From 875273358cd3ac0580336ff42fc92071afb34928 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 27 Jan 2025 15:24:32 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/build.yml | 10 ++++++++++
 .github/workflows/build_doc.yaml | 5 +++++
 .github/workflows/codeql.yml | 8 ++++++++
 .github/workflows/pr.yml | 5 +++++
 4 files changed, 28 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d50c429..8cf480e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,11 +5,21 @@ on:
       - main
     tags:
       - "*"
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: write # for goreleaser/goreleaser-action to create a GitHub release
     name: Build
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/build_doc.yaml b/.github/workflows/build_doc.yaml
index d85caf5..9a67643 100644
--- a/.github/workflows/build_doc.yaml
+++ b/.github/workflows/build_doc.yaml
@@ -22,6 +22,11 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Pages
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f8008cb..ce2a858 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '19 8 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -39,6 +42,11 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v4
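Review bot: `uses: step-security/harden-runner@v2` in the build.yml hunk references a mutable tag, so a commit whose purpose is hardening still lets a moved or re-published tag change what runs on the runner before any other step; pin to a full commit SHA and keep the version in a trailing comment, e.g. `uses: step-security/harden-runner@<commit-sha> # vX.Y.Z`, and the pre-existing `actions/checkout@v4` context line deserves the same treatment. The identical unpinned tag is added in the build_doc.yaml, codeql.yml and pr.yml hunks. `egress-policy: audit` only records outbound connections and blocks nothing, which is a sensible first rollout step; once the audit output has been reviewed, `egress-policy: block` with an `allowed-endpoints` list is what enforces the policy, and a comment such as `# audit mode: review egress report, then switch to block` would make the follow-up explicit. The job-level `permissions:` block under `build:` replaces rather than extends the workflow-level grant, which is the intended GitHub semantics and correctly scopes `contents: write` to the release job only.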
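Review bot: Unlike build.yml and codeql.yml, the build_doc.yaml hunk adds no workflow-level `permissions: contents: read`, so the deploy job's `GITHUB_TOKEN` keeps whatever default the repository grants unless the job's own `permissions:` block (the job starts above the hunk and is not visible here) restricts it; the pr.yml hunk has the same gap. A job deploying with actions/deploy-pages, which the `steps.deployment.outputs.page_url` context line suggests, needs `pages: write` and `id-token: write` at the job level, so a workflow-level read-only default is safe to add as long as that job block exists. If it does not, add `permissions:` / `  contents: read` at the top of the file and declare the Pages scopes explicitly on the deploy job rather than relying on the repository default.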
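Review bot: The new workflow-level `permissions: contents: read` in the first codeql.yml hunk becomes the only token grant for the `analyze` job unless that job declares its own `permissions:` block; the lines between the two hunks are not shown, so this cannot be confirmed from the diff. CodeQL's results upload requires `security-events: write` (GitHub's template also grants `actions: read`), so if the job block is absent the analysis will run but the upload step will be rejected. If needed, add to the analyze job `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write`. The harden-runner step in the second codeql.yml hunk carries the same unpinned-tag and audit-only caveats raised for build.yml.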
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index a505134..c81b574 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -5,6 +5,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@v4