From 470cace644e7576bde2508d4506e21b0c9e66735 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 21 Dec 2023 04:53:56 +0000
Subject: [PATCH] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/lint.yml | 14 +++++++++++---
 .github/workflows/test.yml | 12 ++++++++++--
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7e48144..43fbbb2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,19 +1,27 @@
 name: Lint
 on: [ push, pull_request ]
+permissions:
+ contents: read
+
 jobs:
 rust:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup Rust toolchain
 run: rustup show && rustup update
 - name: cargo fmt
- uses: actions-rs/cargo@v1
+ uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: fmt
 args: -- --check
 - name: cargo clippy
- uses: actions-rs/cargo@v1
+ uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: clippy
 args: --all-features --tests -- -D warnings
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c150ca2..f3a8257 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
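Review bot: The `cargo fmt` and `cargo clippy` steps in lint.yml still go through `actions-rs/cargo`, and pinning it to 844f36862e911db73fe0815f00a4a2602c279505 (v1.0.3) freezes a third-party action that, as far as I know, is no longer maintained upstream, so the pin is unlikely ever to receive a fix. The job already has cargo on the runner (the `rustup show && rustup update` step), so the wrapper can be dropped: `run: cargo fmt -- --check` and `run: cargo clippy --all-features --tests -- -D warnings`. That removes a third-party dependency from the workflow's trust base rather than only fixing its version. The same applies to the `cargo test` step in .github/workflows/test.yml, which could become `run: cargo test --workspace`.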
@@ -1,16 +1,24 @@
 name: Test
 on: [ push, pull_request ]
+permissions:
+ contents: read
+
 jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup Rust toolchain
 run: rustup show && rustup update
 - name: Build murmurhash3
 run: cargo build
 - name: cargo test
- uses: actions-rs/cargo@v1
+ uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: test
 args: --workspace
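Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections. The `cargo build` and `cargo test` steps execute build scripts and test code from whatever push or pull request triggered the run, and they can still reach any host. Once a few runs have established the baseline, this should move to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit results. The lint workflow carries the same setting. Until then, a comment above the step such as `# audit only: switch to block once the endpoint baseline is recorded` would keep the job from staying in audit mode indefinitely.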