From ce07d59d9655e1d6a76355a3a64277f1777fdf0e Mon Sep 17 00:00:00 2001
From: amankong
Date: Wed, 2 Jul 2025 17:23:02 +0530
Subject: [PATCH] chore: add Harden Runner to all workflows
---
 .github/workflows/auto-assignee.yml | 4 ++++
 .github/workflows/ci.yaml | 16 ++++++++++++++++
 .github/workflows/pr-on-close.yaml | 4 ++++
 .github/workflows/pr-packages.yaml | 4 ++++
 4 files changed, 28 insertions(+)
diff --git a/.github/workflows/auto-assignee.yml b/.github/workflows/auto-assignee.yml
index c6cfb13adc..f91f63af16 100644
--- a/.github/workflows/auto-assignee.yml
+++ b/.github/workflows/auto-assignee.yml
@@ -8,4 +8,8 @@ jobs:
 assign-author:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - uses: toshimaru/auto-author-assign@2daaeb2988aef24bf37e636fe733f365c046aba0
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9f15ca6c32..b0ff932ae9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -34,6 +34,10 @@ jobs:
 GH_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 # if previous run did create comment with the reference to PR preview package
 # this comment is removed in this step
 - name: Remove preview consumption comment
@@ -342,6 +346,10 @@ jobs:
 container: ${{ fromJSON(needs.build.outputs.componentTestMatrix) }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout Source Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
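Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections and blocks nothing, so the subject line's "harden" is aspirational until the policy is switched to `egress-policy: block` with an `allowed-endpoints` list derived from the audit runs; the same applies to every other hunk in this patch (ci.yaml, pr-on-close.yaml, pr-packages.yaml). Worth stating that intent above the step so the follow-up is not forgotten, e.g. `# audit mode only: collect egress, then switch to egress-policy: block with allowed-endpoints`. The `# v2.11.1` comment beside the pinned commit is a reader hint the runner never checks; whether that hash really corresponds to that tag should be confirmed against the upstream repository, and ideally the pin kept current by Dependabot/Renovate. Placing the step first in each job is correct, since the agent can only observe what runs after it.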
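Review bot: The job in the `@@ -342,6 +346,10 @@` hunk of ci.yaml appears to run under a `container:` taken from `fromJSON(needs.build.outputs.componentTestMatrix)`, and I recall container-based jobs being a documented limitation of harden-runner because its agent instruments the runner VM rather than a job container; confirm against the action's documentation that the step actually monitors egress here rather than silently auditing nothing. Indentation was lost in this patch, so whether `container` is a job-level key or a matrix variable cannot be told from the hunk, and the enclosing job starts outside it. If the limitation applies, a one-line comment above the step noting that coverage for this job is partial would stop a later reader from assuming it is protected.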
@@ -398,6 +406,10 @@ jobs:
 GH_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Successful tests
 if: ${{ !(contains(needs.*.result, 'failure')) }}
 run: exit 0
@@ -489,6 +501,10 @@ jobs:
 needs:
 - finish-test-and-publish
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout Source Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/pr-on-close.yaml b/.github/workflows/pr-on-close.yaml
index f08bc33c67..11aa8b5ea9 100644
--- a/.github/workflows/pr-on-close.yaml
+++ b/.github/workflows/pr-on-close.yaml
@@ -8,6 +8,10 @@ jobs:
 name: remove previews comments for PR
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout Source Code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/pr-packages.yaml b/.github/workflows/pr-packages.yaml
index 98721862fe..5225b6b1aa 100644
--- a/.github/workflows/pr-packages.yaml
+++ b/.github/workflows/pr-packages.yaml
@@ -14,6 +14,10 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+ with:
+ egress-policy: audit
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
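Review bot: The job in the `@@ -398,6 +406,10 @@` hunk of ci.yaml shows a single `run: exit 0` step and nothing that uses the network in the visible lines, so it looks like the natural first candidate to move from `egress-policy: audit` to `egress-policy: block`; the audit output will show whether it needs any `allowed-endpoints` entries at all. The job's step list may continue outside the hunk, so confirm that before tightening. Incidentally, this job inherits a PAT through `GH_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}` while the only visible step is `exit 0`; if nothing outside the hunk uses it, dropping it from this job's `env` removes the very credential that egress filtering is meant to protect.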