.github/workflows/commit-lint.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -4,15 +4,26 @@ on: @@
       pull_request:
         branches: [master]
+    permissions:
+      contents: read
     jobs:
       commit_lint:
         name: "Lint commit messages"
         runs-on: ubuntu-latest
+        permissions:
+          id-token: write
         steps:
-          - uses: actions/checkout@v4
+          - name: Harden the runner
+            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+            with:
+              egress-policy: block
+              policy: global-allowed-endpoints-policy
+          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
             with:
               fetch-depth: 0
-          - uses: actions/setup-node@v4
+          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
             with:
               node-version: 16
           - run: yarn install --frozen-lockfile
@@ Expand Down @@

.github/workflows/npm-publish.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -13,8 +13,14 @@ jobs:
  
      build:

        runs-on: ubuntu-latest

        steps:

          - uses: actions/checkout@v4

          - uses: actions/setup-node@v4

          - name: Harden the runner

            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2

            with:

              egress-policy: block

              policy: global-allowed-endpoints-policy

          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

            with:

              node-version: 16

          - run: yarn install --frozen-lockfile

    @@ -23,23 +29,31 @@ jobs:
  
      publish-npm:

        needs: build

        runs-on: ubuntu-latest

        permissions:

          id-token: write

        steps:

          - uses: actions/checkout@v4

          - uses: actions/setup-node@v4

          - name: Harden the runner

            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2

            with:

              egress-policy: block

              policy: global-allowed-endpoints-policy

          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

            with:

              node-version: 16

              registry-url: https://registry.npmjs.com/

          - run: yarn install --frozen-lockfile

          - run: yarn run build

          - name: Configure AWS Credentials

            uses: aws-actions/configure-aws-credentials@v4

            uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1

            with:

              aws-region: us-east-1

              role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID_PAY }}:role/github-actions-service-role

          - name: Read secrets from AWS Secrets Manager into environment variables

            uses: aws-actions/aws-secretsmanager-get-secrets@v2.0.5

            uses: aws-actions/aws-secretsmanager-get-secrets@98c2d6bf1dd67c2575fa2bb14294aa64103d426c # v2.0.5

            with:

              secret-ids: |

                /prod/circle-nodejs-sdk/npm/automation-token

.github/workflows/pull_request_checks.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,9 +8,17 @@ jobs: @@
       lint:
         name: "Lint, Build and Test"
         runs-on: ubuntu-latest
+        permissions:
+          id-token: write
         steps:
-          - uses: actions/checkout@v4
-          - uses: actions/setup-node@v4
+          - name: Harden the runner
+            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+            with:
+              egress-policy: block
+              policy: global-allowed-endpoints-policy
+          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
           - name: Installing dependencies
             run: yarn install --frozen-lockfile
           - name: Prettier check
@@ Expand Down @@

chore: apply security best practices and onboard stepsecurity #131

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

ali-kafel merged 2 commits into master from add-step-security

Nov 6, 2025

-Original file line number
+Diff line change
@@ Expand Up / @@ -4,15 +4,26 @@ on: @@
       pull_request:
         branches: [master]
+    permissions:
+      contents: read
     jobs:
       commit_lint:
         name: "Lint commit messages"
         runs-on: ubuntu-latest
+        permissions:
+          id-token: write
         steps:
-          - uses: actions/checkout@v4
+          - name: Harden the runner
+            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+            with:
+              egress-policy: block
+              policy: global-allowed-endpoints-policy
+          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
             with:
               fetch-depth: 0
-          - uses: actions/setup-node@v4
+          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
             with:
               node-version: 16
           - run: yarn install --frozen-lockfile
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,9 +8,17 @@ jobs: @@
       lint:
         name: "Lint, Build and Test"
         runs-on: ubuntu-latest
+        permissions:
+          id-token: write
         steps:
-          - uses: actions/checkout@v4
-          - uses: actions/setup-node@v4
+          - name: Harden the runner
+            uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+            with:
+              egress-policy: block
+              policy: global-allowed-endpoints-policy
+          - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+          - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
           - name: Installing dependencies
             run: yarn install --frozen-lockfile
           - name: Prettier check
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: apply security best practices and onboard stepsecurity #131

Uh oh!

Diff view

Diff view

There are no files selected for viewing