From 2ffce721975f757495c51d19e73d7c5c74e7afb4 Mon Sep 17 00:00:00 2001
From: Rafael Winterhalter
Date: Mon, 22 Aug 2022 09:20:14 +0200
Subject: [PATCH] Add step security tool.
---
 .github/workflows/main.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index ed77d9eb93a..3c8fb0aad1e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,6 +15,9 @@ jobs:
 runs-on: ubuntu-20.04
 continue-on-error: true
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
@@ -33,6 +36,9 @@ jobs:
 java: [ 8, 11, 17, 18 ]
 runs-on: ${{ matrix.os }}
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
@@ -51,6 +57,9 @@ jobs:
 java: [ 8, 11 ]
 runs-on: ${{ matrix.os }}
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
@@ -68,6 +77,9 @@ jobs:
 java: [ 9, 10, 12, 13, 14, 15, 16 ]
 runs-on: ubuntu-20.04
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
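Review bot: The version comment `# V1.4.5` on the new `uses:` line in the hunk at `@@ -15,6 +15,9 @@` uses a capital `V`, while every other pin in the file is written like `# v3.0.2`; the same comment is repeated in all eight hunks. Because the commit SHA is opaque, this comment is the only readable link to a release, so it should match the upstream tag name exactly (presumably `v1.4.5`, worth confirming against the action's releases). I would write it as `# v1.4.5` so that reviewers and automated pin updaters can match it to the tag.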
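Review bot: In the hunk at `@@ -33,6 +36,9 @@` the harden-runner step is added to a job that runs on `${{ matrix.os }}`, and the same applies to the hunks at `@@ -51,6 +57,9 @@` and `@@ -86,6 +98,9 @@`. The matrix definition is outside these hunks, but if it includes Windows or macOS runners, this release of harden-runner most likely does not monitor them (to my knowledge it covered only Ubuntu-hosted runners at the time). Those legs would then have no egress audit although the workflow reads as if every job were covered. I would make the gap explicit, either with a comment above the step such as `# harden-runner monitors Linux runners only; other matrix.os legs are unaudited` or with a guard `if: runner.os == 'Linux'` on the step.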
@@ -86,6 +98,9 @@ jobs:
 java: [ 8 ]
 runs-on: ${{ matrix.os }}
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
@@ -103,6 +118,9 @@ jobs:
 java: [ 6, 7 ]
 runs-on: ubuntu-20.04
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/cache@0865c47f36e68161719c5b124609996bb5c40129 # v3.0.5
 with:
@@ -122,6 +140,9 @@ jobs:
 needs: [ hotspot-ea, hotspot-supported, j9-supported, hotspot-unsupported, hotspot-32, hotspot-legacy ]
 if: github.event_name == 'push'
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
@@ -139,6 +160,9 @@ jobs:
 permissions:
 contents: write
 steps:
+ - uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 # V1.4.5
+ with:
+ egress-policy: audit
 - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2
 - uses: actions/setup-java@2c7a4878f5d120bd643426d54ae1209b29cc01a3 # v3.4.1
 with:
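Review bot: `egress-policy: audit` only records outbound connections and never blocks one, which matters most in the hunk at `@@ -139,6 +160,9 @@`, where the job holds `permissions: contents: write`. In that job a compromised build step or dependency could still reach an arbitrary host with the write-scoped token in hand, and the audit report would show it only afterwards. Once a few runs have established which endpoints the job needs, I would switch it to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit report, and until then leave a comment such as `# audit first; switch to block once endpoints are known`. The push-only job in the hunk at `@@ -122,6 +140,9 @@` looks like the next candidate, though the steps of both jobs continue outside the hunks.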