From 4d7e97069d51127c1a226cc9db6497c9533f9d40 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 8 Apr 2026 04:14:12 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 5 +++++
 .github/workflows/codeql.yml | 5 +++++
 .../workflows/dependabot-update-openapi-snapshots.yml | 5 +++++
 .github/workflows/docs-pages.yml | 10 ++++++++++
 .github/workflows/python-tests.yml | 10 ++++++++++
 .github/workflows/scorecard.yml | 5 +++++
 .github/workflows/stale.yml | 5 +++++
 .pre-commit-config.yaml | 10 ++++++++++
 8 files changed, 55 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f09de8b8..6dffcdc1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -52,3 +52,8 @@ updates:
 - "*"
 schedule:
 interval: "monthly"
+
+ - package-ecosystem: docker
+ directory: /.clusterfuzzlite
+ schedule:
+ interval: daily
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1d2b3e74..79168cf6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -56,6 +56,11 @@ jobs:
 - analyze
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Decide whether the needed jobs succeeded or failed
 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
diff --git a/.github/workflows/dependabot-update-openapi-snapshots.yml b/.github/workflows/dependabot-update-openapi-snapshots.yml
index f4a367dc..e48e2ef4 100644
--- a/.github/workflows/dependabot-update-openapi-snapshots.yml
+++ b/.github/workflows/dependabot-update-openapi-snapshots.yml
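Review bot: The new `docker` entry writes its scalars bare (`package-ecosystem: docker`, `interval: daily`) while the entry above it quotes them (`interval: "monthly"` in the context line), so the file now mixes two styles; `package-ecosystem: "docker"` and `interval: "daily"` would match the existing convention. Dependabot only has work to do here if a Dockerfile is actually present under `/.clusterfuzzlite`; if that directory was added for a ClusterFuzzLite integration that does not yet exist in this repository, expect Dependabot to report an error for this entry rather than skip it silently, so the path is worth confirming. The enclosing `updates:` list begins outside the hunk.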
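Review bot: `egress-policy: audit` only logs outbound connections and blocks none, so the new step adds telemetry but no enforcement, which the commit title ("Apply security best practices") may lead readers to assume it provides. The same step is inserted in dependabot-update-openapi-snapshots.yml, docs-pages.yml (both jobs), python-tests.yml (both jobs), scorecard.yml and stale.yml, and this note applies to all of them. The intended end state is `egress-policy: block` together with an `allowed-endpoints:` list derived from the audit runs, starting with the jobs that hold credentials (the `dependabot-automation` environment and the Pages deployment); note also that harden-runner itself reports run data to the StepSecurity service, a new outbound dependency the repository should consciously accept. For this particular job, which only runs the alls-green status check, there appears to be nothing to audit, so the step could be dropped here. The job definition starts outside the hunk.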
@@ -23,6 +23,11 @@ jobs:
 environment:
 name: "dependabot-automation"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Checkout target ref
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
diff --git a/.github/workflows/docs-pages.yml b/.github/workflows/docs-pages.yml
index 0eeb5091..20e2da2c 100644
--- a/.github/workflows/docs-pages.yml
+++ b/.github/workflows/docs-pages.yml
@@ -28,6 +28,11 @@ jobs:
 permissions:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -61,6 +66,11 @@ jobs:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Deploy to GitHub Pages
 id: deployment
 uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/python-tests.yml b/.github/workflows/python-tests.yml
index 95cbc7bd..161ba2d1 100644
--- a/.github/workflows/python-tests.yml
+++ b/.github/workflows/python-tests.yml
@@ -25,6 +25,11 @@ jobs:
 python-version: ["3.12", "3.13", "3.14"]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -78,6 +83,11 @@ jobs:
 - build
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Decide whether the needed jobs succeeded or failed
 uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 980e5644..0df1e053 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -23,6 +23,11 @@ jobs:
 contents: read
 actions: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 436cdaea..b5a51f14 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -27,6 +27,11 @@ jobs:
 OPERATIONS_PER_RUN: "200"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+ with:
+ egress-policy: audit
+
 - name: Mark stale issues and pull requests
 uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
 with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 7bd3a4d7..dc67a667 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -5,6 +5,8 @@ repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v6.0.0
 hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
 - id: check-merge-conflict
 - id: check-json
 # This fixture intentionally includes non-standard JSON numeric literals (NaN/Infinity).
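Review bot: `end-of-file-fixer` and `trailing-whitespace` rewrite every file they match, and this config already carves a fixture out of `check-json` (the `exclude: *json_nonfinite_exclude` alias further down the file), but the two new hooks get no such exclusion, so committed fixtures or snapshot files whose exact bytes matter (for example the OpenAPI snapshots that a workflow in this commit maintains) may be rewritten on the next commit. Consider an `exclude:` on both hooks for those paths, and `args: [--markdown-linebreak-ext=md]` on `trailing-whitespace` so two-space Markdown line breaks are preserved. The `hooks:` list continues outside the hunk.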
@@ -137,3 +139,11 @@ repos:
 language: system
 files: \.json$
 exclude: *json_nonfinite_exclude
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+ - repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
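Review bot: The two new repos are pinned by tag (`rev: 3.0.0`, `rev: v2.17.2`) while every action this same commit touches is pinned to a full commit SHA with a version comment; tags are mutable, so for a change presented as a security baseline the `rev` values should be the corresponding commit SHAs with the tag in a trailing comment, and the existing `rev: v6.0.0` above would benefit from the same treatment. `pylint` v2.17.2 predates the 3.x line and, as far as I recall, does not support the 3.12–3.14 interpreters the test matrix in this commit uses, so confirm it still parses the codebase; the hook also runs in pre-commit's isolated environment without the project's dependencies, which usually produces import-error findings unless `additional_dependencies` or `language: system` is set. The jumanjihouse `shellcheck` hook, as far as I recall, wraps a system `shellcheck` binary rather than bundling one, so contributors and CI need it installed for the hook to run at all. Both additions sit at the end of the `repos:` list, which begins outside the hunk.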