[StepSecurity] Apply security best practices

.github/workflows/LargeMatrixWorkflow.yml

@@ -10,6 +10,9 @@ on:
   pull_request:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   generate-jobs:
     name: Generate Jobs
@@ -19,12 +22,12 @@ jobs:
         job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@int-sh
+        uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
         with:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Sleep for 3 minutes on push
         if: github.event_name == 'push'

.github/workflows/LargeMatrixWorkflow2.yml

@@ -9,13 +9,16 @@ on:
         default: '100' # Default value as a string
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   setup-job:
     name: Setup Job
     runs-on: ubuntu-24.04-arm
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@int-sh
+        uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
         with:
           egress-policy: audit
 
@@ -31,12 +34,12 @@ jobs:
         job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@int-sh
+        uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
         with:
           egress-policy: audit
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Make a curl request
         run: curl https://google.com

.github/workflows/agent-tracer-block.yml

@@ -7,7 +7,12 @@ jobs:
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: h0x0er/harden-runner@int
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int
         with:
          egress-policy: block
          agent-env: int-pull

.github/workflows/basic.yml

@@ -6,15 +6,18 @@ on:
 # permissions:
 #   contents: read
 
+permissions:
+  contents: read
+
 jobs:
   overwrite:
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: audit
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: echo overwrite
         run: echo "## Overwritten" >> README.md
@@ -26,14 +29,14 @@ jobs:
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: block
           disable-sudo: true
           allowed-endpoints: |
             www.google.com:443
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - run: curl https://www.google.com
       - run: curl https://microsoft.com
@@ -42,15 +45,15 @@ jobs:
     if: always()
     runs-on: ARMLinuxRunner
     steps:
-      - uses: step-security/harden-runner@rc
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: block
           disable-sudo: true
           disable-telemetry: true
           allowed-endpoints: |
             www.google.com:443
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - run: curl https://www.google.com
       - run: curl https://microsoft.com

.github/workflows/buildkit.yml

@@ -7,6 +7,9 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
@@ -16,28 +19,28 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@int-sh
+      uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
       with:
         egress-policy: audit
 
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
       with:
           buildkitd-flags: --debug
 
     - name: Log in to the Container registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Extract metadata (tags, labels) for Docker
       id: meta
-      uses: docker/metadata-action@v5
+      uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
       with:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -50,7 +53,7 @@ jobs:
         EOF
 
     - name: Build and push Docker image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
       with:
         context: .
         push: true

.github/workflows/config-change-test.yml

@@ -2,12 +2,15 @@ name: Config change test
 on: 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test-host-outbound:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -18,7 +21,7 @@ jobs:
       - run: cat /etc/systemd/resolved.conf
       - run: cat /etc/resolv.conf
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from host
         run: |
@@ -35,7 +38,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -51,7 +54,7 @@ jobs:
       - run: cat /run/systemd/resolve/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run outbound calls from within Docker container
         continue-on-error: true
@@ -87,7 +90,7 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@rc
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
         with:
           egress-policy: audit
           allowed-endpoints: >
@@ -103,7 +106,7 @@ jobs:
       - run: cat /etc/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Build Docker image and test outbound calls during build
         continue-on-error: true
@@ -138,10 +141,15 @@ jobs:
 
 
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - run: cat /etc/resolv.conf
 
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Run long-running Docker container with outbound calls
         continue-on-error: true

.github/workflows/container-test-job.yml

@@ -1,6 +1,9 @@
 name: CI
 on:
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   container-test-job:
     runs-on: ubuntu-latest
@@ -10,5 +13,10 @@ jobs:
         NODE_ENV: development
       options: --cpus 1
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
       - name: Check dockerenv with sudo
         run: sudo ls /.dockerenv || echo No dockerenv

.github/workflows/cvdupdate.yml

@@ -4,6 +4,9 @@ on:
   workflow_dispatch:
 
 
+permissions:
+  contents: read
+
 jobs:
 
   build:
@@ -12,7 +15,7 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@rc
+      uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc
       with:
         egress-policy: audit
         allowed-endpoints: >
@@ -25,7 +28,7 @@ jobs:
           pypi.org:443
           registry-1.docker.io:443
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
     - name: Build the Docker image
       run: docker build . --file Dockerfile

.github/workflows/dns.yml

@@ -3,17 +3,20 @@ name: DNS Resolution Workflow
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   dns-resolution:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@int-sh
+        uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
         with:
           egress-policy: audit
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 
       - name: Resolve A Record
         run: |

.github/workflows/download.yml

@@ -11,14 +11,19 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: h0x0er/harden-runner@int
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Harden the runner (Audit all outbound calls)
+        uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int
         with:
           egress-policy: block
           allowed-endpoints: |
             github.com:443
 
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create artifact file
         run: |
@@ -28,7 +33,7 @@ jobs:
 
       - name: Upload artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: my-artifact
           path: output.txt
@@ -39,14 +44,19 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: h0x0er/harden-runner@int
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Harden the runner (Audit all outbound calls)
+        uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int
         with:
           egress-policy: block
           allowed-endpoints: |
             github.com:443
 
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: my-artifact