Skip to content

πŸ”’οΈ Security hardening (Github Actions workflows) #367

πŸ”’οΈ Security hardening (Github Actions workflows)

πŸ”’οΈ Security hardening (Github Actions workflows) #367

# Copyright 2024
#
# Everyone is permitted to copy, distribute, modify, merge, sell, publish,
# sublicense or whatever the fuck they want with this software but at their
# OWN RISK.
# The author has absolutely no fucking clue what the code in this project
# does. It might just fucking work or not, there is no third option.
#
# IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
---
name: πŸ”’οΈ Security hardening (Github Actions workflows)
on:
merge_group: {}
pull_request:
types: [opened, synchronize]
paths: [.github/workflows/**]
permissions: {}
jobs:
ci_harden_security:
name: πŸ”’οΈ Github Action security hardening
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: ⬇️ Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: πŸ“„ Lint Github Actions
run: |
curl -O https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json
echo "::add-matcher::actionlint-matcher.json"
bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
./actionlint -color
- name: βœ… Ensure SHA pinned actions
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@40e45e738b3cad2729f599d8afc6ed02184e1dbd # v3.0.5