[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-08-03 21:21:32 +00:00 · 2025-06-06 18:22:03 +00:00
2 changed files with 14 additions and 8 deletions
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -6,13 +6,16 @@ on:
  merge_group:
    branches:
    - main
+permissions:
+  contents: read
+
 jobs:
  rustfmt:
    name: rustfmt
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -33,7 +36,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -55,7 +58,7 @@ jobs:
    name: full build linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -83,7 +86,7 @@ jobs:
    name: full test linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
@ -110,7 +113,7 @@ jobs:
    name: full clippy linux-${{ matrix.arch }}
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: checkout repository
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@ -6,6 +6,9 @@ on:
 concurrency:
  group: "${{ github.workflow }}"
  cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
  release-plz:
    name: release-plz
@ -15,11 +18,11 @@ jobs:
      contents: write
    steps:
    - name: harden runner
-      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
      with:
        egress-policy: audit
    - name: generate cultivator token
-      uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+      uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
      id: generate-token
      with:
        app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
@ -37,7 +40,7 @@ jobs:
    - name: install linux dependencies
      run: ./hack/ci/install-linux-deps.sh
    - name: release-plz
-      uses: MarcoIeni/release-plz-action@8e91c71a60327f76b30233d17e3cabb316522e8f # v0.5.101
+      uses: MarcoIeni/release-plz-action@476794ede164c5137bfc3a1dc6ed3675275690f9 # v0.5.99
      env:
        GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
        CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"