Add runner hardening to all jobs in our workflows

This aligns with what was done to the `lint` job of the build.yml workflow that was inherited from cisagov/skeleton-generic.
cisagov · Sep 13, 2023 · f02cde7 · f02cde7
1 parent 7eefae0
commit f02cde7
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -215,6 +215,11 @@ jobs:
       tags: ${{ steps.prep.outputs.tags }}
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Gather repository metadata
         id: repo
@@ -275,6 +280,11 @@ jobs:
       - prepare
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checkout
         uses: actions/checkout@v4
       - name: Set up QEMU
@@ -347,6 +357,11 @@ jobs:
       - build
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - id: setup-python
         uses: actions/setup-python@v4
@@ -402,6 +417,11 @@ jobs:
       packages: write
     runs-on: ubuntu-latest
     steps:
+      - id: harden-runner
+        name: Harden the runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Login to Docker Hub
         uses: docker/login-action@v2
         with: