diff --git a/.github/workflows/latest-npm.yml b/.github/workflows/latest-npm.yml
index b616158..b66c605 100644
--- a/.github/workflows/latest-npm.yml
+++ b/.github/workflows/latest-npm.yml
@@ -8,6 +8,12 @@ jobs:
 outputs:
 latest: ${{ steps.set-matrix.outputs.requireds }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ iojs.org:443
+ nodejs.org:443
 - uses: ljharb/actions/node/matrix@main
 id: set-matrix
 with:
@@ -39,6 +45,14 @@ jobs:
 - node-version: "0.10"
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
+ iojs.org:443
+ nodejs.org:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 - uses: ljharb/actions/node/install@main
 name: 'nvm install-latest-npm'
@@ -55,4 +69,8 @@ jobs:
 needs: [nodes]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: block
 - run: 'echo tests completed'
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 32f279d..62fc960 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,12 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 - uses: ljharb/actions/node/install@main
 name: 'nvm install ${{ matrix.node-version }} && npm install'
@@ -20,6 +26,14 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ ghcr.io:443
+ github.com:443
+ pkg-containers.githubusercontent.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 - uses: ljharb/actions/node/install@main
 name: 'nvm install ${{ matrix.node-version }} && npm install'
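Review bot: `uses: step-security/harden-runner@v1` on the new step resolves a mutable major tag at every run, so the step meant to constrain the runner is itself fetched as whatever that tag currently points to; pin it to a full commit SHA and keep the version in a trailing comment, `uses: step-security/harden-runner@<full-commit-sha>  # v1` (placeholder — take the SHA from the release you tested). The same line recurs in the other two latest-npm.yml hunks and in the lint.yml, rebase.yml, release.yml, require-allow-edits.yml, shellcheck.yml and toc.yml hunks, so fix them together. Where only `allowed-endpoints` is given, as here, whether the list is enforced or merely audited depends on the action's default egress mode, which the hunk leaves implicit; writing `egress-policy: block` next to `allowed-endpoints:` states the intent explicitly, as the two "tests completed" jobs in this diff already do. The value under `allowed-endpoints:` is a plain multi-line scalar that YAML folds into one space-separated string, which appears to be what the action consumes, but a `|` block scalar would make the one-endpoint-per-line layout deliberate rather than a folding accident. The job these steps belong to starts above the hunk.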
@@ -32,6 +46,12 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
+ nodejs.org:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 - uses: ljharb/actions/node/install@main
 name: 'nvm install ${{ matrix.node-version }} && npm install'
@@ -44,6 +64,10 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
 - uses: actions/checkout@v2
 - name: check tests filenames
 run: ./rename_test.sh --check
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index e97e6a9..9f48710 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -11,6 +11,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ api.github.com:443
+ github.com:443
 - uses: actions/checkout@v2
 - uses: ljharb/rebase@master
 env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dfd9969..52c133d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,12 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 - uses: actions/setup-node@v2
 with:
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
index b92dcd5..427eecb 100644
--- a/.github/workflows/require-allow-edits.yml
+++ b/.github/workflows/require-allow-edits.yml
@@ -11,6 +11,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ api.github.com:443
 - uses: ljharb/require-allow-edits@main
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
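Review bot: The release job's allowlist (`github.com:443`, `registry.npmjs.org:443`) may be too narrow for the `actions/setup-node@v2` step that follows it: when the requested Node version is not already in the runner's toolcache, setup-node downloads a build from hosts outside this list, and with blocking in effect that step would fail rather than publish. Run the job once with `egress-policy: audit`, copy the endpoints the action actually reports into `allowed-endpoints:`, and only then switch to `egress-policy: block`. The job this hunk belongs to starts above it.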
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 7b375a8..aafcb7f 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -26,9 +26,18 @@ jobs:
 file: nvm-exec # only runs in bash
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ ghcr.io:443
+ github.com:443
+ pkg-containers.githubusercontent.com:443
 - uses: actions/checkout@v2
 - name: Install shellcheck
 run: brew install shellcheck
+ env:
+ HOMEBREW_NO_ANALYTICS: 1
 - run: "shellcheck --version"
 - name: Run shellcheck on ${{ matrix.file }}
 run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }}
@@ -39,4 +48,8 @@ jobs:
 needs: [shellcheck_matrix]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ egress-policy: block
 - run: 'echo tests completed'
diff --git a/.github/workflows/toc.yml b/.github/workflows/toc.yml
index 60ed577..6a0fa6d 100644
--- a/.github/workflows/toc.yml
+++ b/.github/workflows/toc.yml
@@ -11,6 +11,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v1
+ with:
+ allowed-endpoints:
+ github.com:443
+ registry.npmjs.org:443
 - uses: actions/checkout@v2
 with:
 # https://github.com/actions/checkout/issues/217#issue-599945005
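Review bot: `HOMEBREW_NO_ANALYTICS: 1` is an unquoted integer; GitHub Actions stringifies env values so it works, but `HOMEBREW_NO_ANALYTICS: "1"` keeps the YAML type unambiguous for any other tooling that reads the file. The three allowed endpoints look chosen for Homebrew's bottle download path, and disabling analytics fits that; `brew install` may still auto-update the tap from github.com, which is listed, but a formula or bottle served from any other host would be blocked once the policy is enforced, so confirm the set against an audit run of this matrix job. The matrix job these steps belong to starts above the hunk.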