Skip to content

chore(stepsecurity): apply security best practices #130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
stepsecurity-app wants to merge 7 commits into from
Closed

chore(stepsecurity): apply security best practices #130

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3540478
[StepSecurity] Apply security best practices
stepsecurity-app[bot] Nov 4, 2025
0757a63
Update harden-runner: egress-policy to block and add id-token permission
ali-kafel Nov 4, 2025
6086b4c
Update harden-runner: egress-policy to block and add id-token permission
ali-kafel Nov 4, 2025
8953501
Update harden-runner: egress-policy to block and add id-token permission
ali-kafel Nov 4, 2025
73edc28
Update harden-runner to v2.13.2: egress-policy to block and add id-to…
ali-kafel Nov 5, 2025
2951fb3
Update harden-runner to v2.13.2: egress-policy to block and add id-to…
ali-kafel Nov 5, 2025
3f5a1ac
Update harden-runner to v2.13.2: egress-policy to block and add id-to…
ali-kafel Nov 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions .github/workflows/commit-lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,27 @@ on:
pull_request:
branches: [master]

permissions:
contents: read

jobs:
commit_lint:
name: "Lint commit messages"
runs-on: ubuntu-latest
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
- name: Harden the runner
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
with:
fetch-depth: 0
- uses: actions/setup-node@v4
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
- run: yarn install --frozen-lockfile
Expand Down
30 changes: 24 additions & 6 deletions .github/workflows/npm-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,18 @@ permissions:
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- name: Harden the runner
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
- run: yarn install --frozen-lockfile
Expand All @@ -23,23 +32,32 @@ jobs:
publish-npm:
needs: build
runs-on: ubuntu-latest
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- name: Harden the runner
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 16
registry-url: https://registry.npmjs.com/
- run: yarn install --frozen-lockfile
- run: yarn run build

- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
with:
aws-region: us-east-1
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role

- name: Read secrets from AWS Secrets Manager into environment variables
uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5
uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5
with:
secret-ids: |
/prod/circle-nodejs-sdk/npm/automation-token
Expand Down
13 changes: 11 additions & 2 deletions .github/workflows/pull_request_checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,18 @@ jobs:
lint:
name: "Lint, Build and Test"
runs-on: ubuntu-latest
permissions:
id-token: write

steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- name: Harden the runner
uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
with:
egress-policy: block
policy: global-allowed-endpoints-policy

- uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
- name: Installing dependencies
run: yarn install --frozen-lockfile
- name: Prettier check
Expand Down
Loading