
Commit 394851e

[StepSecurity] ci: Harden GitHub Actions (#40)
1 parent 1f21e79 commit 394851e


1 file changed

+38
-18
lines changed


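--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,31 +19,41 @@ jobs:
     name: rustfmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: sfackler/actions/rustup@master
-      - uses: sfackler/actions/rustfmt@master
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: sfackler/actions/rustup@55af96fecc6b2ff28431120e3d9b723e5c1bccbf # master
+      - uses: sfackler/actions/rustfmt@55af96fecc6b2ff28431120e3d9b723e5c1bccbf # master
 
   clippy:
     name: clippy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: sfackler/actions/rustup@master
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: sfackler/actions/rustup@55af96fecc6b2ff28431120e3d9b723e5c1bccbf # master
       - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
         id: rust-version
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: ~/.cargo/registry/index
           key: index-${{ runner.os }}-${{ github.run_number }}
           restore-keys: |
             index-${{ runner.os }}-
       - run: cargo generate-lockfile
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: ~/.cargo/registry/cache
           key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - run: cargo fetch
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: target
           key: clippy-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}y
@@ -53,24 +63,29 @@ jobs:
     name: check-wasm32
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: sfackler/actions/rustup@master
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: sfackler/actions/rustup@55af96fecc6b2ff28431120e3d9b723e5c1bccbf # master
       - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
         id: rust-version
       - run: rustup target add wasm32-unknown-unknown
-      - uses: actions/cache@v3
+      - uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3
         with:
           path: ~/.cargo/registry/index
           key: index-${{ runner.os }}-${{ github.run_number }}
           restore-keys: |
             index-${{ runner.os }}-
       - run: cargo generate-lockfile
-      - uses: actions/cache@v3
+      - uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3
         with:
           path: ~/.cargo/registry/cache
           key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - run: cargo fetch
-      - uses: actions/cache@v3
+      - uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3
         with:
           path: target
           key: check-wasm32-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
@@ -80,26 +95,31 @@ jobs:
     name: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: docker compose up -d
-      - uses: sfackler/actions/rustup@master
+      - uses: sfackler/actions/rustup@55af96fecc6b2ff28431120e3d9b723e5c1bccbf # master
         with:
           version: 1.83.0
       - run: echo "version=$(rustc --version)" >> $GITHUB_OUTPUT
         id: rust-version
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: ~/.cargo/registry/index
           key: index-${{ runner.os }}-${{ github.run_number }}
           restore-keys: |
             index-${{ runner.os }}-
       - run: cargo generate-lockfile
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: ~/.cargo/registry/cache
           key: registry-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}
       - run: cargo fetch
-      - uses: actions/cache@v4
+      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
         with:
           path: target
           key: test-target-${{ runner.os }}-${{ steps.rust-version.outputs.version }}-${{ hashFiles('Cargo.lock') }}y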
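Review bot: The check-wasm32 job (second hunk) is pinned to actions/checkout v3.6.0 and actions/cache v3.4.3 while the rustfmt, clippy and test jobs in the same file are pinned to v4.2.2 of both, so the commit freezes a major-version skew instead of removing it; aligning that job to `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` and `- uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2` leaves one pinned revision per action to keep current. The `egress-policy: audit` setting on each new harden-runner step only records outbound calls and blocks nothing, which is a sensible first pass; once the audit logs show the endpoints these jobs actually need, the policy can be tightened to `egress-policy: block` with an explicit `allowed-endpoints` list, and the step name "Audit all outbound calls" should be updated at the same time so it does not misdescribe the enforcement mode. The `# master` comment on the sfackler/actions pins names a branch rather than a release, so a reader cannot tell what was pinned without resolving the commit; a comment recording the pinned commit's date or the tag it corresponds to would make the pin auditable. The top of the workflow, including any `permissions:` block, is outside this diff.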
