diff --git a/.github/workflows/lf-build-linux-aarch64.yml b/.github/workflows/lf-build-linux-aarch64.yml
index 2edcaa20f..abf180570 100644
--- a/.github/workflows/lf-build-linux-aarch64.yml
+++ b/.github/workflows/lf-build-linux-aarch64.yml
@@ -33,6 +33,11 @@ jobs:
 steps:
 # Transform the space‐separated string into a valid JSON array using shell commands (with sed),
 # then pass that result as an output to be used in the matrix of a subsequent job.
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - id: set-matrix
 run: |
 # Grab the space-separated input value
@@ -141,8 +146,13 @@ jobs:
 - 'ubuntu-24.04-arm'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: 'Download all artifacts'
- uses: 'actions/download-artifact@v4'
+ uses: 'actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8'
 with:
 path: '/tmp/artifacts'
diff --git a/.github/workflows/lf-build-linux-x86_64.yml b/.github/workflows/lf-build-linux-x86_64.yml
index 32fcd54db..2720412e9 100644
--- a/.github/workflows/lf-build-linux-x86_64.yml
+++ b/.github/workflows/lf-build-linux-x86_64.yml
@@ -33,6 +33,11 @@ jobs:
 steps:
 # Transform the space‐separated string into a valid JSON array using shell commands (with sed),
 # then pass that result as an output to be used in the matrix of a subsequent job.
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - id: set-matrix
 run: |
 # Grab the space-separated input value
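Review bot: The harden-runner step inserted ahead of `set-matrix` runs with `egress-policy: audit`, which only records the job's outbound connections and blocks none of them, so a compromised dependency or tool fetched during the build would be logged rather than stopped. That is a sensible baseline, but the tightening step should be recorded somewhere: once the audit reports show the destinations the job legitimately needs, switch to `egress-policy: block` together with an `allowed-endpoints:` list. The same audit-only step is added in the second hunk of this file and in both hunks of lf-build-linux-x86_64.yml, so one decision covers all four. A comment above the step would make the intent explicit, e.g. `# Audit-only for now; move to egress-policy: block once the baseline traffic is known.` The enclosing job definition starts outside the hunk.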
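Review bot: On the new download-artifact `uses:` line the version note sits inside the single-quoted scalar, so `# v4.1.8` is part of the string value rather than a YAML comment, and the runner receives a ref of `fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8`; I would expect that to fail to resolve rather than pin anything. Close the quote before the comment: `uses: 'actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16' # v4.1.8`. The same quoting appears in the second hunk of lf-build-linux-x86_64.yml and in both signpath hunks of lf-build-windows-x86_64.yml, where `# v1.1` is likewise inside the quotes; the unquoted harden-runner lines are fine as written. The enclosing job definition starts outside the hunk.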
@@ -141,8 +146,13 @@ jobs:
 - 'ubuntu-24.04'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+ with:
+ egress-policy: audit
+
 - name: 'Download all artifacts'
- uses: 'actions/download-artifact@v4'
+ uses: 'actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8'
 with:
 path: '/tmp/artifacts'
diff --git a/.github/workflows/lf-build-windows-x86_64.yml b/.github/workflows/lf-build-windows-x86_64.yml
index 94386d9e8..dca08dd60 100644
--- a/.github/workflows/lf-build-windows-x86_64.yml
+++ b/.github/workflows/lf-build-windows-x86_64.yml
@@ -105,7 +105,7 @@ jobs:
 name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-compiled.${{ env.LFMP_ARCH }}"
 - name: 'Sign the compiled plugins'
- uses: 'signpath/github-action-submit-signing-request@v1.1'
+ uses: 'signpath/github-action-submit-signing-request@3c306158facd969ebdb385c6845dee38afc2ebf9 # v1.1'
 with:
 api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
 organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
@@ -154,7 +154,7 @@ jobs:
 name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-packaged.${{ env.LFMP_ARCH }}"
 - name: 'Sign the package'
- uses: 'signpath/github-action-submit-signing-request@v1.1'
+ uses: 'signpath/github-action-submit-signing-request@3c306158facd969ebdb385c6845dee38afc2ebf9 # v1.1'
 with:
 api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
 organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
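Review bot: The Windows workflow receives the SHA pins for the signpath action but, unlike the two Linux workflows in this change, no runner-hardening step, so the signing jobs that use `secrets.SIGNPATH_API_TOKEN` still run without any egress audit. If that is deliberate because harden-runner is not available on the chosen Windows runner, a one-line comment above the job's steps saying so would save the next reviewer from re-raising it; if it is an oversight, the same audit step belongs here. This applies to both hunks of lf-build-windows-x86_64.yml, whose enclosing jobs start outside the hunk.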