Add runner hardening to all jobs in our workflows

This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic.
cisagov · Sep 13, 2023 · 41cbf1e · 41cbf1e
1 parent 465a5a5
commit 41cbf1e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -164,6 +164,11 @@ jobs:
           - os: ubuntu-20.04
             python-version: "3.6"
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
@@ -209,6 +214,11 @@ jobs:
       - diagnostics
       - test
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
@@ -262,6 +272,11 @@ jobs:
           - os: ubuntu-20.04
             python-version: "3.6"
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
@@ -316,6 +331,11 @@ jobs:
           - os: ubuntu-20.04
             python-version: "3.6"
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -37,6 +37,12 @@ jobs:
         # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
 
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4