From 64e66293df736abb48161aa29ee916b3057cf195 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 5 Mar 2026 16:34:17 +0000
Subject: [PATCH 1/2] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/cargo.yml | 18 ++++++++++++++----
 .github/workflows/image.yml | 15 ++++++++++++++-
 .github/workflows/nix-image.yaml | 21 ++++++++++++++++++---
 build-docker-image/action.yml | 6 +++---
 nix-image/action.yaml | 6 +++---
 5 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml
index 6473173..5bf23e0 100644
--- a/.github/workflows/cargo.yml
+++ b/.github/workflows/cargo.yml
@@ -12,10 +12,15 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: rui314/setup-mold@v1
+ - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
 - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
- - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
 - run: rustup show
 - run: |
 curl -L -s https://github.com/prometheus/prometheus/releases/download/v${PROMTOOL_VERSION}/prometheus-${PROMTOOL_VERSION}.linux-amd64.tar.gz |\
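Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections; nothing is blocked until the policy is `egress-policy: block` with an `allowed-endpoints` list, so for this job the step adds visibility, not enforcement. The same audit-only step is added in the second cargo.yml hunk, image.yml hunks 2 and 3 and nix-image.yaml hunks 1–3, and the `curl -L -s https://github.com/prometheus/... |\` fetch of the promtool tarball at the end of this hunk, which has no checksum step visible here, is exactly the kind of egress an allow-list should name once the job's endpoints are known. Separately, `Swatinem/rust-cache` is replaced by `step-security/rust-cache`, and the same substitution pattern (`docker/login-action` → `step-security/docker-login-action`, `depot/setup-action` → `step-security/depot-setup-action`) appears in nix-image.yaml hunk 3, build-docker-image/action.yml hunk 1 and nix-image/action.yaml hunk 2. That changes which organization's code runs with the job's credentials, a trust decision distinct from SHA pinning, and deserves its own sentence in the commit message. Both cargo.yml jobs continue past their hunks.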
@@ -32,10 +37,15 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: rui314/setup-mold@v1
+ - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
 - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
- - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
+ - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3
 - run: rustup show
 - run: cargo clippy --workspace -- -D warnings
 env:
diff --git a/.github/workflows/image.yml b/.github/workflows/image.yml
index 7e24f03..6498f23 100644
--- a/.github/workflows/image.yml
+++ b/.github/workflows/image.yml
@@ -25,6 +25,9 @@ on:
 required: false
 default: false
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -34,7 +37,12 @@ jobs:
 packages: write
 security-events: write
 steps:
- - uses: vexxhost/github-actions/build-docker-image@main
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
+ - uses: vexxhost/github-actions/build-docker-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
 id: build
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -55,6 +63,11 @@ jobs:
 contents: write
 security-events: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
 - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
 with:
 image-ref: ${{ needs.image.outputs.image_name }}
diff --git a/.github/workflows/nix-image.yaml b/.github/workflows/nix-image.yaml
index 11049ec..8d21c15 100644
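Review bot: `vexxhost/github-actions/build-docker-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main` freezes the workflow to one commit of the composite action while the `# main` comment still names a moving ref, so an update bot has nothing to track and the comment will drift from what the SHA actually is. If this repository is vexxhost/github-actions itself, as the patched `build-docker-image/action.yml` path suggests, the workflow should reference the action as `uses: ./build-docker-image` so that a pull request exercises its own change to the action instead of the pinned commit; the same applies to the two `nix-image` references in nix-image.yaml hunks 1 and 2. The `scan-image` reference in build-docker-image/action.yml hunk 2 sits inside a composite action, where a `./` path resolves against the calling workflow's checkout rather than the action's own directory, so that one should keep the pin but replace `# main` with the tag or date the SHA corresponds to. The build job continues past the hunk.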
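Review bot: The scan job keeps `contents: write` alongside `security-events: write`, and the only step visible in this hunk is `aquasecurity/trivy-action`; uploading scan results needs `security-events: write`, not write access to repository contents. If nothing later in the job pushes commits or releases, `contents: read` is sufficient and narrows what a compromised scanner step could do with `GITHUB_TOKEN`. The job body continues past the hunk, so check the remaining steps before changing it.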
--- a/.github/workflows/nix-image.yaml
+++ b/.github/workflows/nix-image.yaml
@@ -27,7 +27,12 @@ jobs:
 runs-on: ubuntu-24.04
 timeout-minutes: 10
 steps:
- - uses: vexxhost/github-actions/nix-image@main
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
+ - uses: vexxhost/github-actions/nix-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
 id: build
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -40,7 +45,12 @@ jobs:
 runs-on: ubuntu-24.04-arm
 timeout-minutes: 10
 steps:
- - uses: vexxhost/github-actions/nix-image@main
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
+ - uses: vexxhost/github-actions/nix-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
 id: build
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,12 +69,17 @@ jobs:
 id-token: write
 packages: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
+ with:
+ egress-policy: audit
+
 - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 id: meta
 with:
 images: ${{ needs.amd64.outputs.image-name }}
 tags: ${{ inputs.tags }}
- - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
diff --git a/build-docker-image/action.yml b/build-docker-image/action.yml
index 7302d6f..158ca3c 100644
--- a/build-docker-image/action.yml
+++ b/build-docker-image/action.yml
@@ -36,8 +36,8 @@ runs:
 with:
 images: ${{ inputs.image-ref }}
 tags: ${{ inputs.tags }}
- - uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
- - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ - uses: step-security/depot-setup-action@f5473e0857ae0042e260d41d027c9b23ac531127 # v1.6.1
+ - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
 if: ${{ inputs.push == 'true' }}
 with:
 registry: ghcr.io
@@ -61,7 +61,7 @@ runs:
 with:
 msg: ${{ fromJSON(steps.build.outputs.metadata)['image.name'] }}
 separator: ","
- - uses: vexxhost/github-actions/scan-image@main
+ - uses: vexxhost/github-actions/scan-image@377e35d3a5c570338901d9e0edf48bcf86c7c9ef # main
 with:
 image-ref: ${{ steps.split.outputs._0 }}
 fail-on-vulnerability: ${{ inputs.push == 'true' && 'false' || 'true' }}
diff --git a/nix-image/action.yaml b/nix-image/action.yaml
index 6750626..e06eeed 100644
--- a/nix-image/action.yaml
+++ b/nix-image/action.yaml
@@ -14,11 +14,11 @@ runs:
 using: "composite"
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: DeterminateSystems/nix-installer-action@v17
+ - uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
 with:
 determinate: true
 - uses: DeterminateSystems/flakehub-cache-action@146f476c94460cb634f9ade79470fcbc3f7e5b36 # v1
- - uses: DeterminateSystems/flake-checker-action@v9
+ - uses: DeterminateSystems/flake-checker-action@078f5f7f47ee188aa6cb472527ca5984e195222d # v9
 - shell: bash
 run: nix build .#dockerImage
 - shell: bash
@@ -32,7 +32,7 @@ runs:
 images: ${{ steps.image-info.outputs.name }}
 tags: |
 type=sha,suffix=-${{ steps.image-info.outputs.arch }}
- - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ - uses: step-security/docker-login-action@c3e677aae8393bc9c81cfdf9709648720ea4bd4d # v3.6.0
 if: ${{ inputs.push == 'true' }}
 with:
 registry: ghcr.io
From 256432b77a1da8c9059fcc1675f2741103e22fe7 Mon Sep 17 00:00:00 2001
From: Dong Ma
Date: Fri, 6 Mar 2026 09:36:21 +0800
Subject: [PATCH 2/2] ci: retrigger CI
Signed-off-by: Dong Ma