From 44ff858aae4bfbe151690c63248478a20711830c Mon Sep 17 00:00:00 2001 From: Maria Zhelezova Date: Tue, 7 Jan 2025 13:08:27 +0100 Subject: [PATCH 1/3] Add Harden Runner step to various workflows --- .github/workflows/CreateBuildTag.yaml | 5 +++++ .github/workflows/PowerShell.yaml | 10 ++++++++++ .github/workflows/UpdateALGoOnOfficialBranches.yaml | 10 ++++++++++ .github/workflows/UpdateBCArtifactVersion.yaml | 12 +++++++++++- .github/workflows/UpdatePackageVersions.yaml | 10 ++++++++++ .github/workflows/VerifyAppChanges.yaml | 5 +++++ .github/workflows/WorkitemValidation.yaml | 10 ++++++++++ .github/workflows/scorecard-analysis.yml | 5 +++++ 8 files changed, 66 insertions(+), 1 deletion(-) diff --git a/.github/workflows/CreateBuildTag.yaml b/.github/workflows/CreateBuildTag.yaml index 692fa9f34a..0fe76cf829 100644 --- a/.github/workflows/CreateBuildTag.yaml +++ b/.github/workflows/CreateBuildTag.yaml @@ -17,6 +17,11 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/PowerShell.yaml b/.github/workflows/PowerShell.yaml index 7693e3f9f2..8248834d78 100644 --- a/.github/workflows/PowerShell.yaml +++ b/.github/workflows/PowerShell.yaml @@ -21,6 +21,11 @@ jobs: permissions: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run PSScriptAnalyzer 
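Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections, it does not restrict them, so the step adds visibility but no enforcement; the same configuration is added in every hunk of this patch (PowerShell, UpdateALGoOnOfficialBranches, UpdateBCArtifactVersion, UpdatePackageVersions, VerifyAppChanges, WorkitemValidation, scorecard-analysis), so this note covers all of them. A comment above the step would stop the next maintainer from assuming egress is blocked, e.g. `# Audit-only: logs outbound traffic without blocking it; move to egress-policy: block with an allowed-endpoints list once the audit data shows which hosts the job needs.` This job's `runs-on` line is outside the hunk, so whether the runner OS is one the action instruments cannot be confirmed from here.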
@@ -41,6 +46,11 @@ jobs: name: Run PS Tests runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run PS Tests diff --git a/.github/workflows/UpdateALGoOnOfficialBranches.yaml b/.github/workflows/UpdateALGoOnOfficialBranches.yaml index 824bd68847..10dcf3de55 100644 --- a/.github/workflows/UpdateALGoOnOfficialBranches.yaml +++ b/.github/workflows/UpdateALGoOnOfficialBranches.yaml @@ -15,6 +15,11 @@ jobs: outputs: updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Get Official Branches id: getOfficialBranches uses: microsoft/BCApps/.github/actions/GetGitBranches@main @@ -32,6 +37,11 @@ jobs: branch: ${{ fromJson(needs.GetBranches.outputs.updateBranches) }} fail-fast: false steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Update AL-Go System Files env: GH_TOKEN: ${{ secrets.GHTOKENWORKFLOW }} diff --git a/.github/workflows/UpdateBCArtifactVersion.yaml b/.github/workflows/UpdateBCArtifactVersion.yaml index c1ce563681..0ffb12e6ad 100644 --- a/.github/workflows/UpdateBCArtifactVersion.yaml +++ b/.github/workflows/UpdateBCArtifactVersion.yaml @@ -19,6 +19,11 @@ jobs: outputs: updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Get Official Branches id: getOfficialBranches uses: microsoft/BCApps/.github/actions/GetGitBranches@main 
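Review bot: The Run PS Tests job shows `runs-on: windows-latest` in this hunk's context, and to my understanding Harden Runner instruments only Linux runners, so the step added here is likely a no-op that still pins a dependency into the job; the Verify App Changes hunk in VerifyAppChanges.yaml has the same `windows-latest` context and the same concern. The later commit in this series removes the step from these jobs, which is consistent with that reading. If any Windows job keeps the step in future, a comment such as `# Harden Runner has no effect on Windows runners` next to it would document the limitation. The job definition starts above the hunk.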
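Review bot: The Update AL-Go System Files step in this hunk runs with `GH_TOKEN: ${{ secrets.GHTOKENWORKFLOW }}` (visible in context), which makes this the job in the patch where an enforcing egress policy matters most; in `audit` mode the new Harden Runner step would only log, not prevent, an outbound connection made by a compromised dependency while that token is in the environment. Consider treating this job as the first candidate for `egress-policy: block` with an `allowed-endpoints` list once the audit output shows what it contacts, and record that plan in a comment on the step, e.g. `# TODO: switch to egress-policy: block for this job; it holds a PAT in GH_TOKEN.` The step's `with:`/`run:` body continues past the end of the hunk.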
@@ -39,8 +44,13 @@ jobs: branch: ${{ fromJson(needs.GetBranches.outputs.updateBranches) }} fail-fast: false steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ matrix.branch }} diff --git a/.github/workflows/UpdatePackageVersions.yaml b/.github/workflows/UpdatePackageVersions.yaml index 11836708fa..bc0048bfb4 100644 --- a/.github/workflows/UpdatePackageVersions.yaml +++ b/.github/workflows/UpdatePackageVersions.yaml @@ -19,6 +19,11 @@ jobs: outputs: updateBranches: ${{ steps.getOfficialBranches.outputs.branchesJson }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Get Official Branches id: getOfficialBranches uses: microsoft/BCApps/.github/actions/GetGitBranches@main @@ -38,6 +43,11 @@ jobs: branch: ${{ fromJson(needs.GetBranches.outputs.updateBranches) }} fail-fast: false steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/VerifyAppChanges.yaml b/.github/workflows/VerifyAppChanges.yaml index c252ea95db..5c01385ffb 100644 --- a/.github/workflows/VerifyAppChanges.yaml +++ b/.github/workflows/VerifyAppChanges.yaml @@ -13,6 +13,11 @@ jobs: runs-on: windows-latest name: Verify App Changes steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
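Review bot: The `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` line under the Checkout step is removed and re-added with identical text, so the only difference is whitespace that this rendering does not show; it is the single deletion in the diffstat and is unrelated to the Harden Runner addition. If it corrects the step's indentation it is worth keeping, but stating that in the commit message, or splitting it into its own commit, would keep the security change single-purpose and easier to audit later. The job's `runs-on` line is outside this hunk, so it is not possible to tell from here whether this matrix job runs on an OS the action supports.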
diff --git a/.github/workflows/WorkitemValidation.yaml b/.github/workflows/WorkitemValidation.yaml index 6b4265f850..296d27b980 100644 --- a/.github/workflows/WorkitemValidation.yaml +++ b/.github/workflows/WorkitemValidation.yaml @@ -19,6 +19,11 @@ jobs: name: 'Validate link to issues' runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -34,6 +39,11 @@ jobs: runs-on: ubuntu-latest needs: GitHubIssueValidation steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 3ca2b145b2..b8a8a052f1 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml @@ -17,6 +17,11 @@ jobs: id-token: write # Needed for GitHub OIDC token if publish_results is true steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From d860436a92358fce9603f4a967ba158f436dc8e3 Mon Sep 17 00:00:00 2001 From: Maria Zhelezova Date: Thu, 9 Jan 2025 10:34:13 +0100 Subject: [PATCH 2/3] Remove Harden Runner step from jobs that run on windows-latest --- .github/workflows/PowerShell.yaml | 5 ----- .github/workflows/UpdateBCArtifactVersion.yaml | 5 ----- .github/workflows/UpdatePackageVersions.yaml | 5 ----- .github/workflows/VerifyAppChanges.yaml | 5 ----- 4 files changed, 20 deletions(-) 
diff --git a/.github/workflows/PowerShell.yaml b/.github/workflows/PowerShell.yaml index 8248834d78..8bae7d2b53 100644 --- a/.github/workflows/PowerShell.yaml +++ b/.github/workflows/PowerShell.yaml @@ -46,11 +46,6 @@ jobs: name: Run PS Tests runs-on: windows-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run PS Tests diff --git a/.github/workflows/UpdateBCArtifactVersion.yaml b/.github/workflows/UpdateBCArtifactVersion.yaml index 0ffb12e6ad..db5af2e656 100644 --- a/.github/workflows/UpdateBCArtifactVersion.yaml +++ b/.github/workflows/UpdateBCArtifactVersion.yaml @@ -44,11 +44,6 @@ jobs: branch: ${{ fromJson(needs.GetBranches.outputs.updateBranches) }} fail-fast: false steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/UpdatePackageVersions.yaml b/.github/workflows/UpdatePackageVersions.yaml index bc0048bfb4..f57a05e6e1 100644 --- a/.github/workflows/UpdatePackageVersions.yaml +++ b/.github/workflows/UpdatePackageVersions.yaml @@ -43,11 +43,6 @@ jobs: branch: ${{ fromJson(needs.GetBranches.outputs.updateBranches) }} fail-fast: false steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/VerifyAppChanges.yaml b/.github/workflows/VerifyAppChanges.yaml index 5c01385ffb..c252ea95db 100644 --- a/.github/workflows/VerifyAppChanges.yaml +++ b/.github/workflows/VerifyAppChanges.yaml 
@@ -13,11 +13,6 @@ jobs: runs-on: windows-latest name: Verify App Changes steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From b31db2391fee2dbc6c233696ce57cefa3a1194c1 Mon Sep 17 00:00:00 2001 From: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com> Date: Thu, 9 Jan 2025 23:29:53 +0100 Subject: [PATCH 3/3] Remove Harden Runner step from workflow --- .github/workflows/CreateBuildTag.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/CreateBuildTag.yaml b/.github/workflows/CreateBuildTag.yaml index 0fe76cf829..692fa9f34a 100644 --- a/.github/workflows/CreateBuildTag.yaml +++ b/.github/workflows/CreateBuildTag.yaml @@ -17,11 +17,6 @@ jobs: permissions: contents: write steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2