chore(ci): add Step Security Harden Runner to workflows in audit mode (#27168)

Signed-off-by: Eugene Doudine <eugene.doudine@octopus.com>
dudinea 2026-04-07 06:00:50 +03:00 committed by GitHub
parent 9a05e0e7f3
commit 364bd00647
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 188 additions and 4 deletions


@ -4,6 +4,10 @@ on:
permissions: {}
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
prepare-release:
permissions:
@ -12,6 +16,12 @@ jobs:
name: Automatically update major version
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
@ -86,4 +96,4 @@ jobs:
- [ ] Add an upgrade guide to the docs for this version
branch: bump-major-version
branch-suffix: random
signoff: true
signoff: true
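Review bot: The new top-level `env` entry is not what skips the step — the step itself is gated by `if: ${{ vars.disable_harden_runner != 'true' }}` — and its name `STEP_SECURITY_HARDEN_RUNNER` reads like an enable switch while its value is the *disable* flag, so the comment `# a workaround to disable harden runner` should say what consumes it, otherwise the next maintainer will delete one of the two mechanisms as redundant. Something like `# Mirrors repo variable disable_harden_runner; presumably read by harden-runner itself (confirm which variable the action honours) — the step-level if below is what actually skips the step` would carry that information. The default direction is worth stating too: with the variable unset the comparison is `'' != 'true'`, so the audit step runs unless the variable is explicitly set to true, which is the safe default. The same env/if pair is repeated verbatim in every other workflow in this commit (jobs cherry-pick, find-labels, changes, CodeQL-Build, publish, set-vars, prepare-release, Validate PR Title, argocd-image, renovate, analysis, stale, snyk-report), so one wording fix applies across all of them; the prepare-release job at the top of this file is not in any hunk, so I cannot tell whether it received the step.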


@ -25,11 +25,21 @@ on:
CHERRYPICK_APP_PRIVATE_KEY:
required: true
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
cherry-pick:
name: Cherry Pick to ${{ inputs.version_number }}
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Generate a token
id: generate-token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0


@ -6,6 +6,10 @@ on:
- master
types: ["labeled", "closed"]
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
find-labels:
name: Find Cherry Pick Labels
@ -18,6 +22,12 @@ jobs:
outputs:
labels: ${{ steps.extract-labels.outputs.labels }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Extract cherry-pick labels
id: extract-labels
run: |
@ -50,4 +60,4 @@ jobs:
pr_title: ${{ github.event.pull_request.title }}
secrets:
CHERRYPICK_APP_ID: ${{ vars.CHERRYPICK_APP_ID }}
CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
CHERRYPICK_APP_PRIVATE_KEY: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}


@ -15,6 +15,8 @@ env:
# Golang version to use across CI steps
# renovate: datasource=golang-version packageName=golang
GOLANG_VERSION: '1.26.1'
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@ -31,6 +33,11 @@ jobs:
frontend: ${{ steps.filter.outputs.frontend_any_changed }}
docs: ${{ steps.filter.outputs.docs_any_changed }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
id: filter
@ -54,6 +61,11 @@ jobs:
needs:
- changes
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Golang
@ -74,6 +86,11 @@ jobs:
needs:
- changes
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Golang
@ -105,6 +122,11 @@ jobs:
needs:
- changes
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Golang
@ -129,6 +151,11 @@ jobs:
GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Create checkout directory
run: mkdir -p ~/go/src/github.com/argoproj
- name: Checkout code
@ -197,6 +224,11 @@ jobs:
GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Create checkout directory
run: mkdir -p ~/go/src/github.com/argoproj
- name: Checkout code
@ -261,6 +293,11 @@ jobs:
needs:
- changes
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup Golang
@ -318,6 +355,11 @@ jobs:
needs:
- changes
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Setup NodeJS
@ -371,6 +413,11 @@ jobs:
sonar_secret: ${{ secrets.SONAR_TOKEN }}
codecov_secret: ${{ secrets.CODECOV_TOKEN }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
@ -456,6 +503,11 @@ jobs:
GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
with:
@ -578,6 +630,11 @@ jobs:
- changes
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- run: |
result="${{ needs.test-e2e.result }}"
# mark as successful even if skipped
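Review bot: In the three e2e jobs (hunks `@ -129`, `@ -197` and `@ -456`) the new harden-runner step is inserted under a job-level `env` that carries `GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}` and `GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}`, so both tokens are in the environment of a third-party action that, as far as the hunk shows, has no use for them. The exposure is pre-existing, but this commit widens the set of steps that see it; moving the two tokens to a step-level `env` on the steps that actually call GitHub/GitLab (outside these hunks) would narrow it to what each step needs. The SHA pin with the `# v2.16.0` comment is the right way to keep the added step reviewable, and placing it first in each `steps:` list is what lets it observe the whole job's egress. Each enclosing job continues outside its hunk.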


@ -28,6 +28,10 @@ concurrency:
permissions:
contents: read
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
CodeQL-Build:
permissions:
@ -39,6 +43,12 @@ jobs:
# CodeQL runs on ubuntu-latest and windows-latest
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
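Review bot: The pre-existing comment `# CodeQL runs on ubuntu-latest and windows-latest` directly above the new step no longer matches the job (`runs-on: ubuntu-24.04`), and the step added below it is, as far as I know, only supported on Ubuntu-hosted runners, so the comment now invites exactly the change that would break this job. Either drop that comment or rewrite it to state the constraint, e.g. `# Linux-only: harden-runner below requires an Ubuntu runner`. The rest of the CodeQL-Build job continues outside the hunk.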


@ -45,6 +45,10 @@ on:
permissions: {}
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
publish:
permissions:
@ -55,6 +59,12 @@ jobs:
outputs:
image-digest: ${{ steps.image.outputs.digest }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:


@ -15,6 +15,10 @@ concurrency:
permissions: {}
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
set-vars:
permissions:
@ -31,6 +35,12 @@ jobs:
ghcr_provenance_image: ${{ steps.image.outputs.ghcr_provenance_image }}
allow_ghcr_publish: ${{ steps.image.outputs.allow_ghcr_publish }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set image tag and names


@ -14,6 +14,10 @@ on:
permissions: {}
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
prepare-release:
permissions:
@ -28,6 +32,12 @@ jobs:
IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE || 'argoproj' }}
IMAGE_REPOSITORY: ${{ vars.IMAGE_REPOSITORY || 'argocd' }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:


@ -6,6 +6,10 @@ on:
permissions: {}
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
# PR updates can happen in quick succession leading to this
# workflow being trigger a number of times. This limits it
# to one run per PR.
@ -21,6 +25,12 @@ jobs:
name: Validate PR Title
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


@ -11,8 +11,10 @@ permissions: {}
env:
# renovate: datasource=golang-version packageName=golang
GOLANG_VERSION: '1.26.1' # Note: go-version must also be set in job argocd-image.with.go-version
GOLANG_VERSION: '1.26.1' # Note: go-version must also be set in job argocd-image.with.go-version
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
argocd-image:
needs: [setup-variables]
@ -47,6 +49,11 @@ jobs:
provenance_image: ${{ steps.var.outputs.provenance_image }}
allow_fork_release: ${{ steps.var.outputs.allow_fork_release }}
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:


@ -7,11 +7,21 @@ on:
permissions:
contents: read
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
renovate:
runs-on: ubuntu-24.04
if: github.repository == 'argoproj/argo-cd'
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Get token
id: get_token
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3


@ -14,6 +14,10 @@ concurrency:
# Declare default permissions as read only.
permissions: read-all
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
analysis:
name: Scorecards analysis
@ -29,6 +33,12 @@ jobs:
if: github.repository == 'argoproj/argo-cd'
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:


@ -8,10 +8,20 @@ permissions:
issues: write
pull-requests: write
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
stale:
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}


@ -7,6 +7,10 @@ on:
permissions:
contents: read
env:
# a workaround to disable harden runner
STEP_SECURITY_HARDEN_RUNNER: ${{ vars.disable_harden_runner }}
jobs:
snyk-report:
permissions:
@ -16,6 +20,12 @@ jobs:
name: Update Snyk report in the docs directory
runs-on: ubuntu-24.04
steps:
- name: Harden the runner (Audit all outbound calls)
if: ${{ vars.disable_harden_runner != 'true' }}
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
agent-enabled: "false"
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
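Review bot: The harden-runner step in the snyk-report job sets `agent-enabled: "false"`, which no other job in this commit does, and the hunk gives no reason for the divergence; if that input stops the agent from running, this job gets no audit coverage while still looking like it does, which is the kind of silent gap an audit rollout should make visible. Add a comment above that line stating why, e.g. `# agent disabled for this job: <reason — placeholder, fill in from the PR discussion>`, or drop the input so the job matches the other thirteen and let the audit log show whether it is actually a problem. I could not confirm from the hunk what the input does; the remaining steps of the job continue outside it.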