Commita16230d

committed
ci: integrate step-security/harden-runner in workflows
1 parentfac77f9 commita16230d

15 files changed

+256
-1
lines changed

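--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -42,6 +42,11 @@ jobs:
 offlinedocs:${{ steps.filter.outputs.offlinedocs }}
 tailnet-integration:${{ steps.filter.outputs.tailnet-integration }}
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -157,6 +162,11 @@ jobs:
 if:needs.changes.outputs.offlinedocs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -219,6 +229,11 @@ jobs:
 needs:changes
 if:needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -268,6 +283,11 @@ jobs:
 runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
 timeout-minutes:7
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -304,6 +324,11 @@ jobs:
 -macos-latest
 -windows-2022
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -358,6 +383,11 @@ jobs:
 # even if some of the preceding steps are slow.
 timeout-minutes:25
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -398,6 +428,11 @@ jobs:
 # even if some of the preceding steps are slow.
 timeout-minutes:25
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -430,6 +465,11 @@ jobs:
 if:needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 timeout-minutes:25
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -466,6 +506,11 @@ jobs:
 if:needs.changes.outputs.tailnet-integration == 'true' || needs.changes.outputs.ci == 'true'
 timeout-minutes:20
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -487,6 +532,11 @@ jobs:
 if:needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 timeout-minutes:20
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -514,6 +564,11 @@ jobs:
 name:test-e2e-enterprise
 name:${{ matrix.variant.name }}
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -576,6 +631,11 @@ jobs:
 needs:changes
 if:needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true'
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -648,6 +708,11 @@ jobs:
 if:needs.changes.outputs.offlinedocs == 'true' || needs.changes.outputs.ci == 'true' || needs.changes.outputs.docs == 'true'
 
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -716,6 +781,11 @@ jobs:
 # cancelled.
 if:always()
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Ensure required checks
 run:|
 echo "Checking required checks"
@@ -749,6 +819,11 @@ jobs:
 outputs:
 IMAGE:ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -868,6 +943,11 @@ jobs:
 contents:read
 id-token:write
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -925,6 +1005,11 @@ jobs:
 needs:build
 if:github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with:
@@ -955,6 +1040,11 @@ jobs:
 needs:changes
 if:needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 with: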
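Review bot: Every Harden Runner step added in this file uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the jobs that hold real credentials — the one at @@ -868 with `id-token: write` and the image job at @@ -749 that publishes `ghcr.io/coder/coder-preview` — gain visibility but no containment from this change. The usual follow-up is to run in audit long enough to collect the endpoint baseline, then move at least those jobs to `egress-policy: block` with an explicit `allowed-endpoints:` list; a comment such as `# audit only for now: switch to block + allowed-endpoints once the egress baseline is known` on the step would record that intent so the audit setting is not mistaken for enforcement. The same audit-only block is repeated verbatim in contrib.yaml, docker-base.yaml, dogfood.yaml, nightly-gauntlet.yaml, pr-auto-assign.yaml and pr-cleanup.yaml, so one decision covers all of them. Two runner types deserve a check before relying on this: the matrix at @@ -304 includes `macos-latest` and `windows-2022`, and several jobs select `depot-ubuntu-22.04-8` runners — as far as I know harden-runner is documented for Linux runners, so confirm it actually engages on those legs (or gate the step with `if: runner.os == 'Linux'`) rather than assuming coverage.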

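--- a/.github/workflows/contrib.yaml
+++ b/.github/workflows/contrib.yaml
@@ -27,13 +27,23 @@ jobs:
 permissions:
 pull-requests:write
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:auto-approve dependabot
 uses:hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363# v4.0.0
 if:github.actor == 'dependabot[bot]'
 
 cla:
 runs-on:ubuntu-latest
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:cla
 if:(github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
 uses:contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08# v2.6.1
@@ -56,6 +66,11 @@ jobs:
 # Skip tagging for draft PRs.
 if:${{ github.event_name == 'pull_request_target' && !github.event.pull_request.draft }}
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:release-labels
 uses:actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea# v7.0.1
 with: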
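Review bot: The jobs in this file run under `pull_request_target` and comment triggers with write scope (`pull-requests: write` at @@ -27, and the release-labels job at @@ -56 is guarded on `pull_request_target`), which is exactly where an audit-only egress policy protects least: a compromised third-party action in a write-scoped job can still send the token anywhere, and audit mode would only log it afterwards. The visible steps are all GitHub-API-backed actions, so these three jobs look like the natural first candidates for `egress-policy: block` with `allowed-endpoints: |` listing `api.github.com:443` — but the actions' own network use is not visible here, so take the list from the audit output rather than from this guess. A one-line comment on each step stating whether block mode is planned or audit is intentional would keep the next reader from assuming these jobs are already contained.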
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# Dependency Review Action
2+
#
3+
# This Action will scan dependency manifest files that change as part of a Pull Request,
4+
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
5+
# Once installed, if the workflow run is marked as required,
6+
# PRs introducing known-vulnerable packages will be blocked from merging.
7+
#
8+
# Source repository: https://github.com/actions/dependency-review-action
9+
name:'Dependency Review'
10+
on:[pull_request]
11+
12+
permissions:
13+
contents:read
14+
15+
jobs:
16+
dependency-review:
17+
runs-on:ubuntu-latest
18+
steps:
19+
-name:Harden Runner
20+
uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
21+
with:
22+
egress-policy:audit
23+
24+
-name:'Checkout Repository'
25+
uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
26+
-name:'Dependency Review'
27+
uses:actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c# v4.3.4
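Review bot: The new workflow's `Checkout Repository` step (hunk lines 24–25) leaves actions/checkout's default `persist-credentials: true` in effect, so the job token stays in `.git/config` for the rest of the job even though the dependency-review step only needs to read manifests; add `with:` / `persist-credentials: false` under that step. The `Dependency Review` step passes no inputs, so the gate runs at the action's default severity threshold — set the policy explicitly (`fail-on-severity:` at the level the project intends, optionally `allow-licenses:`/`deny-licenses:`) so what blocks a merge is a deliberate choice recorded in the file. The file header for this section is missing from the page, so the workflow's path is not visible here; its Harden Runner step carries the same audit-only limitation as the other workflows in this commit.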

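--- a/.github/workflows/docker-base.yaml
+++ b/.github/workflows/docker-base.yaml
@@ -36,6 +36,11 @@ jobs:
 runs-on:ubuntu-latest
 if:github.repository_owner == 'coder'
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 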
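--- a/.github/workflows/dogfood.yaml
+++ b/.github/workflows/dogfood.yaml
@@ -26,6 +26,11 @@ jobs:
 if:github.actor != 'dependabot[bot]'# Skip Dependabot PRs
 runs-on:ubuntu-latest
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 
@@ -83,6 +88,11 @@ jobs:
 needs:build_image
 runs-on:ubuntu-latest
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 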
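--- a/.github/workflows/nightly-gauntlet.yaml
+++ b/.github/workflows/nightly-gauntlet.yaml
@@ -16,6 +16,11 @@ jobs:
 # so 0.016 * 240 = 3.84 USD per run.
 timeout-minutes:240
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 
@@ -43,6 +48,11 @@ jobs:
 runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04' || 'ubuntu-latest' }}
 timeout-minutes:10
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Checkout
 uses:actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871# v4.2.1
 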
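--- a/.github/workflows/pr-auto-assign.yaml
+++ b/.github/workflows/pr-auto-assign.yaml
@@ -13,5 +13,10 @@ jobs:
 assign-author:
 runs-on:ubuntu-latest
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Assign author
 uses:toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516# v2.1.1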

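--- a/.github/workflows/pr-cleanup.yaml
+++ b/.github/workflows/pr-cleanup.yaml
@@ -15,6 +15,11 @@ jobs:
 cleanup:
 runs-on:"ubuntu-latest"
 steps:
+-name:Harden Runner
+uses:step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7# v2.10.1
+with:
+egress-policy:audit
+
 -name:Get PR number
 id:pr_number
 run:|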

