diff options
author | StepSecurity Bot <bot@stepsecurity.io> | 2022-10-29 12:16:32 +0000 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2022-10-31 19:52:55 +0000 |
commit | d8a5f385bf76ad21cb8942412a370bee3e7b8ce6 (patch) | |
tree | 5620403edad06be5167a8c01cb3db0af0823f621 /.github/workflows/build.yml | |
parent | build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (diff) | |
download | firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.gz firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.zst firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.zip |
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Diffstat (limited to '.github/workflows/build.yml')
-rw-r--r-- | .github/workflows/build.yml | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74f4375c9..e383c9ef2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -24,10 +24,18 @@ on: | |||
24 | - RELNOTES | 24 | - RELNOTES |
25 | - SECURITY.md | 25 | - SECURITY.md |
26 | 26 | ||
27 | permissions: # added using https://github.com/step-security/secure-workflows | ||
28 | contents: read | ||
29 | |||
27 | jobs: | 30 | jobs: |
28 | build_and_test: | 31 | build_and_test: |
29 | runs-on: ubuntu-22.04 | 32 | runs-on: ubuntu-22.04 |
30 | steps: | 33 | steps: |
34 | - name: Harden Runner | ||
35 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | ||
36 | with: | ||
37 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
38 | |||
31 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 39 | - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
32 | - name: update package information | 40 | - name: update package information |
33 | run: sudo apt-get update | 41 | run: sudo apt-get update |