diff --git a/.github/workflows/bump-major-version.yaml b/.github/workflows/bump-major-version.yaml
index 393b1b5737bfc..7889be4da4d91 100644
--- a/.github/workflows/bump-major-version.yaml
+++ b/.github/workflows/bump-major-version.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/cherry-pick-single.yml b/.github/workflows/cherry-pick-single.yml
index f6987e1ebd4a1..c26231521a3af 100644
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
index 88a24966b1040..86716790a1792 100644
--- a/.github/workflows/cherry-pick.yml
+++ b/.github/workflows/cherry-pick.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 5b0b0797f592d..db6aea67e9d76 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -63,7 +63,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -88,7 +88,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -124,7 +124,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -153,7 +153,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Create checkout directory
@@ -226,7 +226,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Create checkout directory
@@ -295,7 +295,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -357,7 +357,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -415,7 +415,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
@@ -496,7 +496,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Free Disk Space (Ubuntu)
@@ -632,7 +632,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - run: |
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 35c2f6c43b4c9..4642bfa761412 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -45,7 +45,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml
index 9ddfd24fe5185..1e3453700ffab 100644
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -61,7 +61,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 64259e9ef8c47..8d2e6b4a334d2 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -37,7 +37,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/init-release.yaml b/.github/workflows/init-release.yaml
index d570e31db1dca..de9fcac3778ba 100644
--- a/.github/workflows/init-release.yaml
+++ b/.github/workflows/init-release.yaml
@@ -34,7 +34,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
index 57e3eef0306a0..1db331105a74f 100644
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -27,7 +27,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3f58da999bbda..d6470a560aeb8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -51,7 +51,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
 - name: Checkout code
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 72dc96601c60a..89da53fc573af 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Block unknown outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 disable-sudo-and-containers: "false" # renovatebot runs in `docker run`
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index e4bd116a41c46..c6cf2705b8d92 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -31,7 +31,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index de9a83bb286f5..f228134a72ed1 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Harden the runner (Block unknown outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 disable-sudo-and-containers: "true"
diff --git a/.github/workflows/update-snyk.yaml b/.github/workflows/update-snyk.yaml
index 7d07b2a3ed270..78d3abbdcd931 100644
--- a/.github/workflows/update-snyk.yaml
+++ b/.github/workflows/update-snyk.yaml
@@ -21,7 +21,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 # The entries are grouped according to their platforms
@@ -76,7 +76,7 @@ jobs:
 steps:
 - name: Harden the runner (Audit all outbound calls)
 if: ${{ vars.disable_harden_runner != 'true' }}
- uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 allowed-endpoints: >
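Review bot: In both update-snyk.yaml hunks (`@@ -21,7` and `@@ -76,7`) the step is named `Harden the runner (Audit all outbound calls)` while its `egress-policy` is `block`. The renovate.yaml and stale.yaml hunks name the same policy `Harden the runner (Block unknown outbound calls)`. The step name is the label shown in the job log, so someone triaging a failed network call in this workflow would read it as audit-only, and a later edit that aligns the policy with the name would weaken the control. I would rename both steps to `- name: Harden the runner (Block unknown outbound calls)` while these lines are being touched. The rest of each job, including the `allowed-endpoints` list, is outside the hunks.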