diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d50c429..8cf480e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,11 +5,21 @@ on:
       - main
   tags:
     - "*"
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write # for goreleaser/goreleaser-action to create a GitHub release
     name: Build
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/build_doc.yaml b/.github/workflows/build_doc.yaml
index d85caf5..9a67643 100644
--- a/.github/workflows/build_doc.yaml
+++ b/.github/workflows/build_doc.yaml
@@ -22,6 +22,11 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Pages
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f8008cb..ce2a858 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '19 8 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -39,6 +42,11 @@ jobs:
       # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a505134..c81b574 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -5,6 +5,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
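Review bot: The new `uses: step-security/harden-runner@v2` line in the build job pins a floating major tag, so a step that exists to defend the runner is itself only as trustworthy as whoever can move that tag; for a supply-chain control pin the full-length commit SHA with the version in a trailing comment (`uses: step-security/harden-runner@<commit-sha> # v2.x.y`) and let Dependabot/Renovate bump it. `egress-policy: audit` only records outbound connections and blocks nothing, which matters most in this job because the same hunk grants it a job-level `contents: write` token that an exfiltrating build step could use to publish a tampered release; after a few audited runs it should become `egress-policy: block` with an `allowed-endpoints:` list taken from what the audit log reports (GitHub's API plus whatever goreleaser and the Go module proxy need). The build job's remaining steps, including the goreleaser step the comment refers to, are outside the hunk.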
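Review bot: `egress-policy: audit` on the new Harden Runner step only logs outbound connections, so this step changes no security outcome for the docs deploy job until it is tightened to `egress-policy: block` with an `allowed-endpoints:` list derived from the audited runs. The same line pins `step-security/harden-runner@v2` to a mutable major tag rather than a commit SHA, the weaker pin for a security step. Unlike build.yml and codeql.yml, no hunk in this file adds a top-level `permissions:` block; if the workflow has none, the default token keeps its broad legacy scope, and since the `url: ${{ steps.deployment.outputs.page_url }}` context line suggests a Pages deployment, the job presumably declares `pages: write`/`id-token: write` itself and a top-level `permissions: contents: read` would be the matching default. The job's header and the deploy steps are outside the hunk.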
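Review bot: The top-level `permissions: contents: read` added in the first hunk makes the default token read-only for every job, and the `analyze` job needs `security-events: write` to upload its SARIF results (plus `actions: read` on private repositories); the job's own `permissions:` block, if it has one, sits in the unshown lines between the two hunks, so confirm it is there—without a job-level grant the results upload would be rejected after this change. The usual job-level block is `permissions:` with `actions: read`, `contents: read` and `security-events: write`. As in the other files, `step-security/harden-runner@v2` is a floating tag and `egress-policy: audit` only logs; CodeQL's bundle and query-pack downloads make this job a good candidate for `block` with an explicit allow-list once the audit runs show which hosts it contacts.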