[StepSecurity] ci: Harden GitHub Actions (#616)

step-security-bot · web-flow · commit 14d71d33e0f2 · 2024-12-22T01:01:52.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -10,10 +10,18 @@ env:
   CARGO_TERM_COLOR: always
   CARGO_PATCH_CRATES_IO_RSONPATH_LIB_GIT: https://github.com/V0ldek/rsonpath.git
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Force remove rsonpath-lib patch from Cargo.toml
       run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
@@ -36,7 +44,7 @@ jobs:
           target/
         key: cargo-${{ hashFiles('**/Cargo.toml') }}
     - name: Build all features
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: build
         args: --all-features
@@ -47,6 +55,11 @@ jobs:
     name: Clippy (stable)
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Force remove rsonpath-lib patch from Cargo.toml
       run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
@@ -69,14 +82,14 @@ jobs:
           target/
         key: cargo-${{ hashFiles('**/Cargo.toml') }}
     - name: Build all features
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: build
         args: --all-features
       env:
         RUSTFLAGS: "--deny warnings"
     - name: Clippy all features
-      uses: actions-rs/clippy-check@v1
+      uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # v1.0.7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         args: --all-features -- --deny warnings
@@ -87,6 +100,11 @@ jobs:
     name: Clippy (nightly)
     runs-on: ubuntu-latest
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Force remove rsonpath-lib patch from Cargo.toml
       run: sed -i '/^\[patch.crates-io\]/d' ./Cargo.toml && sed -i '/^rsonpath-lib = { path = .*$/d' ./Cargo.toml
@@ -109,21 +127,21 @@ jobs:
           target/
         key: cargo-${{ hashFiles('**/Cargo.toml') }}
     - name: Rustup nightly toolchain
-      uses: actions-rs/toolchain@v1
+      uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
       with:
         toolchain: nightly
         components: clippy, rustfmt
         override: true
         default: true
     - name: Build all features
-      uses: actions-rs/cargo@v1
+      uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
       with:
         command: build
         args: --all-features
       env:
         RUSTFLAGS: "--deny warnings"
     - name: Clippy all features
-      uses: actions-rs/clippy-check@v1
+      uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # v1.0.7
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         args: --all-features -- --deny warnings
