diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 40ec3f589f8..ed05548468c 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -14,6 +14,11 @@ jobs: name: auto-add-new-issue-to-project deployment: false steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Add issue to project id: add-project uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2 diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index cbbf9135e56..fb8f6812b26 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -23,6 +23,12 @@ jobs: github.event.sender.login == 'oep-renovate[bot]' }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Capture Commit SHA id: capture_sha run: | @@ -49,6 +55,8 @@ jobs: deployment: false runs-on: ubuntu-latest steps: + - *harden-runner + - name: Debug env: PR_AUTHOR: ${{ github.event.pull_request.user.login }} diff --git a/.github/workflows/backend-lint-and-test.yaml b/.github/workflows/backend-lint-and-test.yaml index 8da682c4669..36503376d4f 100644 --- a/.github/workflows/backend-lint-and-test.yaml +++ b/.github/workflows/backend-lint-and-test.yaml @@ -27,6 +27,12 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 @@ -56,6 +62,12 @@ jobs: permissions: contents: read # to checkout code steps: + - name: Harden the runner (audit all outbound calls) + if: matrix.os == 'ubuntu' + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - *checkout - name: Install Python, uv and Just diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 772a0327e47..a65ca26f4c6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -30,7 +30,14 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: - - name: Checkout repository + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - &checkout + name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: persist-credentials: false @@ -61,10 +68,10 @@ jobs: pull-requests: write # Post image size comments on PRs id-token: write # Use OIDC token to sign images steps: - - name: Checkout repository - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 - with: - persist-credentials: false + - *harden-runner + + - *checkout + - name: Read application version id: version diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 0f0655beede..691602ae545 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -25,6 +25,12 @@ jobs: run_actions: "${{ steps.prepare_outputs.outputs.run_actions }}" run_rust: "${{ steps.prepare_outputs.outputs.run_rust }}" steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 @@ -102,6 +108,8 @@ jobs: run: ${{ needs.check_paths.outputs.run_rust || 'true' }} steps: + - *harden-runner + - *checkout # Initializes the CodeQL tools for scanning. diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml index d504c282347..46de0a5f5e8 100644 --- a/.github/workflows/daily.yml +++ b/.github/workflows/daily.yml @@ -70,6 +70,12 @@ jobs: outputs: issue_exists: ${{ steps.check.outputs.issue_exists }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Check for existing open issue id: check uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 @@ -115,6 +121,8 @@ jobs: permissions: issues: write # Permission to create issues steps: + - *harden-runner + - name: Create GitHub Issue uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 with: diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml index 617bdb28d6b..eebb462633a 100644 --- a/.github/workflows/dependency-review.yaml +++ b/.github/workflows/dependency-review.yaml @@ -11,6 +11,11 @@ jobs: contents: read pull-requests: write # comment PR on failure steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: "Checkout Repository" uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/labeler.yaml b/.github/workflows/labeler.yaml index d3b4a5f70a6..e2a4da3d0d2 100644 --- a/.github/workflows/labeler.yaml +++ b/.github/workflows/labeler.yaml @@ -17,4 +17,9 @@ jobs: pull-requests: write runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }} steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 diff --git a/.github/workflows/lib-lint-and-test.yaml b/.github/workflows/lib-lint-and-test.yaml index 128d820e0b2..919016c764e 100644 --- a/.github/workflows/lib-lint-and-test.yaml +++ b/.github/workflows/lib-lint-and-test.yaml @@ -29,6 +29,12 @@ jobs: run_workflow: ${{ steps.check_paths.outputs.run }} run_benchmark_dataset_scripts: ${{ steps.check_benchmark_dataset_scripts.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 @@ -62,6 +68,8 @@ jobs: permissions: contents: read steps: + - *harden-runner + - *checkout - name: Install Python, uv and Just @@ -97,6 +105,11 @@ jobs: name: unit-tests-with-Python${{ matrix.python-version }} steps: # YAML anchors not used cause currently zizmor don't support them in matrix strategies + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: @@ -155,6 +168,11 @@ jobs: name: integration-tests-${{ matrix.task }}-py${{ matrix.python-version }} steps: # YAML anchors aren't used because Zizmor fails here and support for them is best-effort for now + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/npm-audit-fix.yml b/.github/workflows/npm-audit-fix.yml index 90774fd7fb4..8692f9bc985 100644 --- a/.github/workflows/npm-audit-fix.yml +++ b/.github/workflows/npm-audit-fix.yml @@ -19,6 +19,11 @@ jobs: contents: read # to checkout code steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f8998831ef1..717fcc13feb 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -16,6 +16,11 @@ jobs: contents: write # required by svenstaro/upload-release-action id-token: write # required by trusted publisher steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/remove-stale-branches.yaml b/.github/workflows/remove-stale-branches.yaml index aba2ad3ea64..8b61bcb135e 100644 --- a/.github/workflows/remove-stale-branches.yaml +++ b/.github/workflows/remove-stale-branches.yaml @@ -26,6 +26,11 @@ jobs: actions: read # Required to read branch activity pull-requests: read # Required to check if a branch has an open PR steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: fpicalausa/remove-stale-branches@9b829bc2975ade0c61e64e9613def53ec0732440 # v2.6.1 with: dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run || 'false' }} diff --git a/.github/workflows/renovate-config-validator.yml b/.github/workflows/renovate-config-validator.yml index 3e85987fe5b..10a789ba46e 100644 --- a/.github/workflows/renovate-config-validator.yml +++ b/.github/workflows/renovate-config-validator.yml @@ -29,6 +29,11 @@ jobs: permissions: contents: read steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout configuration uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml index 9192afeb1a0..ff3cd52be0a 100644 --- a/.github/workflows/renovate.yml +++ b/.github/workflows/renovate.yml @@ -59,6 +59,11 @@ jobs: runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }} steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index d50decc84f6..c0ff1a5169b 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -21,6 +21,11 @@ jobs: id-token: write steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 64740107391..adfa6ce555c 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml @@ -39,6 +39,12 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 @@ -59,6 +65,8 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - *harden-runner + - *checkout - name: Run Bandit scan @@ -77,6 +85,8 @@ jobs: contents: read security-events: write # Needed to upload the results to code-scanning dashboard steps: + - *harden-runner + - *checkout - name: Run Trivy scan @@ -100,6 +110,8 @@ jobs: matrix: ai-device: [cpu] steps: + - *harden-runner + - name: Runner cleanup uses: open-edge-platform/geti-ci/actions/cleanup-runner@7e686c1248b3939f8ee8e04e2612da727e379d91 with: @@ -240,6 +252,11 @@ jobs: matrix: ai-device: [cpu, cuda, xpu] steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - name: Run container image scan (${{ matrix.ai-device }}) uses: open-edge-platform/geti-ci/actions/trivy@7e686c1248b3939f8ee8e04e2612da727e379d91 with: diff --git a/.github/workflows/stale_marker.yaml b/.github/workflows/stale_marker.yaml index d35554a1171..2c5cc1c8c33 100644 --- a/.github/workflows/stale_marker.yaml +++ b/.github/workflows/stale_marker.yaml @@ -13,6 +13,11 @@ jobs: issues: write pull-requests: write steps: + - name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 with: stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days." diff --git a/.github/workflows/ui-lint-and-test.yaml b/.github/workflows/ui-lint-and-test.yaml index 1ab015f9d21..4e58b4b87d9 100644 --- a/.github/workflows/ui-lint-and-test.yaml +++ b/.github/workflows/ui-lint-and-test.yaml @@ -30,6 +30,12 @@ jobs: outputs: run_workflow: ${{ steps.check_paths.outputs.run }} steps: + - &harden-runner + name: Harden the runner (audit all outbound calls) + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + - &checkout name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 @@ -55,6 +61,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - name: Install Python, uv and Just @@ -86,6 +94,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - &setup-node @@ -126,6 +136,8 @@ jobs: permissions: contents: read # to checkout code steps: + - *harden-runner + - *checkout - *setup-node @@ -172,6 +184,8 @@ jobs: contents: read pull-requests: write steps: + - *harden-runner + - *checkout - *setup-node @@ -268,6 +282,8 @@ jobs: container: image: mcr.microsoft.com/playwright:v1.57.0-jammy@sha256:6aca677c27a967caf7673d108ac67ffaf8fed134f27e17b27a05464ca0ace831 steps: + # This job is running in a container. Such jobs can be monitored by installing Harden Runner in a custom VM image for GitHub-hosted runners. + - *checkout - *setup-node