From 5292ec8ffc948a0f6b2c4f0dbbcfe2f3aeb30595 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Sun, 5 Nov 2023 09:50:10 -0800 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#4923) ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @yurishkuro. Please merge the Pull Request to incorporate the requested changes. Please tag @yurishkuro on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Harden Runner [Harden-Runner](https://github.com/step-security/harden-runner) is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without `sudo` access.
Harden runner usage You can find link to view insights and policy recommendation in the build log Please refer to [documentation](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security) to find more details.
## Feedback For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot Signed-off-by: StepSecurity Bot --- .github/workflows/ci-label-check.yml | 5 +++++ .github/workflows/ci-release.yml | 2 +- .github/workflows/ci-validation-of-shell-scripts.yml | 10 +++++++++- .github/workflows/scorecard.yml | 5 +++++ 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-label-check.yml b/.github/workflows/ci-label-check.yml index d3897ffb0bf..9ebfff08ba9 100644 --- a/.github/workflows/ci-label-check.yml +++ b/.github/workflows/ci-label-check.yml @@ -14,6 +14,11 @@ jobs: check-label: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Check PR author id: check_author run: echo "::set-output name=is_dependabot::$(echo ${{ github.event.pull_request.user.login }} | grep -o 'dependabot')" diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index f332b684fa5..b6c68a28f5f 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml @@ -63,7 +63,7 @@ jobs: - name: Configure GPG Key id: import_gpg - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.github/workflows/ci-validation-of-shell-scripts.yml b/.github/workflows/ci-validation-of-shell-scripts.yml index d9b6ad33c67..e4fdd821d02 100644 --- a/.github/workflows/ci-validation-of-shell-scripts.yml +++ b/.github/workflows/ci-validation-of-shell-scripts.yml 
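Review bot: `egress-policy: audit` in the added Harden Runner step of ci-label-check.yml only records outbound connections and blocks nothing, so as written the step does not yet provide the exfiltration prevention the description promises; the same applies to the identical steps added to ci-validation-of-shell-scripts.yml and scorecard.yml. A comment above the `with:` block would make the intent explicit, e.g. `# audit mode only logs egress; move to egress-policy: block with allowed-endpoints once the insights confirm the required hosts`. Unlike the ci-validation-of-shell-scripts.yml hunk, this hunk adds no `permissions:` block; if the workflow does not already declare one above line 14 (outside this hunk), a top-level `permissions: contents: read` would bring it in line with the other file. The existing context line `run: echo "::set-output ..."` still uses the deprecated `::set-output` command and interpolates `${{ github.event.pull_request.user.login }}` straight into the shell; it is outside this change's scope, but a follow-up writing to `"$GITHUB_OUTPUT"` with the login passed through an `env:` variable would be the current recommended form.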
@@ -7,13 +7,21 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: validation-of-shell-scripts: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: check out code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install shellcheck run: sudo apt-get install shellcheck diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 3db3a5b246f..cecd4feb570 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with:
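Review bot: The unchanged `run: sudo apt-get install shellcheck` step at the end of this hunk fetches from Ubuntu package mirrors, and with the new Harden Runner step in `egress-policy: audit` that traffic is only logged, so when the policy is later tightened to `block` those apt endpoints must be listed under `allowed-endpoints` or the job will fail. I believe ShellCheck ships preinstalled on the `ubuntu-latest` image, in which case the install step could be dropped altogether and the egress question disappears; worth confirming against the runner image before relying on it. A short comment such as `# apt mirrors must be allowlisted before switching harden-runner to block mode` above the install step would keep that dependency visible.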