From 80a9c4f2463c6d035aaeefe3dd110c624af93b65 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 21:56:06 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/labeler.yml | 8 ++++++++
 .github/workflows/lint.yml | 6 +++---
 .github/workflows/preview-release.yaml | 2 +-
 .github/workflows/semantic-release.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 5 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 3e72c530a..ab9ab4b68 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -5,6 +5,9 @@ name: "Labeler"
 on: # yamllint disable-line rule:truthy
 - "pull_request_target"
 
+permissions:
+ contents: read
+
 jobs:
 triage:
 runs-on: "ubuntu-latest"
@@ -12,6 +15,11 @@ jobs:
 contents: "read"
 pull-requests: "write"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - uses: "actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b" # v6.0.1
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c11ac1f74..cf31eabd6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -81,7 +81,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
@@ -133,7 +133,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
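Review bot: The new workflow-level `permissions: contents: read` in labeler.yml is only a default for jobs that declare no permissions block of their own; the `triage` job (its block continues past this hunk, and the next hunk shows it setting `contents: "read"` and `pull-requests: "write"`) already has one, and a job-level block replaces rather than narrows the workflow-level one, so this addition changes nothing for the only job currently in the file. It is still a sound default for any job added later, but a comment would stop a reader from assuming it restricts `triage`: `# default for jobs that declare no permissions of their own; triage sets its own below`. The added lines are also the only unquoted scalars in a file that quotes every value (`"read"`, `"ubuntu-latest"`, `"pull_request_target"`); `contents: "read"` would match, and the same applies to the step added in the @@ -12,6 +15,11 hunk (`name`, `uses`, `egress-policy`).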
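Review bot: `egress-policy: audit` on the added harden-runner step records outbound connections but blocks none, so in a `pull_request_target` workflow — which runs with the base repository's `GITHUB_TOKEN` and, per the context lines, `pull-requests: "write"` — it provides visibility rather than containment. Audit is the right first step, but the follow-up should be written down so the collected baseline is actually acted on: `# audit first; move to egress-policy: block with allowed-endpoints once the audit log shows the expected hosts`. Placing the step ahead of `actions/labeler` is correct, since the action monitors only the steps that run after it. The `steps` list and the `triage` job begin outside this hunk.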
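Review bot: Pinning `anolilab/workflows/step/setup` to `c56082a9d841a5261123032173b8848d9aa69a58` only fixes which revision of that composite action runs; whether the `uses:` references inside that composite are themselves pinned is not visible here and should be checked, because an unpinned transitive action leaves exactly the exposure this commit is meant to close. The `# main` trailer also names a branch rather than a release, so the pin has no version to compare against and will go stale silently unless the dependency-update bot is configured to refresh branch-tracked SHAs; if the upstream publishes tags, a tag comment in the style of the `# v6.0.1` and `# v2.14.2` trailers elsewhere in this patch (e.g. `# v1.2.3`, constructed) would make updates reviewable. The enclosing job starts outside this hunk. The same one-line change is repeated in the @@ -133 and @@ -185 hunks of lint.yml and in preview-release.yaml, semantic-release.yml and test.yml; this note covers all of them.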
@@ -185,7 +185,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "lint"
diff --git a/.github/workflows/preview-release.yaml b/.github/workflows/preview-release.yaml
index e5fe5d643..ec7d4f5f2 100644
--- a/.github/workflows/preview-release.yaml
+++ b/.github/workflows/preview-release.yaml
@@ -47,7 +47,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "20.x"
 cache-prefix: "preview-release"
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
index 1322306b4..53cdfe88c 100644
--- a/.github/workflows/semantic-release.yml
+++ b/.github/workflows/semantic-release.yml
@@ -56,7 +56,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "22.x"
 cache-prefix: "semantic-release"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 75f796876..a4b594322 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -93,7 +93,7 @@ jobs:
 
 - name: "Setup resources and environment"
 id: "setup"
- uses: "anolilab/workflows/step/setup@main"
+ uses: "anolilab/workflows/step/setup@c56082a9d841a5261123032173b8848d9aa69a58" # main
 with:
 node-version: "${{ matrix.node_version }}"
 install-bun: false