Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[StepSecurity] Apply security best practices (#4684)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
StepSecurity Bot 1 year ago
parent
1b8d9344bc
commit
5181d036fa
4 changed files with 43 additions and 0 deletions
Split View Show Diff Stats
  1. 27 0
      .github/workflows/dependency-review.yml
  2. 5 0
      .github/workflows/helm.yml
  3. 3 0
      .github/workflows/publish.yml
  4. 8 0
      .github/workflows/release.yml

+ 27 - 0
.github/workflows/dependency-review.yml
View File 

@@ -0,0 +1,27 @@
 
+# Dependency Review Action
 
+#
 
+# This Action will scan dependency manifest files that change as part of a Pull Request,
 
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
 
+# Once installed, if the workflow run is marked as required,
 
+# PRs introducing known-vulnerable packages will be blocked from merging.
 
+#
 
+# Source repository: https://github.com/actions/dependency-review-action
 
+name: 'Dependency Review'
 
+on: [pull_request]
 
+
 
+permissions:
 
+  contents: read
 
+
 
+jobs:
 
+  dependency-review:
 
+    runs-on: ubuntu-latest
 
+    steps:
 
+      - name: Harden the runner (Audit all outbound calls)
 
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 
+        with:
 
+          egress-policy: audit
 
+
 
+      - name: 'Checkout Repository'
 
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: 'Dependency Review'
 
+        uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4

+ 5 - 0
.github/workflows/helm.yml
View File 

@@ -81,6 +81,11 @@ jobs:
 
       github.ref == 'refs/heads/main' ||
 
       startsWith(github.ref, 'refs/heads/release-')
 
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
 
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 
+        with:
 
+          egress-policy: audit
 
+
 
       - name: Checkout
 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
         with:

+ 3 - 0
.github/workflows/publish.yml
View File 

@@ -44,6 +44,9 @@ env:
 
   DOCKERFILE: ${{ inputs.dockerfile }}
 
   IS_FORK: ${{ secrets.IS_FORK }}
 
 
+permissions:
 
+  contents: read
 
+
 
 jobs:
 
   build-publish:
 
     name: Build and Publish

+ 8 - 0
.github/workflows/release.yml
View File 

@@ -15,6 +15,9 @@ on:
 
 env:
 
   IMAGE_NAME: ghcr.io/${{ github.repository }}
 
 
+permissions:
 
+  contents: read
 
+
 
 jobs:
 
   release:
 
     name: Create Release
 
@@ -22,6 +25,11 @@ jobs:
 
     permissions:
 
       contents: write # to create a release and push new docs
 
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
 
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
 
+        with:
 
+          egress-policy: audit
 
+
 
       - name: Checkout
 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
         with: