From 0b4b846673d1fbd58ee3d7ce642e882a73c30cfc Mon Sep 17 00:00:00 2001
From: Jed Salazar
Date: Mon, 1 Apr 2024 08:29:55 -0600
Subject: [PATCH] Add hardened runner

Signed-off-by: Jed Salazar
---
 .github/workflows/build.yml | 10 +++++++++-
 .github/workflows/ci.yml    | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6ec1bf5..9b94813 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ env:
   GHCR_USER: ${{ github.repository_owner }}
   GHCR_PASS: ${{ github.token }}
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -18,8 +21,13 @@ jobs:
       packages: write
       id-token: write # needed for GitHub OIDC Token
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Build, sign, inspect an image using wolfi-act
-        uses: wolfi-dev/wolfi-act@main
+        uses: wolfi-dev/wolfi-act@c7bc05c8af23bca710b267e0db3b39c939eb7b02 # main
         with:
           packages: curl,apko,cosign,crane,grype,trivy
           command: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3ea199..670a819 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Build, sign, inspect an image using wolfi-act
@@ -49,6 +54,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Build, sign, inspect an image using wolfi-act
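Review bot: The workflow-level `permissions: contents: read` added in this hunk does not apply to the `build` job, because a job-level `permissions:` block (the `packages: write` / `id-token: write` one visible in the next hunk) replaces the workflow-level block rather than merging with it, so `build` runs with `contents` set to none. That is the tighter outcome and is fine as long as nothing in the job needs repository contents — no `actions/checkout` is visible in this file, so it presumably does not — but the intent should be stated so a later reader does not assume the read grant reaches the job: `permissions:  # default for jobs with no permissions block; the build job below overrides this entirely`. If a checkout is ever added to `build`, `contents: read` has to be repeated inside the job's own block.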
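Review bot: `egress-policy: audit` only records outbound connections and blocks nothing, so a compromised package or action in this job — which holds `packages: write` and an OIDC token — can still reach any host. Audit is the right first step to learn the endpoint set, but the intended move to `egress-policy: block` with an `allowed-endpoints:` list should be written down rather than left implicit, e.g. `egress-policy: audit  # baseline phase; switch to block + allowed-endpoints once the endpoint set is known`. The `wolfi-dev/wolfi-act@<sha> # main` pin is an improvement over the floating `@main`, but update tooling typically reads the trailing comment to decide what to track, and `# main` is not a release; if wolfi-act has tags, pin to a tag and name it in the comment. The `command: |` block continues past the end of this hunk.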
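Review bot: This file receives the Harden Runner step but not the workflow-level `permissions: contents: read` that build.yml gets in the same commit, and the job in this hunk declares no `permissions:` block of its own, so it runs with the repository's default `GITHUB_TOKEN` scope (which can be write-all depending on repository settings) unless a block exists above line 12, outside this hunk. The two measures are complementary — Harden Runner limits where a step can talk to, token permissions limit what it can do — so the read-only default belongs in ci.yml as well: a top-level `permissions:` block containing `contents: read`, plus `id-token: write` at job level only if the sign step actually uses keyless cosign, which is not visible here. Placing Harden Runner before `actions/checkout` is correct, since per its documentation it can only observe what runs after it.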
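Review bot: This is the third verbatim copy of the same four-line Harden Runner step across two files, and its usefulness depends on two things the file does not say: it has to stay the first step (per its documentation it monitors egress only from the point it is installed), and the three copies have to be bumped and tightened together. A comment on each copy would protect the first, e.g. `- name: Harden Runner  # keep as the first step: monitoring starts only once this runs`, and if more jobs are added a single source such as a composite action or reusable workflow is preferable to a fourth copy. Whatever `allowed-endpoints` list is eventually derived from the audit logs should be applied to all three jobs at once, since they share the same `egress-policy: audit` today.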