From 1545b2e80e8158a0f6620b3289eb85d46ee5872f Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Mon, 9 Jun 2025 19:35:34 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/npm-publish.yml | 21 +++++++++++++++++---- .github/workflows/salus-scan.yml | 9 +++++++-- .github/workflows/static-analysis.yml | 14 +++++++++++--- .github/workflows/unit-tests.yml | 26 ++++++++++++++++++++++---- 4 files changed, 57 insertions(+), 13 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 4be0521..d4a5918 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -7,12 +7,20 @@ on: release: types: [published] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 18 - run: yarn install --frozen-lockfile @@ -26,8 +34,13 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 18 registry-url: https://registry.npmjs.org/ diff --git a/.github/workflows/salus-scan.yml b/.github/workflows/salus-scan.yml index 2812933..cbc8238 100644 --- a/.github/workflows/salus-scan.yml +++ b/.github/workflows/salus-scan.yml @@ -6,9 +6,14 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Salus Scan id: salus_scan - uses: federacy/scan-action@0.1.4 + uses: federacy/scan-action@a7039b38cf9b90d3c27e27f4cedfbf153ab3da62 # 0.1.4 with: active_scanners: "\n - PatternSearch\n - Semgrep\n - Trufflehog\n - YarnAudit" diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml index fb38f4b..c7856a0 100644 --- a/.github/workflows/static-analysis.yml +++ b/.github/workflows/static-analysis.yml @@ -2,17 +2,25 @@ name: Static Analysis on: [pull_request, push] +permissions: + contents: read + jobs: static-analysis: name: 'Lint and Type-check' runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2 with: node-version: 16 - name: Install Dependencies - uses: bahmutov/npm-install@v1 + uses: bahmutov/npm-install@6bbff949458c1dd99b20e185cee8c4d6fcf1212a # v1.10.9 - name: TypeCheck run: yarn typecheck - name: Lint diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index dd6c4b1..b4134d1 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -2,13 +2,21 @@ name: Unit Tests on: [pull_request, push] +permissions: + contents: read + jobs: matrix: runs-on: ubuntu-latest outputs: latest: ${{ steps.set-matrix.outputs.requireds }} steps: - - uses: ljharb/actions/node/matrix@main + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: ljharb/actions/node/matrix@4541da42a86d43cc9d286b41b9dd07561be64029 # main id: set-matrix with: versionsAsRoot: true @@ -24,12 +32,17 @@ jobs: matrix: node-version: ${{ fromJson(needs.matrix.outputs.latest) }} steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8 # v2.5.2 with: node-version: ${{ matrix.node-version }} - name: Install Dependencies - uses: bahmutov/npm-install@v1 + uses: bahmutov/npm-install@6bbff949458c1dd99b20e185cee8c4d6fcf1212a # v1.10.9 - name: Unit Tests run: yarn jest @@ -38,4 +51,9 @@ jobs: name: 'unit tests' runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - run: echo 'tests completed'