Skip to content

Commit c466975

Browse files
feat(security): security best practices from StepSecurity (#86)
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
1 parent f818d5b commit c466975

3 files changed

Lines changed: 20 additions & 0 deletions

File tree

.github/workflows/pull-request.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,11 @@ jobs:
1919
python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
2020

2121
steps:
22+
- name: Harden the runner (Audit all outbound calls)
23+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
24+
with:
25+
egress-policy: audit
26+
2227
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
2328
with:
2429
persist-credentials: false

.github/workflows/pypi-release.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,11 @@ jobs:
2424
contents: read # Checkout repository
2525
id-token: write # PyPI trusted publishing
2626
steps:
27+
- name: Harden the runner (Audit all outbound calls)
28+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
29+
with:
30+
egress-policy: audit
31+
2732
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
2833
with:
2934
persist-credentials: false

.github/workflows/zizmor.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,11 @@ jobs:
2323
contents: read
2424
actions: read
2525
steps:
26+
- name: Harden the runner (Audit all outbound calls)
27+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
28+
with:
29+
egress-policy: audit
30+
2631
- name: Checkout repository
2732
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2833
with:
@@ -43,6 +48,11 @@ jobs:
4348
contents: read
4449
actions: read
4550
steps:
51+
- name: Harden the runner (Audit all outbound calls)
52+
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
53+
with:
54+
egress-policy: audit
55+
4656
- name: Checkout repository
4757
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
4858
with:

0 commit comments

Comments
 (0)