Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: Harden GitHub Actions #1207

Closed
wants to merge 1 commit into from
Closed

security: Harden GitHub Actions #1207

wants to merge 1 commit into from

Conversation

step-security-bot
Copy link
Contributor

@step-security-bot step-security-bot commented Jan 16, 2025
edited by areyou1or0
Loading

Summary

I'm onboarding our new CI/CD security tool: HardenRunner. A few lines are added to certain workflow files to enable the scanners.

It will scan for anomalies on the CI/CD side without making any changes (unless manually requested).

fixes https://github.com/neondatabase/cloud/issues/21253

bayandin
bayandin reviewed Jan 16, 2025
View reviewed changes
.github/workflows/pr-format-verification.yml
@@ -24,6 +24,11 @@ jobs:
if: github.actor != 'dependabot[bot]'
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
Copy link
Member

@bayandin bayandin Jan 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that some of new steps are pinned to a git tag, and some to a commit hash. It is possible to pin everything to a commit hash?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these are auto-generated by StepSecurity, I haven't changed them.

@areyou1or0 areyou1or0 changed the title [StepSecurity] ci: Harden GitHub Actions security: Harden GitHub Actions Jan 22, 2025
@sharnoff sharnoff self-assigned this Jan 22, 2025
@areyou1or0
Copy link

closing this one for now.

@areyou1or0 areyou1or0 closed this Jan 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bayandin bayandin bayandin left review comments

@areyou1or0 areyou1or0 areyou1or0 left review comments

@sharnoff sharnoff Awaiting requested review from sharnoff

Assignees

@sharnoff sharnoff

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@step-security-bot @areyou1or0 @bayandin @sharnoff