diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
index 99bb451ff8..2de6b1d13d 100644
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -6,6 +6,9 @@ on:
 - main
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 chromatic:
 name: Run Chromatic
diff --git a/.github/workflows/deploy-formbricks-cloud.yml b/.github/workflows/deploy-formbricks-cloud.yml
index 096cee1bba..a43f6e4501 100644
--- a/.github/workflows/deploy-formbricks-cloud.yml
+++ b/.github/workflows/deploy-formbricks-cloud.yml
@@ -43,11 +43,16 @@ jobs:
 helmfile-deploy:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Tailscale
- uses: tailscale/github-action@v3
+ uses: tailscale/github-action@84a3f23bb4d843bcf4da6cf824ec1be473daf4de # v3.2.3
 with:
 oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
 oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
@@ -66,7 +71,7 @@ jobs:
 env:
 AWS_REGION: eu-central-1
 
- - uses: helmfile/helmfile-action@v2
+ - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
 name: Deploy Formbricks Cloud Production
 if: inputs.ENVIRONMENT == 'production'
 env:
@@ -84,7 +89,7 @@ jobs:
 helmfile-auto-init: "false"
 helmfile-workdirectory: infra/formbricks-cloud-helm
 
- - uses: helmfile/helmfile-action@v2
+ - uses: helmfile/helmfile-action@712000e3d4e28c72778ecc53857746082f555ef3 # v2.0.4
 name: Deploy Formbricks Cloud Staging
 if: inputs.ENVIRONMENT == 'staging'
 env:
diff --git a/.github/workflows/docker-build-validation.yml b/.github/workflows/docker-build-validation.yml
index 5432bca79a..b8085f6f0e 100644
--- a/.github/workflows/docker-build-validation.yml
+++ b/.github/workflows/docker-build-validation.yml
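Review bot: The workflow-level `permissions: contents: read` added here (and in the release-docker-github.yml and terraform-plan-and-apply.yml hunks) becomes the default for every job in the file, so any job that needs more than read access must now declare it at job level, and none of the three hunks shows such a job-level block. Judging only by the file names, a job in release-docker-github.yml that publishes images will need `permissions: packages: write` (plus `id-token: write` if it signs or attests), and a terraform job that posts plan output on pull requests needs `pull-requests: write`; the job bodies are outside these hunks, so confirm against the full files. A dry run of each affected workflow after this change catches a missing job-level grant before it fails a release.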
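Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections; it blocks nothing, so in this deploy job a compromised action or dependency can still reach arbitrary hosts while the Tailscale OAuth secret shown in the hunk and whatever cloud credentials the later steps hold are in scope (the same applies to the docker-build-validation.yml, formbricks-release.yml, release-docker-github-experimental.yml and upload-sentry-sourcemaps.yml hunks). Once the audit insights show a stable host set, move to `egress-policy: block` with an `allowed-endpoints:` list (for example `github.com:443` plus the registry, Tailscale and Sentry hosts each job actually uses) and rename the step so it no longer says "Audit"; for this job, verify how block mode interacts with the Tailscale tunnel before enabling it. The SHA pins introduced here and in the helmfile-action hunks below only stay useful if an updater tracks the `# vX.Y.Z` comments — confirm a Dependabot `github-actions` entry or Renovate covers `.github/workflows`, which is not visible in this diff.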
@@ -39,14 +39,19 @@ jobs:
 --health-retries 5
 
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Checkout Repository
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
 - name: Build Docker Image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 env:
 GITHUB_SHA: ${{ github.sha }}
 with:
diff --git a/.github/workflows/formbricks-release.yml b/.github/workflows/formbricks-release.yml
index 2938f553b0..73f49787bf 100644
--- a/.github/workflows/formbricks-release.yml
+++ b/.github/workflows/formbricks-release.yml
@@ -47,8 +47,13 @@ jobs:
 - docker-build
 - deploy-formbricks-cloud
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 
diff --git a/.github/workflows/release-docker-github-experimental.yml b/.github/workflows/release-docker-github-experimental.yml
index c3c5eb831b..c2075da141 100644
--- a/.github/workflows/release-docker-github-experimental.yml
+++ b/.github/workflows/release-docker-github-experimental.yml
@@ -172,8 +172,13 @@ jobs:
 needs:
 - build
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 
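Review bot: Nothing in this hunk, nor in the formbricks-release.yml and release-docker-github-experimental.yml hunks that follow, adds the workflow-level `permissions:` block that chromatic.yml, release-docker-github.yml and terraform-plan-and-apply.yml receive in the same commit, so these workflows may still run with the repository's default token scope. The file headers are outside the hunks, so check whether a `permissions:` block already exists and, if not, add `permissions:` / `contents: read` at the top of each file so the hardening is consistent across the set. The Build Docker Image step hands `GITHUB_SHA: ${{ github.sha }}` to the action through `env:` rather than interpolating the expression into a script, which is the pattern to keep for any `run:` step that needs the same value.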
diff --git a/.github/workflows/release-docker-github.yml b/.github/workflows/release-docker-github.yml
index f3e9f2c56f..bf5593ba60 100644
--- a/.github/workflows/release-docker-github.yml
+++ b/.github/workflows/release-docker-github.yml
@@ -26,6 +26,9 @@ env:
 TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
 TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/terraform-plan-and-apply.yml b/.github/workflows/terraform-plan-and-apply.yml
index e9f047d0bf..2fb1c5aaab 100644
--- a/.github/workflows/terraform-plan-and-apply.yml
+++ b/.github/workflows/terraform-plan-and-apply.yml
@@ -14,6 +14,9 @@ on:
 paths:
 - "infra/terraform/**"
 
+permissions:
+ contents: read
+
 jobs:
 terraform:
 runs-on: ubuntu-latest
@@ -33,7 +36,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Tailscale
- uses: tailscale/github-action@v3
+ uses: tailscale/github-action@84a3f23bb4d843bcf4da6cf824ec1be473daf4de # v3.2.3
 with:
 oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
 oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
diff --git a/.github/workflows/upload-sentry-sourcemaps.yml b/.github/workflows/upload-sentry-sourcemaps.yml
index 62bd1aff9f..4e413a24ba 100644
--- a/.github/workflows/upload-sentry-sourcemaps.yml
+++ b/.github/workflows/upload-sentry-sourcemaps.yml
@@ -25,8 +25,13 @@ jobs:
 
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v4.2.2
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 