diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e1dd48c..5869c9b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions:
+  contents: read
+
 jobs:
   version:
     name: Release
@@ -17,8 +20,13 @@ jobs:
       pull-requests: write
       id-token: write
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           submodules: recursive
@@ -35,7 +43,7 @@ jobs:
       # https://github.com/changesets/action#with-publishing
       - name: Handle Release Pull Request or Publish to npm
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         with:
           title: "chore: version packages 🔖"
           commit: "chore: version packages 🔖"
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 88c7b61..b9a5414 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -14,16 +14,21 @@ jobs:
     timeout-minutes: 5
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
         with:
           version: 8
       - name: Set up node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           cache: pnpm
           node-version: 18
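Review bot: The new workflow-level `permissions: contents: read` does not constrain the `version` job, because a job-level `permissions:` block (the `pull-requests: write` / `id-token: write` lines visible in the next hunk) replaces the workflow default rather than merging with it; the job's own `contents:` entry lies outside the hunk, so whether that job is scoped to the minimum it needs for the release PR cannot be checked here. A comment above the new block would make the intent clear: `# default token scope for jobs that declare no permissions block; the version job overrides it below`. verify.yml receives no equivalent top-level block in this diff; if it has none, its jobs run with the repository's default token scope and the same two lines belong at the top of that file too.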
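Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks nothing, so the release job's publish step (the changesets step later in this file) still runs with unrestricted network access; the same applies to the three verify.yml hunks (`@@ -14`, `@@ -40`, `@@ -66`). Once a few runs of audit data have been collected, the step should move to `egress-policy: block` with an `allowed-endpoints:` list naming only the hosts each job actually contacts, which is where the supply-chain value of this step comes from. Separately, the trailing `# v3.6.0`-style comments on the pinned `uses:` lines are not validated by the runner, only the SHA is, so they should be maintained by the same tooling that bumps the SHAs (Dependabot or Renovate), otherwise the comment and the pinned commit drift apart.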
@@ -40,16 +45,21 @@ jobs:
     timeout-minutes: 5
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
         with:
           version: 8
       - name: Set up node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           cache: pnpm
           node-version: 18
@@ -66,19 +76,24 @@ jobs:
     environment: verify
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Set up foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de # v1.4.0
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up pnpm
-        uses: pnpm/action-setup@v2
+        uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
         with:
           version: 8
       - name: Set up node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
         with:
           cache: pnpm
           node-version: 18
@@ -93,7 +108,7 @@ jobs:
       - name: 'Report Coverage'
         if: always() # Also generate the report if tests are failing
-        uses: davelosert/vitest-coverage-report-action@v2
+        uses: davelosert/vitest-coverage-report-action@8ab049ff5a2c6e78f78af446329379b318544a1a # v2.8.3
         with:
           name: "op-viem"
           working-directory: "."