diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 11c0ad0ef..3f448fe64 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -13,18 +13,23 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }} - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.12" cache: "pip" diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml index 9e933350f..2d1de706a 100644 --- a/.github/workflows/installer.yml +++ b/.github/workflows/installer.yml @@ -25,8 +25,13 @@ jobs: - ubuntu-latest - macos-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Set up git repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install zsh if: runner.os == 'Linux' run: sudo apt-get update; sudo apt-get install zsh @@ -41,8 +46,13 @@ jobs: needs: - test steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install Vercel CLI run: npm install -g vercel - name: Setup project and deploy diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c49324495..b48a3d32b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,8 +23,13 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Set up git repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Install zsh run: sudo apt-get update; sudo apt-get install zsh - name: Check syntax diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index 8fd4e15d4..ba971db15 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -16,9 +16,14 @@ jobs: runs-on: ubuntu-latest if: github.repository == 'ohmyzsh/ohmyzsh' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Authenticate as @ohmyzsh id: generate-token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 with: app-id: ${{ secrets.OHMYZSH_APP_ID }} private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}