From 01bd4338476efc221994501afcadda856eadc116 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 06:08:54 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/create-release-pr.yml | 7 +- .github/workflows/docs.yml | 13 ++- .github/workflows/main.yml | 117 ++++++++++++++++-------- .github/workflows/release.yml | 26 +++++- .github/workflows/tag-release.yml | 5 + 5 files changed, 124 insertions(+), 44 deletions(-) diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 44076609b..9041bc8bd 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -35,12 +35,17 @@ jobs: contents: write issues: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # Install Rust deps - - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7 + - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 - uses: taiki-e/cache-cargo-install-action@4d586f211d9b0bca9e7b59e57e2a0febf36c0929 # v2.1.1 with: tool: just diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 04aa96c4a..9eed1026d 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
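Review bot: The `Swatinem/rust-cache` → `step-security/rust-cache` substitution in this hunk changes who maintains the action the build trusts, not just its ref, and the commit message ("Apply security best practices") does not say why; pinning a fork by SHA is a trust decision the project should take deliberately rather than accept as a pin bump. Before merging, confirm that `9be15b830520fab0ec3939586e917e4855cf76bd` is what the fork's `v2.8.3` tag resolves to, skim the fork's diff against upstream, and record the rationale next to the line, e.g. `# step-security fork of Swatinem/rust-cache; switched because …` — or keep the upstream action pinned at its own current SHA. Separately, the `egress-policy: audit` step added to this `contents: write` / `issues: write` job only logs outbound calls; it does not stop a compromised dependency from reaching an unexpected host, so plan a follow-up to `block` with an `allowed-endpoints:` list once an audit run has produced the baseline.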
@@ -13,14 +13,19 @@ jobs: concurrency: group: ${{ github.workflow }}-${{ github.ref }} steps: - - uses: actions/checkout@v2 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup mdBook - uses: peaceiris/actions-mdbook@v1 + uses: peaceiris/actions-mdbook@adeb05db28a0c0004681db83893d56c0388ea9ea # v1.2.0 with: mdbook-version: '0.4.43' - - uses: taiki-e/install-action@v2 + - uses: taiki-e/install-action@bfadeaba214680fb4ab63e710bcb2a6a17019fdc # v2.70.4 with: tool: >- mdbook-alerts@0.7.0, @@ -29,7 +34,7 @@ jobs: - run: mdbook build docs - name: Deploy - uses: peaceiris/actions-gh-pages@v3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 if: ${{ github.ref == 'refs/heads/main' }} with: github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 033a529a5..be5953084 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
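Review bot: `actions/checkout` in docs.yml is pinned to `ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0`, which freezes this workflow on the v2 major while main.yml in the same commit pins `# v4.3.1`; a SHA pin on an old major stays there until someone deliberately bumps it, so this is the moment to align it. Use the same ref the other workflows now use: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`. The same question applies to `peaceiris/actions-gh-pages`, pinned at `# v3.9.3` in the next hunk — verify that is still the maintained line before freezing it, since the deploy step hands it `secrets.GITHUB_TOKEN`.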
@@ -19,20 +19,25 @@ jobs: name: Jco Build runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: "latest" - name: Install Rust run: rustup update stable --no-self-update - - uses: Swatinem/rust-cache@v2 + - uses: step-security/rust-cache@9be15b830520fab0ec3939586e917e4855cf76bd # v2.8.3 with: shared-key: jco-${{ hashFiles('Cargo.lock') }} - name: Cache npm install id: cache-node-modules - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -43,7 +48,7 @@ jobs: - name: Build run: npm run build - name: Upload Jco Build - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: jco-build path: obj @@ -80,8 +85,13 @@ jobs: needs: - build steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: ${{ matrix.node }} @@ -97,7 +107,7 @@ jobs: # Use cached weval bin if present - name: Cache weval bin id: cache-weval-bin - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: .weval-bin key: weval-bin-${{ steps.weval-meta.outputs.version }}-${{ matrix.os }} 
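Review bot: The SHA pins added throughout main.yml (`actions/setup-node@3235b876… # v3.9.1`, `actions/cache@0057852b… # v4.3.0`, `actions/upload-artifact@ea165f8d… # v4.6.2`, …) are only as good as whatever keeps them current, and the diffstat shows this commit touches just the five workflow files — no `.github/dependabot.yml` or Renovate config is added. If one does not already exist, add a `package-ecosystem: "github-actions"` entry (with `directory: "/"` and a weekly schedule) so the SHAs and their `# vX.Y.Z` comments are bumped together; otherwise the change trades floating tags for pins that silently age. Note that the trailing `# vX.Y.Z` comment is informational only — GitHub resolves the SHA, so a comment that disagrees with its SHA would never be caught; a one-off check of each SHA against its tag is worth doing before merge. `actions/setup-node` is also left on the v3 line here; if that is not deliberate, pin the v4 major instead.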
@@ -122,7 +132,7 @@ jobs: - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -133,7 +143,7 @@ jobs: - name: Cache puppeteer install id: cache-puppeteer - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: puppeteer-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -144,7 +154,7 @@ jobs: npx puppeteer browsers install chrome - name: Download Build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: jco-build path: obj @@ -167,12 +177,17 @@ jobs: outputs: cache-key: ${{ steps.cache-wasi-tests.outputs.cache-primary-key }} steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: submodules: recursive - name: Cache WASI Tests id: cache-wasi-tests - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: tests/gen key: wasi-${{ hashFiles('xtask/src/generate/preview2_tests.rs', 'submodules/wasmtime/Cargo.lock') }} @@ -192,7 +207,7 @@ jobs: if: steps.cache-wasi-tests.outputs.cache-hit != 'true' run: cargo xtask generate preview2-tests - name: Upload Generated WASI Tests - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: wasi-tests path: tests/gen 
@@ -204,18 +219,23 @@ jobs: - build - build-wasi-tests steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: "latest" - - uses: denoland/setup-deno@v1 + - uses: denoland/setup-deno@11b63cf76cfcafb4e43f97b6cad24d8e8438f62d # v1.5.2 with: deno-version: v1.x - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -224,13 +244,13 @@ jobs: run: npm install - name: Download Build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: jco-build path: obj - name: Download WASI Tests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: wasi-tests path: tests/gen 
@@ -265,14 +285,19 @@ jobs: - build - build-wasi-tests steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: ${{ matrix.node }} - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -281,12 +306,12 @@ jobs: run: npm install - name: Download Build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: jco-build path: obj - name: Download WASI Tests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: wasi-tests path: tests/gen @@ -297,11 +322,16 @@ jobs: name: Test Preview2 Shims runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | 
@@ -316,11 +346,16 @@ jobs: name: ESLint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | @@ -335,7 +370,12 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Rust run: rustup update stable && rustup default stable && rustup component add rustfmt - name: Remove tests mod @@ -371,12 +411,17 @@ jobs: - name: http-hello-world workspace: examples/components/http-hello-world steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: ${{ matrix.node.version }} - name: Download Build - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: jco-build path: obj 
@@ -387,13 +432,13 @@ jobs: - name: Install required rust crates if: ${{ matrix.project.requires-crates != '[]' }} - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@bfadeaba214680fb4ab63e710bcb2a6a17019fdc # v2.70.4 with: tool: ${{ join(matrix.project.requires-crates, ',') }} - name: Install wac if: ${{ matrix.project.is-composed }} - uses: jaxxstorm/action-install-gh-release@v1 + uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 with: repo: bytecodealliance/wac tag: v${{ matrix.wac.version }} @@ -403,7 +448,7 @@ jobs: - name: Cache npm install id: cache-npm - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: key: node-modules-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('package.json') }} path: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index da6585714..61a4e2dcf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -54,6 +54,11 @@ jobs: artifact-name: ${{ steps.project-meta.outputs.artifact-name }} next-release-tag: ${{ steps.project-meta.outputs.next-release-tag }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: taiki-e/cache-cargo-install-action@4d586f211d9b0bca9e7b59e57e2a0febf36c0929 # v2.1.1 @@ -139,6 +144,11 @@ jobs: id-token: write attestations: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 
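Review bot: `jaxxstorm/action-install-gh-release` is now SHA-pinned, but the `wac` binary it fetches from `bytecodealliance/wac` at `tag: v${{ matrix.wac.version }}` is still installed with no integrity check visible in this hunk, and the harden-runner step earlier in this job runs in `audit` mode, so a substituted release asset would be logged rather than blocked. Consider verifying the downloaded binary's digest in a following step (e.g. `sha256sum -c` against a checksum file committed alongside the `matrix.wac.version` entries), or restricting this job with `egress-policy: block` plus `allowed-endpoints:` once an audit run has produced the baseline. The enclosing job definition and its matrix begin before this hunk.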
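Review bot: The harden-runner step added to the release.yml job at `@@ -139,6 +144,11 @@` uses `egress-policy: audit`, which only records outbound connections, while that job holds `id-token: write` and `attestations: write` — exactly the credentials most worth protecting from exfiltration by a compromised build step. After one audit run has produced the endpoint list, switch this job to `egress-policy: block` and enumerate the hosts it needs under `allowed-endpoints:`, so a dependency phoning home fails instead of being noted. The job definition and its remaining steps continue outside the hunk.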
@@ -153,7 +163,7 @@ jobs: run: | cargo package - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-path: ${{ needs.meta.outputs.artifacts-glob }} @@ -173,6 +183,11 @@ jobs: id-token: write attestations: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -182,7 +197,7 @@ jobs: run: | npm pack - - uses: actions/attest-build-provenance@v1 + - uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-path: ${{ needs.meta.outputs.artifacts-glob }} @@ -201,6 +216,11 @@ jobs: - pack-crate-release - pack-npm-release steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 @@ -227,7 +247,7 @@ jobs: path: artifacts - name: Create GH release - uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1 + uses: step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1 with: token: ${{ secrets.RELEASE_PAT || github.token }} prerelease: ${{ startsWith(github.ref, 'refs/heads/prep-release') }} diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml index 59f806c11..42fc22015 100644 --- a/.github/workflows/tag-release.yml +++ b/.github/workflows/tag-release.yml 
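Review bot: The "Create GH release" step now runs `step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41` instead of `softprops/action-gh-release`, and it still receives `token: ${{ secrets.RELEASE_PAT || github.token }}` — so a PAT, presumably broader than the job's `GITHUB_TOKEN`, is handed to a fork maintained by a different organisation than the one the project originally chose. That is an ownership change rather than a version bump; confirm the SHA is what the fork's `v2.6.1` tag resolves to, review the fork's diff against upstream, and state the reason inline, e.g. `# step-security fork of softprops/action-gh-release (v2.6.1); switched because …`, or keep upstream pinned at its current SHA. Whichever action is used, `RELEASE_PAT` should be a fine-grained token scoped to this repository with only the permission the release needs (presumably contents write), since `prerelease:` and the asset upload run with it. The `release` job's remaining steps lie outside the hunk.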
@@ -44,6 +44,11 @@ jobs: permissions: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0
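Review bot: The harden-runner step added before checkout in this `contents: write` job is in `audit` mode only, so a compromised step could still fetch from or push to an arbitrary host and the run would merely record it; once the audit baseline is known, tighten it to `egress-policy: block` with an `allowed-endpoints:` list. If the tag job needs no root (its remaining steps are outside this hunk), also add `disable-sudo: true` to the same `with:` block — harden-runner supports that input — to limit what a hijacked step can change on the runner. Note the checkout uses `fetch-depth: 0`, so the full history is available to every later step; that is fine for tagging but worth keeping in mind when reviewing what those steps execute.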