Pin actions to digests and introduce Step Security Harden Runners (#137)

Signed-off-by: Jed Salazar <jedsalazar@gmail.com>
2025-08-03 13:11:31 +00:00 · 2024-05-10 17:00:56 -07:00
parent 485f6e8319
commit 0193921053
8 changed files with 100 additions and 41 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -11,10 +11,14 @@ jobs:
    name: fmt
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        submodules: recursive
-    - uses: dtolnay/rust-toolchain@stable
+    - uses: dtolnay/rust-toolchain@d388a4836fcdbde0e50e395dc79a2670ccdef13f # stable
      with:
        components: rustfmt
    - run: ./hack/ci/install-linux-deps.sh
@ -23,7 +27,11 @@ jobs:
    name: shellcheck
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
+      with:
+        egress-policy: audit
+    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
      with:
        submodules: recursive
    - run: ./hack/code/shellcheck.sh