Skip to content
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/workflows/add-to-project.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@ jobs:
name: auto-add-new-issue-to-project
deployment: false
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Add issue to project
id: add-project
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/auto-approve.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,12 @@ jobs:
github.event.sender.login == 'oep-renovate[bot]'
}}
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Capture Commit SHA
id: capture_sha
run: |
Expand All @@ -49,6 +55,8 @@ jobs:
deployment: false
runs-on: ubuntu-latest
steps:
- *harden-runner

- name: Debug
env:
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/backend-lint-and-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,12 @@ jobs:
outputs:
run_workflow: ${{ steps.check_paths.outputs.run }}
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- &checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down Expand Up @@ -56,6 +62,8 @@ jobs:
permissions:
contents: read # to checkout code
steps:
- *harden-runner
Comment thread
ivanzati marked this conversation as resolved.
Outdated

- *checkout

- name: Install Python, uv and Just
Expand Down
16 changes: 11 additions & 5 deletions .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,14 @@ jobs:
outputs:
run_workflow: ${{ steps.check_paths.outputs.run }}
steps:
- name: Checkout repository
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- &checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
Expand Down Expand Up @@ -56,10 +63,9 @@ jobs:
pull-requests: write # Post image size comments on PRs
id-token: write # Use OIDC token to sign images
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- *harden-runner

- *checkout

- name: Read application version
id: version
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@ jobs:
run_actions: "${{ steps.prepare_outputs.outputs.run_actions }}"
run_rust: "${{ steps.prepare_outputs.outputs.run_rust }}"
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- &checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand Down Expand Up @@ -102,6 +108,8 @@ jobs:
run: ${{ needs.check_paths.outputs.run_rust || 'true' }}

steps:
- *harden-runner

- *checkout

# Initializes the CodeQL tools for scanning.
Expand Down
10 changes: 10 additions & 0 deletions .github/workflows/daily.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,12 @@ jobs:
outputs:
version: ${{ steps.version.outputs.value }}
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down Expand Up @@ -89,6 +95,8 @@ jobs:
outputs:
issue_exists: ${{ steps.check.outputs.issue_exists }}
steps:
- *harden-runner

- name: Check for existing open issue
id: check
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
Expand Down Expand Up @@ -134,6 +142,8 @@ jobs:
permissions:
issues: write # Permission to create issues
steps:
- *harden-runner

- name: Create GitHub Issue
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/dependency-review.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,11 @@ jobs:
permissions:
contents: read
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: "Checkout Repository"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/labeler.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,9 @@ jobs:
pull-requests: write
runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }}
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
18 changes: 18 additions & 0 deletions .github/workflows/lib-lint-and-test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,12 @@ jobs:
outputs:
run_workflow: ${{ steps.check_paths.outputs.run }}
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- &checkout
name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand All @@ -50,6 +56,8 @@ jobs:
permissions:
contents: read
steps:
- *harden-runner

- *checkout

- name: Install Python, uv and Just
Expand Down Expand Up @@ -85,6 +93,11 @@ jobs:
name: unit-tests-with-Python${{ matrix.python-version }}
steps:
# YAML anchors not used cause currently zizmor don't support them in matrix strategies
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down Expand Up @@ -143,6 +156,11 @@ jobs:
name: integration-tests-${{ matrix.task }}-py${{ matrix.python-version }}
steps:
# YAML anchors aren't used because Zizmor fails here and support for them is best-effort for now
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/npm-audit-fix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ jobs:
contents: read # to checkout code

steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/publish.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,11 @@ jobs:
contents: write # required by svenstaro/upload-release-action
id-token: write # required by trusted publisher
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/remove-stale-branches.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,11 @@ jobs:
actions: read # Required to read branch activity
pull-requests: read # Required to check if a branch has an open PR
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- uses: fpicalausa/remove-stale-branches@7c4f2afe88a36c0f9114cd958380979b9d7323fb # v2.4.0
with:
dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run || 'false' }}
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/renovate-config-validator.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,11 @@ jobs:
permissions:
contents: read
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout configuration
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/renovate.yml
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,11 @@ jobs:
runs-on: ${{ github.repository_owner == 'open-edge-platform' && 'overflow' || 'ubuntu-latest' }}

steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/scorecard.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ jobs:
id-token: write

steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
Expand Down
17 changes: 17 additions & 0 deletions .github/workflows/security-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ jobs:
contents: read
security-events: write # Needed to upload the results to code-scanning dashboard
steps:
- &harden-runner
name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- &checkout
name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Expand All @@ -59,6 +65,8 @@ jobs:
contents: read
security-events: write # Needed to upload the results to code-scanning dashboard
steps:
- *harden-runner

- *checkout

- name: Run Bandit scan
Expand All @@ -77,6 +85,8 @@ jobs:
contents: read
security-events: write # Needed to upload the results to code-scanning dashboard
steps:
- *harden-runner

- *checkout

- name: Run Trivy scan
Expand All @@ -100,6 +110,8 @@ jobs:
matrix:
ai-device: [cpu]
steps:
- *harden-runner

- name: Runner cleanup
uses: open-edge-platform/geti-ci/actions/cleanup-runner@7e686c1248b3939f8ee8e04e2612da727e379d91
with:
Expand Down Expand Up @@ -240,6 +252,11 @@ jobs:
matrix:
ai-device: [cpu, cuda, xpu]
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- name: Run container image scan (${{ matrix.ai-device }})
uses: open-edge-platform/geti-ci/actions/trivy@7e686c1248b3939f8ee8e04e2612da727e379d91
with:
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/stale_marker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,11 @@ jobs:
issues: write
pull-requests: write
steps:
- name: Harden the runner (audit all outbound calls)
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit

- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
stale-issue-message: "This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days."
Expand Down
Loading
Loading