chore: Harden GitHub Actions (#6373)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>
2026-02-20 10:09:20 -06:00 · 2025-08-07 04:33:42 -10:00
parent e80fc2ee61
commit f7aea2e706
8 changed files with 49 additions and 13 deletions
--- a/.github/workflows/docker-build-validation.yml
+++ b/.github/workflows/docker-build-validation.yml
@@ -39,14 +39,21 @@ jobs:
          --health-retries 5

    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
      - name: Checkout Repository
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        env:
          GITHUB_SHA: ${{ github.sha }}
        with: