ci: Update per Q3 audit findings

Signed-off-by: Mihail Mihov <[email protected]>
hashgraph · Oct 31, 2024 · b3fb5fe · b3fb5fe
1 parent a07f157
commit b3fb5fe
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 0 deletions.
diff --git a/.github/workflows/flow-deploy-release-artifact.yaml b/.github/workflows/flow-deploy-release-artifact.yaml
@@ -61,6 +61,11 @@ jobs:
     outputs:
       version: ${{ steps.tag.outputs.version }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
@@ -122,6 +127,11 @@ jobs:
     needs:
       - publish-maven-central
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:

diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
@@ -40,6 +40,11 @@ jobs:
     name: Title Check
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Check PR Title
         uses: step-security/conventional-pr-title-action@19fb561b33015fd2184055a05ce5a3bcf2ba3f54 # v3.2.0
         env:

diff --git a/.github/workflows/zxc-code-analysis.yaml b/.github/workflows/zxc-code-analysis.yaml
@@ -102,6 +102,11 @@ jobs:
     name: ${{ inputs.custom-job-label || 'Analyze' }}
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:

diff --git a/.github/workflows/zxc-compile-code.yaml b/.github/workflows/zxc-compile-code.yaml
@@ -87,6 +87,11 @@ jobs:
     name: ${{ inputs.custom-job-label || 'Compiles' }}
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:

diff --git a/.github/workflows/zxc-release-maven-central.yaml b/.github/workflows/zxc-release-maven-central.yaml
@@ -94,6 +94,11 @@ jobs:
     outputs:
       notes: ${{ steps.create-release-notes.outputs.RELEASE_NOTES }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:

diff --git a/.github/workflows/zxf-snyk-monitor.yaml b/.github/workflows/zxf-snyk-monitor.yaml
@@ -37,6 +37,11 @@ jobs:
     name: Snyk Monitor
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1