diff --git a/.github/workflows/POC-detections-gh-hosted.yml b/.github/workflows/POC-detections-gh-hosted.yml
index 0f7aa68f..e921ba39 100644
--- a/.github/workflows/POC-detections-gh-hosted.yml
+++ b/.github/workflows/POC-detections-gh-hosted.yml
@@ -20,12 +20,12 @@ jobs:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Execute tj-action
 run: |
@@ -94,11 +94,11 @@ jobs:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Generate a registration token for attacker repo
 run: |
 response=$(curl -X POST -H "Authorization: token github_pat_dummy_token" \
@@ -108,7 +108,7 @@ jobs:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
@@ -119,7 +119,7 @@ jobs:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
@@ -131,11 +131,11 @@ jobs:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Decode and print private key
 env:
@@ -154,17 +154,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
 - name: Checkout code
- uses: actions/checkout@v3
- - uses: step-security/dummy-imposter-commit-action@v1
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: step-security/dummy-imposter-commit-action@891dbcd4d1bf6c2ac2a7b9d8d6656583f3b5cc9a # v1
 unauthorized-outbound-call:
 if: ${{ github.event.inputs.run_only_anomalous != 'true' }}
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: block
 allowed-endpoints: >
@@ -172,7 +172,7 @@ jobs:
 goreleaser.com:443
 www.google.com:443
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Run outbound calls from host
 run: |
@@ -213,12 +213,12 @@ jobs:
 # echo "All 100 baseline runs triggered!"
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
 egress-policy: audit
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Run outbound calls from host
 run: |
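Review bot: The added `actions/checkout` line in this hunk pins the v3.6.0 commit (`f43a0e5f…`) while the jobs earlier in the same file (hunks at -20 and -94) pin the same action to v4.3.1, so the file now freezes two release lines of one action by SHA; the hunks at -154, -172 and -213 do the same. Pinning by commit is the right move, but it should not lock in the older v3 line, which to my knowledge still runs on the Node 16 runtime GitHub has deprecated, when the newer line is already used and vetted in this file. Unless these jobs deliberately exercise an older action version as part of the POC, change the added line in each of these hunks to `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1`; if the v3 reference is intentional, a comment above the step such as `# intentionally kept on the v3 line for this POC; do not bump` would stop the next reviewer from raising it again. The enclosing job starts and ends outside the hunk.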
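Review bot: The pin comment on the added `step-security/dummy-imposter-commit-action@891dbcd4…` line reads `# v1`, a major tag rather than a release, whereas every other pin in this file records the exact release (`# v2.19.1`, `# v3.6.0`), so neither a reader nor a comment-driven updater can tell which release, if any, that commit corresponds to. If the action has a release tag for that commit, record it in the comment; if the job intentionally references a commit that is not on any tagged release (the step and job names suggest this is the imposter-commit detection POC), say so explicitly, e.g. `# deliberately a non-release commit for the imposter-commit POC; do not bump`. The job this step belongs to starts outside the hunk.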