diff options
author | StepSecurity Bot <bot@stepsecurity.io> | 2022-10-29 12:16:32 +0000 |
---|---|---|
committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2022-10-31 19:52:55 +0000 |
commit | d8a5f385bf76ad21cb8942412a370bee3e7b8ce6 (patch) | |
tree | 5620403edad06be5167a8c01cb3db0af0823f621 /.github/workflows/codeql-analysis.yml | |
parent | build(deps): bump github/codeql-action from 2.1.28 to 2.1.29 (diff) | |
download | firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.gz firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.tar.zst firejail-d8a5f385bf76ad21cb8942412a370bee3e7b8ce6.zip |
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Diffstat (limited to '.github/workflows/codeql-analysis.yml')
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 908eb8dd2..8b84f4d16 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -34,8 +34,15 @@ on: | |||
34 | schedule: | 34 | schedule: |
35 | - cron: '0 7 * * 2' | 35 | - cron: '0 7 * * 2' |
36 | 36 | ||
37 | permissions: # added using https://github.com/step-security/secure-workflows | ||
38 | contents: read | ||
39 | |||
37 | jobs: | 40 | jobs: |
38 | analyze: | 41 | analyze: |
42 | permissions: | ||
43 | actions: read # for github/codeql-action/init to get workflow details | ||
44 | contents: read # for actions/checkout to fetch code | ||
45 | security-events: write # for github/codeql-action/autobuild to send a status report | ||
39 | name: Analyze | 46 | name: Analyze |
40 | runs-on: ubuntu-latest | 47 | runs-on: ubuntu-latest |
41 | 48 | ||
@@ -48,6 +55,11 @@ jobs: | |||
48 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed | 55 | # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed |
49 | 56 | ||
50 | steps: | 57 | steps: |
58 | - name: Harden Runner | ||
59 | uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 | ||
60 | with: | ||
61 | egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
62 | |||
51 | - name: Checkout repository | 63 | - name: Checkout repository |
52 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 | 64 | uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 |
53 | 65 | ||