From f11702000e8e03fefdca0790b649c583605398d2 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Tue, 4 Nov 2025 18:43:33 +0000
Subject: [PATCH 1/4] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/ci.yml | 9 +++++++--
 .github/workflows/npm-publish.yml | 12 ++++++++++--
 .github/workflows/release.yml | 7 ++++++-
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4dda9e1..0802c4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,11 +6,16 @@ jobs:
     name: "Lint and Test"
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Check out repository code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
       - name: Install Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 
       - name: Install Dependencies
         run: yarn install
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 918efc5..a311246 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
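Review bot: The job hardened here still runs with the repository's default GITHUB_TOKEN scope, because no `permissions:` block is added alongside the harden-runner step, while the npm-publish.yml hunk in this same patch does add `permissions: contents: read` at workflow level; the workflow header (lines 1–5) is outside the hunk, so it may be set there, but nothing in the visible job needs more than `contents: read`. Adding `permissions:` / `  contents: read` at the top of the file would make the three workflows consistent. The `run: yarn install` context line at the end of the hunk resolves dependencies without a lockfile guard (`--frozen-lockfile` for Yarn 1, `--immutable` for Yarn 2+), which undercuts the SHA pinning this patch introduces for the actions themselves; that is pre-existing, but it belongs with a supply-chain hardening change.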
@@ -5,12 +5,20 @@ name: Publish to npm
 
 on: [workflow_dispatch, workflow_call]
 
+permissions:
+  contents: read
+
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 16
           registry-url: https://registry.npmjs.org/
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 82c81f7..80389e7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,7 +10,12 @@ jobs:
       did-create-release: ${{ steps.release.outputs.release_created }}
       release-tag: ${{ steps.release.outputs.tag_name }}
     steps:
-      - uses: google-github-actions/release-please-action@v3
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13
         id: release
         with:
           release-type: node

From 16eb387fb97c835da569a20e580b497761c95f01 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:09 -0500
Subject: [PATCH 2/4] Update harden-runner: egress-policy to block and add id-token permission

---
 .github/workflows/ci.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0802c4f..61d2625 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
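Review bot: `node-version: 16` on the context line below the newly pinned setup-node step keeps the publish job on a Node release line that is past end-of-life, so the pinned action will keep installing a runtime that no longer receives security fixes; since the hunk already rewrites this step, moving to a currently supported LTS line belongs with it, written as a quoted string (`node-version: "<LTS version>"`) so a future `x.10` minor is not parsed as a float. The workflow-level `permissions: contents: read` is the right baseline for this file. The publish step that consumes the registry token sits below the hunk, so whether it relies on a long-lived `NODE_AUTH_TOKEN` secret or on OIDC-based trusted publishing cannot be checked from here.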
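Review bot: `release-please-action` at the bottom of the hunk still runs with the repository's default GITHUB_TOKEN scope, since this hunk pins the action but adds no `permissions:` block; release-please creates tags, releases and release pull requests, so it needs `contents: write` and `pull-requests: write`, and the job will either fail at that step if the repository default is read-only or run over-privileged if it is not. Declaring the grant on the job, `permissions:` / `  contents: write` / `  pull-requests: write`, makes it visible in review. Whether a separately provisioned token is passed in the `with:` block cannot be seen, as that block continues past the end of the hunk.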
@@ -5,11 +5,15 @@ jobs:
   lint-and-test:
     name: "Lint and Test"
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden the runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
 
       - name: Check out repository code
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

From 635a4cca1fcae0eebb30606f23bddf86a728fda7 Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:11 -0500
Subject: [PATCH 3/4] Update harden-runner: egress-policy to block and add id-token permission

---
 .github/workflows/npm-publish.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index a311246..21c7083 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -11,11 +11,15 @@ permissions:
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden the runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
 
       - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

From a83511075f31c11d8451d50dce961a369fc20a6c Mon Sep 17 00:00:00 2001
From: ali-kafel
Date: Tue, 4 Nov 2025 14:51:13 -0500
Subject: [PATCH 4/4] Update harden-runner: egress-policy to block and add id-token permission

---
 .github/workflows/release.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 80389e7..50be738 100644
--- a/.github/workflows/release.yml
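Review bot: The new job-level `permissions:` block that names only `id-token: write` replaces the job's entire permission set rather than adding to it, so every unnamed scope, including `contents`, becomes `none` for that job. In ci.yml that leaves the `actions/checkout` step at the end of the hunk without `contents: read` (likely to fail on a private repository), and in the npm-publish.yml hunk of patch 3 the block overrides the workflow-level `permissions: contents: read` added in patch 1 instead of merging with it; both blocks should read `permissions:` / `  id-token: write` / `  contents: read`. The release.yml hunk in patch 4 has the same shape with a larger impact, noted there. Switching to `egress-policy: block` with `policy: global-allowed-endpoints-policy` moves the effective allowlist into a policy maintained outside the repository, so a reader of the workflow can no longer tell which endpoints are permitted; a comment above the `policy:` line naming where that policy is defined and reviewed would help, and the reason the commit grants `id-token: write` (presumably so the action can authenticate to fetch the named policy) is worth recording there as well.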
+++ b/.github/workflows/release.yml
@@ -9,11 +9,15 @@ jobs:
     outputs:
       did-create-release: ${{ steps.release.outputs.release_created }}
       release-tag: ${{ steps.release.outputs.tag_name }}
+    permissions:
+      id-token: write
+
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden the runner
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          policy: global-allowed-endpoints-policy
 
       - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13
         id: release
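Review bot: With the new job-level `permissions:` block granting only `id-token: write`, all other scopes for this job fall to `none`, and `release-please-action` on the context line below is then left without the `contents: write` and `pull-requests: write` it needs to create tags, releases and release pull requests; unless a separately provisioned token is passed in the `with:` block, which continues past the end of the hunk, the release step will fail. Adding `contents: write` and `pull-requests: write` under the new `permissions:` key restores what the job was implicitly relying on while keeping the grant explicit. This is the same root cause as the ci.yml and npm-publish.yml hunks of patches 2 and 3, with a read-only fix sufficing there.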