diff --git a/.github/workflows/bump-major-version.yaml b/.github/workflows/bump-major-version.yaml
index 08739ff045..8e5a2e5ce2 100644
--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/cherry-pick-single.yml b/.github/workflows/cherry-pick-single.yml
index c11f6abd1f..1b33afda5f 100644
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index fa11e21a78..8d481c93b2 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 1220218fc6..c93cf3b56b 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -63,7 +63,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -88,7 +88,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -124,7 +124,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -153,7 +153,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Create checkout directory
@@ -226,7 +226,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Create checkout directory
@@ -295,7 +295,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -357,7 +357,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -415,7 +415,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
@@ -496,7 +496,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Free Disk Space (Ubuntu)
@@ -632,7 +632,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4357e817bb..4da2f30899 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,7 +45,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml
index 5b10295eb7..d35039e640 100644
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index e1d15dba09..21bb310190 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/init-release.yaml b/.github/workflows/init-release.yaml
index 706704215c..79b2e112f2 100644
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -34,7 +34,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
index 0a8f1c9053..627add5832 100644
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 037da76d78..4acd04cbe1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -51,7 +51,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 - name: Checkout code
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 953d88203c..64daff5150 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Block unknown outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: block
 disable-sudo-and-containers: "false" # renovatebot runs in `docker run`
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index 33e526ed01..6e6a4ec41b 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -31,7 +31,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 0e7cfdf37d..f783664f1d 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Block unknown outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: block
 disable-sudo-and-containers: "true"
diff --git a/.github/workflows/update-snyk.yaml b/.github/workflows/update-snyk.yaml
index 9c5576b55a..0dd8902870 100644
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+ uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
 with:
 egress-policy: audit
 agent-enabled: "false"