ci: add minimum GitHub at the workflow level for pip-tools.yaml

ashishkurmi · ashishkurmi · commit 68d88f4cc4be · 2022-09-21T19:15:02.000-07:00
Signed-off-by: Ashish Kurmi &lt;akurmi@stepsecurity.io&gt;
diff --git a/.github/workflows/pip-tools.yaml b/.github/workflows/pip-tools.yaml
@@ -11,6 +11,9 @@ on:
     # Run weekly on day 0 at 00:00 UTC
     - cron: "0 0 * * 0"
 
+permissions:
+  contents: read
+
 jobs:
   update-dependencies:
     permissions:
@@ -20,8 +23,13 @@ jobs:
     name: Update dependencies
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5
         with:
           python-version: "3.10"
       - name: Install test dependencies
@@ -51,7 +59,7 @@ jobs:
         run: pip-compile --upgrade --output-file=requirements/deploy.txt requirements/deploy.in
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@171dd555b9ab6b18fa02519fdfacbb8bf671e1b4
         with:
           add-paths: |
             requirements/*.txt
