb7b02 # main
with:
packages: curl,apko,cosign,crane,grype,trivy
command: |
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,11 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

- name: Build, sign, inspect an image using wolfi-act
Expand Down Expand Up @@ -49,6 +54,11 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

- name: Build, sign, inspect an image using wolfi-act
Expand Down

0 comments on commit ee92e84

Please sign in to comment.