Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider running StepSecurity on your repo #1792

Open
cary-ilm opened this issue Sep 2, 2024 · 0 comments
Open

Consider running StepSecurity on your repo #1792

cary-ilm opened this issue Sep 2, 2024 · 0 comments

Comments

@cary-ilm
Copy link
Member

cary-ilm commented Sep 2, 2024

StepSecurity automatically generates a pull request that adds several hardening measures to your repo. Run it here.

By default, the process will create one composite PR that makes multiple changes. I recommend running it several times to create separate PRs for each feature.

The changes it makes include:

  1. dependabot - registers the repo with a GitHub service that subsequently submits PRs to upgrade to new releases of workflow actions. An example OpenEXR PR is here.
  2. Set workflow permissions to read at the top level, and enable write permissions only on the steps that require it.
  3. Pin workflow releases to explicit SHA values rather than named releases.
  4. Adds a "Harden Runner" step that monitors CI jobs, although note that this does not work with the current release of the ASWF images, don't enable this for any workflow that uses the prebuilt images.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant