From 3634c52d0559c9e7366bcd130d8f840ac0ba5892 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]"
 <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Sat, 5 Apr 2025 07:15:49 +0000
Subject: [PATCH] [StepSecurity] Apply security best practicesSigned-off-by:
 StepSecurity Bot <bot@stepsecurity.io>. J:DEF-2843

---
 .github/workflows/backport.yml | 12 ++++++++-
 .github/workflows/ci.yml       | 48 +++++++++++++++++++++++++++-------
 .github/workflows/tag.yml      |  7 ++++-
 3 files changed, 55 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index ea4e9308..b09339ed 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -4,9 +4,14 @@ on:
     branches:
     - main
 
+permissions:
+  contents: read
+
 jobs:
 
   backport:
+    permissions:
+      contents: write  # for Git to git push
     name: Backport change to branch ${{ matrix.branch }}
     continue-on-error: true
     strategy:
@@ -17,8 +22,13 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
       with:
         fetch-depth: 0
     - name: Create a cherry-pick PR
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 596285e0..1a1d35f2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
     - release-*
     - v*
 
+permissions:
+  contents: read
+
 jobs:
 
   build-static:
@@ -19,13 +22,18 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
       with:
         go-version: ${{ matrix.go }}
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
     - name: Build
       run: |
         git submodule update --init
@@ -42,13 +50,18 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
       with:
         go-version: '1.17'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
     - name: Build
       run: |
         git submodule update --init
@@ -68,13 +81,18 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
       with:
         go-version: '1.17'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
     - name: Build libgit2 ${{ matrix.libgit2 }}
       run: |
         git submodule update --init
@@ -91,13 +109,18 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
       with:
         go-version: '1.17'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
     - name: Build libgit2
       run: |
         git submodule update --init
@@ -110,13 +133,18 @@ jobs:
     name: Check generated files were not modified
     runs-on: ubuntu-20.04
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Set up Go
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@0caeaed6fd66a828038c2da3c0f662a42862658f # v1.1.3
       with:
         go-version: '1.17'
       id: go
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
     - name: Install libgit2 build dependencies
       run: |
         git submodule update --init
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
index d9395282..f239c404 100644
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@@ -13,8 +13,13 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
+      with:
+        egress-policy: audit
+
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
       with:
         fetch-depth: 0
     - name: Bump version and push tag