From 88f474c296bc584ec5bc9df3abd94799c82ec70b Mon Sep 17 00:00:00 2001
From: Joshua Rich
Date: Fri, 27 Sep 2024 15:22:14 +1000
Subject: [PATCH] ci(github): :wrench: harden analysis workflow and fix nilaway action to install go
---
 .github/workflows/analysis.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index 2c5ee34c0..2c23ae7ef 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -33,7 +33,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: > github.com:443
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 with:
@@ -69,11 +72,19 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v1
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: > github.com:443
 - name: Checkout repository
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
 with:
 fetch-depth: 0
+ - name: Setup Go
+ id: setup_go
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
+ with:
+ go-version-file: 'go.mod'
 - name: Nil panic checks
 uses: qbaware/nilaway-action@8e71d29f098051670655958e754d21ebb7197416 # v0.0.9
 with:
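Review bot: The `allowed-endpoints` list added in this hunk (and repeated in the second hunk) names only `github.com:443`, while the removed TODO says the switch to `block` was to happen after reviewing a couple of `audit` runs, and nothing in the commit shows which hosts those runs recorded. With `egress-policy: block`, harden-runner denies every connection not on the list, so any later step in this job that reaches another host (the job's remaining steps are outside the hunk) will fail rather than be audited. Take the host list from the last audit run's report and add each required entry alongside `github.com:443` (for example `api.github.com:443` if any step uses the GitHub API), and add a one-line comment such as `# endpoints taken from harden-runner audit report of <run-id>` so the next reviewer can tell the list was verified rather than guessed.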
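Review bot: The new `Setup Go` step is added under an allow-list that permits only `github.com:443`, but `actions/setup-go` fetches the toolchain named by `go-version-file: 'go.mod'` from `go.dev` (with `storage.googleapis.com` as its fallback) whenever that version is not already in the runner's tool cache, and the following nilaway step presumably runs `go install`, which pulls modules and checksums from `proxy.golang.org` and `sum.golang.org`. Under `egress-policy: block` those connections are refused, so the very step this commit adds to fix the workflow is likely to fail on the first cache miss; the endpoints below are the ones I would expect, but confirm them against a harden-runner audit report before relying on the list. Separately, `id: setup_go` is not referenced anywhere in the hunk; if nothing outside it reads `steps.setup_go`, drop the `id`.
```yaml
with:
  # … unchanged: disable-sudo, egress-policy …
  allowed-endpoints: >
    github.com:443
    go.dev:443
    proxy.golang.org:443
    storage.googleapis.com:443
    sum.golang.org:443
```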