From 251c9b8cf51bb996e34277b95acd92ed6003907b Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Thu, 30 Oct 2025 17:35:22 +0000
Subject: [PATCH 1/7] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/commit-lint.yml | 12 ++++++++++--
 .github/workflows/npm-publish.yml | 22 ++++++++++++++++------
 .github/workflows/pull_request_checks.yml | 9 +++++++--
 3 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index c17dec1..25c363e 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -4,15 +4,23 @@ on:
 pull_request:
 branches: [master]
+permissions:
+ contents: read
+
 jobs:
 commit_lint:
 name: "Lint commit messages"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 16
 - run: yarn install --frozen-lockfile
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index c947caa..743ae6f 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -13,8 +13,13 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 16
 - run: yarn install --frozen-lockfile
@@ -24,8 +29,13 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 16
 registry-url: https://registry.npmjs.com/
@@ -33,13 +43,13 @@ jobs:
 - run: yarn run build
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
 with:
 aws-region: us-east-1
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role
 - name: Read secrets from AWS Secrets Manager into environment variables
- uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5
+ uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5
 with:
 secret-ids: |
 /prod/circle-nodejs-sdk/npm/automation-token
diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index f886c33..2ceabd4 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
@@ -9,8 +9,13 @@ jobs:
 name: "Lint, Build and Test"
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 - name: Installing dependencies
 run: yarn install --frozen-lockfile
 - name: Prettier check
From ab47e8aaef4e0315e06817692ceb5944a0eb9544 Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:24:56 -0500
Subject: [PATCH 2/7] Update harden-runner egress-policy from audit to block
---
 .github/workflows/commit-lint.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index 25c363e..f5a8199 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -12,10 +12,11 @@ jobs:
 name: "Lint commit messages"
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 with:
From d8fdf3a2c5d7cbc56525b50864f33822b96220d3 Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:24:58 -0500
Subject: [PATCH 3/7] Update harden-runner egress-policy from audit to block
---
 .github/workflows/npm-publish.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 743ae6f..3231c18 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
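Review bot: No workflow-level `permissions:` block is added to pull_request_checks.yml in this patch, unlike commit-lint.yml in the same series, so the lint job keeps whatever default GITHUB_TOKEN scopes the repository setting grants; the file header is outside the hunk, but the diffstat (7 insertions, all inside `steps:`) suggests no such block exists yet. A job that runs `yarn install` on pull_request content should hold the narrowest token it can, so add `permissions:` / `  contents: read` at the top of the file as this patch already does for commit-lint.yml.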
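Review bot: The new `policy: global-allowed-endpoints-policy` line moves the effective egress allowlist out of the repository, so with `egress-policy: block` a reader of this diff cannot tell which hosts the job may still reach, and later edits to that policy are not subject to code review. If the allowlist for this job is small (GitHub plus the yarn registry, judging by the steps in context), consider declaring it in-repo with harden-runner's `allowed-endpoints` input instead of, or alongside, the named policy; otherwise add a comment above the line such as `# Allowlist is managed in the StepSecurity dashboard; changes there bypass PR review`. Patches 3 and 4 make the same change to npm-publish.yml and pull_request_checks.yml, and this note applies there too. The job-level `id-token: write` that a named policy lookup presumably requires only arrives in patches 5–7, so the intermediate commits of this series may not run cleanly on their own.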
@@ -13,10 +13,11 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -29,10 +30,11 @@ jobs:
 needs: build
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
From 4bfcfc8be5e58d6f9ccad6ca556f7bcebbe9e47a Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:25:00 -0500
Subject: [PATCH 4/7] Update harden-runner egress-policy from audit to block
---
 .github/workflows/pull_request_checks.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index 2ceabd4..4a5eac4 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
@@ -9,10 +9,11 @@ jobs:
 name: "Lint, Build and Test"
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
+ - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
 with:
- egress-policy: audit
+ egress-policy: block
+ policy: global-allowed-endpoints-policy
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
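Review bot: The publish-npm job now points at the same `global-allowed-endpoints-policy` as the pull_request-triggered lint jobs, although its egress needs are the widest in the repository (AWS STS, Secrets Manager and registry.npmjs.com, per the steps visible in patch 1), so a single global allowlist sized for publishing also opens those destinations to jobs that run `yarn install` on unreviewed PR content. A per-workflow policy, or a dedicated one for this job, keeps each allowlist aligned with what the job actually contacts and makes a blocked call in the lint jobs a real signal rather than noise. The policy name is only a reference, so whether the shared policy is in fact that broad cannot be confirmed from the diff.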
From 44c508d20ed8408dc908b93b99a6483bd4f61ecc Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:46:49 -0500
Subject: [PATCH 5/7] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/commit-lint.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/commit-lint.yml b/.github/workflows/commit-lint.yml
index f5a8199..41b53b3 100644
--- a/.github/workflows/commit-lint.yml
+++ b/.github/workflows/commit-lint.yml
@@ -11,6 +11,9 @@ jobs:
 commit_lint:
 name: "Lint commit messages"
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
 - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
From c0a755d10a28d53a3b7019006557ff9bc620c9c7 Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:46:50 -0500
Subject: [PATCH 6/7] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/npm-publish.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 3231c18..7fe92d3 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -12,6 +12,9 @@ permissions:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
 - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -29,6 +32,9 @@ jobs:
 publish-npm:
 needs: build
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
 - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
From 99bd94adab09accbccc5b885fe7fa6a9310c956f Mon Sep 17 00:00:00 2001
From: Ali Kafel
Date: Tue, 4 Nov 2025 12:46:52 -0500
Subject: [PATCH 7/7] Update harden-runner: egress-policy to block and add id-token permission
---
 .github/workflows/pull_request_checks.yml | 3 +++
 1 file changed, 3 insertions(+)
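Review bot: A job-level `permissions:` block replaces the workflow-level one for that job rather than extending it, and every scope not listed becomes `none`; with only `id-token: write` here, the `contents: read` granted at workflow level in patch 1 no longer applies to commit_lint, so its `actions/checkout` step runs with a token that has no repository read scope (which matters as soon as the repository is private). List both scopes at the job level: `permissions:` / `  contents: read` / `  id-token: write`. Patches 6 and 7 add the same `id-token`-only block to the build and publish-npm jobs in npm-publish.yml and to lint in pull_request_checks.yml; those files' workflow-level grants are outside the hunks, so check which scopes each job actually loses there — the publish job's `role-to-assume` step presumably relies on id-token for OIDC, and every job checks out code.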
diff --git a/.github/workflows/pull_request_checks.yml b/.github/workflows/pull_request_checks.yml
index 4a5eac4..9277b05 100644
--- a/.github/workflows/pull_request_checks.yml
+++ b/.github/workflows/pull_request_checks.yml
@@ -8,6 +8,9 @@ jobs:
 lint:
 name: "Lint, Build and Test"
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
 - name: Harden the runner
 uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1