From f677e8c339064f62fef45fad1a5c1a981e8add36 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 2 Nov 2022 18:45:11 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/auto-merge-mine.yml | 5 +++++
 .github/workflows/codeql-analysis.yml | 18 +++++++++++++-----
 .github/workflows/db-auto-approve.yml | 7 ++++++-
 .github/workflows/db-auto-merge.yml | 7 ++++++-
 .github/workflows/eslint.yml | 12 ++++++++++--
 .github/workflows/scorecards.yml | 5 +++++
 6 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/auto-merge-mine.yml b/.github/workflows/auto-merge-mine.yml
index 0ecb4b8..97d815f 100644
--- a/.github/workflows/auto-merge-mine.yml
+++ b/.github/workflows/auto-merge-mine.yml
@@ -10,6 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'megamanics' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Enable auto-merge for my PRs only
         run: gh pr merge --auto --merge "$PR_URL"
         env:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3f4ed63..3f956f5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '33 0 * * 4'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
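Review bot: The new `uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34` pin carries no human-readable version trailer, unlike the `uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0` line already present in scorecards.yml; a bare SHA cannot be checked against a release by a reviewer, and tools such as Dependabot rely on that comment to know which version a SHA represents when proposing bumps, so append it, e.g. `uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # <tag this SHA resolves to>`. The same applies to every other SHA pin this commit introduces: the harden-runner, fetch-metadata, checkout, codeql-action and upload-artifact lines in codeql-analysis.yml, db-auto-approve.yml, db-auto-merge.yml and eslint.yml (the checkout SHA in codeql-analysis.yml is the one scorecards.yml already labels `# v3.1.0`). Note also that `egress-policy: audit` only records outbound connections and blocks nothing, so the `TODO` to move to `egress-policy: block` is where the actual hardening happens and deserves a tracked follow-up rather than a comment.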
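Review bot: The new workflow-level `permissions: contents: read` is only safe for this workflow if the `analyze` job, whose own `permissions:` block is below this hunk and not visible, still grants `security-events: write`; a workflow-level block narrows the default token for every job that does not override it, and `github/codeql-action/analyze` needs `security-events: write` to upload results, so a missing job-level grant would surface as a failed upload step rather than a scan finding. Please confirm the job-level block before merging, or add `security-events: write` to the job explicitly. The identical top-level block is added to eslint.yml in its first hunk, where the visible job-level permissions in the following hunk are `actions: read` and `contents: read`; whether `security-events: write` sits on the unseen line between those two hunks should be confirmed as well, since `upload-sarif` has the same requirement.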
@@ -37,12 +40,17 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@main
+      uses: github/codeql-action/init@71510779c25b2bd66d6434d3f94a74dac811e3fd
       with:
         languages: ${{ matrix.language }}
         # Prefix the list here with "+" to use these queries and those in the config file.
@@ -52,7 +60,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f
 
     # ℹī¸ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -63,11 +71,11 @@ jobs:
     # ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@main
+      uses: github/codeql-action/analyze@71510779c25b2bd66d6434d3f94a74dac811e3fd
       with:
         category: codeql-action
     - name: Archive production artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb
       with:
         name: codeql results
         path: /home/runner/work/replacor/results/javascript.sarif
diff --git a/.github/workflows/db-auto-approve.yml b/.github/workflows/db-auto-approve.yml
index 174f609..b4d3efa 100644
--- a/.github/workflows/db-auto-approve.yml
+++ b/.github/workflows/db-auto-approve.yml
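Review bot: `init` and `analyze` are now pinned to `71510779c25b2bd66d6434d3f94a74dac811e3fd` while `autobuild` in the next hunk is pinned to `18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f`, so the three codeql-action steps of a single run come from two different commits of the action. The action's documentation asks that `init`, `autobuild` and `analyze` run the same version, because the database created by `init` is consumed by the later steps and the CLI bundle they expect is chosen at `init`; pick one SHA and use it on all three `uses:` lines. eslint.yml's `upload-sarif` step also uses `18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f`, so aligning codeql-analysis.yml on that commit would additionally keep the two workflows consistent. The `analyze` job header and its `strategy`/`matrix` definition are outside this hunk.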
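Review bot: `path: /home/runner/work/replacor/results/javascript.sarif` in the Archive step hardcodes both the hosted-runner directory layout and the repository name, so the upload finds nothing on a self-hosted runner, after a repository rename, or if the language matrix ever grows beyond `javascript`. `github/codeql-action/analyze` writes its SARIF into the directory above the checkout, which is `${{ runner.workspace }}`, so `path: ${{ runner.workspace }}/results/*.sarif` keeps the step portable while still uploading only the analysis output; adding `if-no-files-found: error` to the upload step's `with:` would turn a silently empty artifact into a visible failure.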
@@ -9,9 +9,14 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
+        uses: dependabot/fetch-metadata@a3e5f86ae9f2f49b441498973ddec20035d326b8
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Approve a PR
diff --git a/.github/workflows/db-auto-merge.yml b/.github/workflows/db-auto-merge.yml
index 5ad8085..9083d67 100644
--- a/.github/workflows/db-auto-merge.yml
+++ b/.github/workflows/db-auto-merge.yml
@@ -10,9 +10,14 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.1.1
+        uses: dependabot/fetch-metadata@a3e5f86ae9f2f49b441498973ddec20035d326b8
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml
index 371491f..81ea901 100644
--- a/.github/workflows/eslint.yml
+++ b/.github/workflows/eslint.yml
@@ -3,6 +3,9 @@ name: "ESLint analysis"
 on:
   push:
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
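Review bot: The only hardening this job receives is the Harden Runner step; it still authenticates with `github-token: "${{ secrets.GITHUB_TOKEN }}"` and no `permissions:` block is visible in the hunk, so unless one is declared at the top of the file (outside the hunk, and not among the files this commit gave a `permissions:` block) the approve step runs with the repository's default token scope rather than the minimum it needs. Approving a pull request needs only `pull-requests: write`, so a job-level `permissions:` holding `pull-requests: write` (plus `contents: read` if a later step reads the checkout) is sufficient here. db-auto-merge.yml, whose hunk follows, has the same shape and would need `pull-requests: write` together with `contents: write` for the merge, and auto-merge-mine.yml's `gh pr merge --auto` step in the first hunk of this patch is in the same position. The `if: ${{ github.actor == 'dependabot[bot]' }}` gate is appropriate, but it should be read together with the trigger event, which is also outside the hunk, since `github.actor` is whoever caused the run and the token scope depends on that event.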
@@ -11,12 +14,17 @@ jobs:
       actions: read
       contents: read
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
       - name: Run npm install
         run: npm install
       - name: Run ESLint
         run: node_modules/.bin/eslint *.js -f node_modules/@microsoft/eslint-formatter-sarif/sarif.js -o results.sarif || true
-      - uses: github/codeql-action/upload-sarif@v2
+      - uses: github/codeql-action/upload-sarif@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f
         with:
           category: es-linter
           sarif_file: results.sarif
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 39d2416..dca2c8f 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -31,6 +31,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
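Review bot: `run: npm install` resolves dependencies from the ranges in package.json and may rewrite the lockfile on the runner, so the code ESLint (and its SARIF formatter) runs with is not guaranteed to be what the repository pins; `run: npm ci` installs exactly what the committed lockfile records and fails when package.json and the lockfile disagree, which is the reproducibility this hardening commit is reaching for (it requires a committed lockfile, which is not visible here). The unnamed `- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8` step would read better with a `name:` like every other step in this job now has. The `|| true` on the ESLint line means lint errors never fail the job, which is acceptable only if the code-scanning alerts produced by `upload-sarif` are the intended gate; if so, a short comment stating that would stop the next reader from removing it.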