diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 84833809..a7284db4 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,11 +23,16 @@ jobs:
         language: [ cpp ]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
@@ -38,6 +43,6 @@ jobs:
           cmake --build build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3.35.1
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/esp_upload_component.yml b/.github/workflows/esp_upload_component.yml
index 00b7a662..8627550d 100644
--- a/.github/workflows/esp_upload_component.yml
+++ b/.github/workflows/esp_upload_component.yml
@@ -9,9 +9,14 @@ jobs:
   upload_components:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@main
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main
       - name: Upload component to component service
-        uses: espressif/upload-components-ci-action@v1
+        uses: espressif/upload-components-ci-action@b78a19fa5424714997596d3ecffa634aef8ae20b # v1.0.5
         with:
           name: "libsmb2"
           namespace: "sahlberg"
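Review bot: The new harden-runner step in the first codeql.yml hunk is configured with `egress-policy: audit`, which only records outbound connections and blocks none of them, so the step adds visibility but no enforcement against a compromised action or build dependency reaching out from the runner. Once a few audit runs have produced the endpoint list, the step should be tightened to `egress-policy: block` with an explicit `allowed-endpoints:` list, and the same applies to the identical step added in esp_upload_component.yml. The trailing `# v2.16.0`, `# v4.3.1` and `# v3.35.1` comments are the only human-readable version next to each pinned SHA; they stay accurate only if the repository's dependency-update tooling is configured to rewrite both the SHA and the comment, which is not visible in this change and is worth confirming.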
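Review bot: The esp_upload_component.yml hunk pins checkout to `actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # main`, an unreleased commit from the `main` branch, so the `# main` comment carries no version for update tooling to track and the job runs code that never went through a tagged release. codeql.yml in this same commit pins the release SHA, so this workflow should use the same line for consistency: `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`. This job publishes to an external component service, so keeping every action here on a reviewed release pin matters more than in the analysis workflow.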