From 16d05e49bfe5a048cfb40c92358625d52d7ff2e9 Mon Sep 17 00:00:00 2001
From: Jed Salazar
Date: Tue, 12 Mar 2024 11:36:41 -0600
Subject: [PATCH] Add Harden Runner audit configs
Signed-off-by: Jed Salazar
---
 .github/workflows/build-samples.yml | 18 ++++++++++++++++++
 .github/workflows/build.yaml | 4 ++++
 .github/workflows/codeql.yaml | 4 ++++
 .github/workflows/release.yaml | 3 +++
 4 files changed, 29 insertions(+)
diff --git a/.github/workflows/build-samples.yml b/.github/workflows/build-samples.yml
index 9245e3cfe..bd4e78d97 100644
--- a/.github/workflows/build-samples.yml
+++ b/.github/workflows/build-samples.yml
@@ -22,6 +22,9 @@ jobs:
 arch: [x86_64, "386", armv7, aarch64, riscv64, s390x, ppc64le]
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
@@ -55,6 +58,9 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
@@ -86,6 +92,9 @@ jobs:
 runs-on: ${{ matrix.platform }}
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
@@ -105,6 +114,9 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
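Review bot: `egress-policy: audit` on the added harden-runner step only records outbound connections and blocks nothing, so this hunk and the same addition in the other five build-samples.yml hunks, build.yaml, codeql.yaml and release.yaml add visibility but no enforcement yet. That is a reasonable first step, but the follow-up should be tracked: once a baseline of observed endpoints has been collected, switch to `egress-policy: block` together with an explicit `allowed-endpoints:` list (the hosts are project-specific and must come from the audit runs, not be guessed). In the hunk at `@@ -86` the job runs on `${{ matrix.platform }}`; harden-runner documents GitHub-hosted Ubuntu runners, so if that matrix includes other operating systems, confirm how the step behaves there instead of assuming it monitors them. Placing the step before `actions/checkout` is the right order, since it then also observes checkout's own traffic. Each job's body starts before and continues after its hunk.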
@@ -140,6 +152,9 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
@@ -175,6 +190,9 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
 with:
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7e897e601..8f4596333 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -15,6 +15,10 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.1.5
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index cc0938f1b..c65a0daa2 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -17,6 +17,10 @@ jobs:
 contents: read
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v3.0.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2513138e8..f2f506760 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
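Review bot: The build.yaml and codeql.yaml hunks add a blank line after the harden-runner step's `egress-policy: audit`, while the six build-samples.yml hunks and the release.yaml hunk do not; pick one spacing for the step across the four workflows so later diffs stay minimal. Unrelated to this change but visible in the context lines: `actions/setup-go` is pinned to the same SHA `0c52d547c9bc32b1aa3301fd7a9cb496313a4491` in every file, yet the trailing comment reads `# v2.1.5` in build.yaml and build-samples.yml, `# v3.0.0` in codeql.yaml and `# v2.2.0` in release.yaml, so at least two of those version comments misstate what is pinned and are worth correcting in a follow-up, since reviewers rely on that comment when checking pins. The enclosing jobs continue outside each hunk.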
@@ -23,6 +23,9 @@ jobs:
 contents: write
 steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v2.2.0
 with:
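Review bot: This job runs with `contents: write` inside the release workflow, so it is the one where a leaked token or a tampered build output would do the most damage, yet the new step is left in audit mode like the read-only jobs. Consider promoting this job to `egress-policy: block` (with an `allowed-endpoints:` list derived from its own audit runs) ahead of the build and CodeQL jobs, and pairing it with harden-runner's `disable-sudo: true` if the release steps do not need root. The job body continues outside the hunk.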