chore: [StepSecurity] Harden GitHub Actions (GoogleCloudPlatform#218)

step-security-bot · web-flow · commit 433f32298fc9 · 2023-02-23T08:55:37.000-08:00
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -7,24 +7,29 @@ jobs:
       matrix:
         python-version: ['3.8', '3.9', '3.10', '3.11']
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
 
     - name: Setup Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
       with:
         python-version: ${{ matrix.python-version }}
 
     - name: Install the framework
       run: python -m pip install -e .
 
     - name: Setup Go
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
       with:
         go-version: '1.16'
 
     - name: Run HTTP conformance tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'http'
@@ -33,7 +38,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_http --signature-type http'"
 
     - name: Run event conformance tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'legacyevent'
@@ -42,7 +47,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_legacy_event --signature-type event'"
 
     - name: Run CloudEvents conformance tests
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'cloudevent'
@@ -51,7 +56,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_cloud_event --signature-type cloudevent'"
 
     - name: Run HTTP conformance tests declarative
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'http'
@@ -60,7 +65,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_http_declarative'"
 
     - name: Run CloudEvents conformance tests declarative
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'cloudevent'
@@ -69,7 +74,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_cloud_event_declarative'"
 
     - name: Run HTTP concurrency tests declarative
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'http'
@@ -78,7 +83,7 @@ jobs:
         cmd: "'functions-framework --source tests/conformance/main.py --target write_http_declarative_concurrent'"
 
     - name: Run Typed tests declarative
-      uses: GoogleCloudPlatform/functions-framework-conformance/action@v1.6.0
+      uses: GoogleCloudPlatform/functions-framework-conformance/action@c52662e612b2685a027b1c3e02224306517722fc # v1.6.0
       with:
         version: 'v1.6.0'
         functionType: 'http'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,12 +1,20 @@
 name: Python Lint CI
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
     - name: Setup Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
     - name: Install tox
       run: python -m pip install tox
     - name: Lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,23 +4,31 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-pubish:
     name: Build and Publish
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
         with:
           ref: ${{ github.event.release.tag_name }}
       - name: Install Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
       - name: Install build dependencies
         run: python -m pip install -U setuptools build wheel
       - name: Build distributions
         run: python -m build
       - name: Publish
-        uses: pypa/gh-action-pypi-publish@master
+        uses: pypa/gh-action-pypi-publish@9b8e7336db3f96a2939a3e9fa827c62f466ca60d # master
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -24,6 +24,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -1,5 +1,8 @@
 name: Python Unit CI
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
   test:
     strategy:
@@ -8,10 +11,15 @@ jobs:
         platform: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.platform }}
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518 # v2.1.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
     - name: Use Python ${{ matrix.python }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@75f3110429a8c05be0e1bf360334e4cced2b63fa # v2.3.3
       with:
         python-version: ${{ matrix.python }}
     - name: Install tox
