[StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-01-23 02:35:38 +01:00 · 2025-09-19 15:26:57 +00:00 · 2025-09-19 15:26:57 +00:00 · b8eb76a946
commit b8eb76a946
parent c87eb79140
4 changed files with 32 additions and 7 deletions
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@ -13,18 +13,23 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'ohmyzsh/ohmyzsh'
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Authenticate as @ohmyzsh
        id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.OHMYZSH_APP_ID }}
          private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
      - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: "3.12"
          cache: "pip"
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@ -25,8 +25,13 @@ jobs:
          - ubuntu-latest
          - macos-latest
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Set up git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install zsh
        if: runner.os == 'Linux'
        run: sudo apt-get update; sudo apt-get install zsh
@ -41,8 +46,13 @@ jobs:
    needs:
      - test
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install Vercel CLI
        run: npm install -g vercel
      - name: Setup project and deploy
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -23,8 +23,13 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'ohmyzsh/ohmyzsh'
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Set up git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install zsh
        run: sudo apt-get update; sudo apt-get install zsh
      - name: Check syntax
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@ -16,9 +16,14 @@ jobs:
    runs-on: ubuntu-latest
    if: github.repository == 'ohmyzsh/ohmyzsh'
    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
      - name: Authenticate as @ohmyzsh
        id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
        with:
          app-id: ${{ secrets.OHMYZSH_APP_ID }}
          private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}