From e3b00e0ca4b349920f455f8d893a770fe96b9ae5 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 24 Feb 2026 13:40:32 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/claude-org-wide.yml | 31 ++++++++++++++++--- .github/workflows/claude-react-on-comment.yml | 17 ++++++++-- .github/workflows/lint-workflows.yml | 18 ++++++++--- 3 files changed, 56 insertions(+), 10 deletions(-) diff --git a/.github/workflows/claude-org-wide.yml b/.github/workflows/claude-org-wide.yml index 847b13d..adc1745 100644 --- a/.github/workflows/claude-org-wide.yml +++ b/.github/workflows/claude-org-wide.yml @@ -4,6 +4,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: check-trigger: name: "Check trigger phrase and eligibility" @@ -13,6 +16,11 @@ jobs: outputs: triggered: ${{ steps.check.outputs.triggered }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Check for trigger phrase" id: check env: @@ -33,6 +41,11 @@ jobs: outputs: repos: ${{ steps.list.outputs.repos }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "List all public repositories in the organization" id: list env: @@ -66,6 +79,11 @@ jobs: - repo: phpstan/vim-phpstan - repo: phpstan/.github steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Get default branch of target repository" id: default-branch env: @@ -75,7 +93,7 @@ jobs: echo "branch=$default_branch" >> "$GITHUB_OUTPUT" - name: "Checkout target repository" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: repository: ${{ matrix.repo }} token: ${{ secrets.PHPSTAN_BOT_TOKEN }} @@ -93,7 +111,7 @@ jobs: echo "${delimiter}" >> "$GITHUB_OUTPUT" - name: "Run Claude Code on repository" - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} claude_args: "--model claude-opus-4-6" @@ -141,7 +159,7 @@ jobs: - name: "Upload PR URL artifact" if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pr-url-${{ steps.repo-name.outputs.sanitized }} path: /tmp/pr-url.txt @@ -154,8 +172,13 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Download all PR URL artifacts" - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: pattern: pr-url-* path: pr-urls diff --git a/.github/workflows/claude-react-on-comment.yml b/.github/workflows/claude-react-on-comment.yml index 953d6a6..2c497d7 100644 --- a/.github/workflows/claude-react-on-comment.yml +++ b/.github/workflows/claude-react-on-comment.yml @@ -14,6 +14,9 @@ concurrency: group: claude-pr-reactions-${{ github.event.pull_request.number || github.event.issue.number }} cancel-in-progress: false +permissions: + contents: read + jobs: check-trigger: name: "Check trigger phrase" @@ -22,6 +25,11 @@ jobs: outputs: triggered: ${{ steps.check.outputs.triggered }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Check for trigger phrase" id: check env: @@ -45,11 +53,16 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + - name: "Checkout" - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: "React to feedback" - uses: anthropics/claude-code-action@v1 + uses: anthropics/claude-code-action@35a9e0292d36f1186f5d842b14eb575074e8b450 # v1.0.57 with: claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} trigger_phrase: "@phpstan-bot" diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml index c9e4e5b..8b716a6 100644 --- a/.github/workflows/lint-workflows.yml +++ b/.github/workflows/lint-workflows.yml @@ -11,7 +11,12 @@ jobs: actionlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Check workflow files run: | echo "::add-matcher::.github/actionlint-matcher.json" @@ -26,15 +31,20 @@ jobs: security-events: write # Required for codeql-action/upload-sarif to upload SARIF files. timeout-minutes: 10 steps: - - uses: actions/checkout@v6 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2 + with: + egress-policy: audit + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run octoscan id: octoscan - uses: synacktiv/action-octoscan@v1 + uses: synacktiv/action-octoscan@6b1cf2343893dfb9e5f75652388bd2dc83f456b0 # v1.0.0 with: filter_triggers: '' - name: Upload SARIF file to GitHub - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: sarif_file: "${{steps.octoscan.outputs.sarif_output}}" category: octoscan