diff --git a/.github/workflows/AddLabel.yaml b/.github/workflows/AddLabel.yaml
index 0d1808950c1..07c78650c32 100644
--- a/.github/workflows/AddLabel.yaml
+++ b/.github/workflows/AddLabel.yaml
@@ -31,6 +31,11 @@ jobs: needs: solutionPublisherDetail if: ${{ github.actor != 'dependabot[bot]' && needs.solutionPublisherDetail.outputs.solutionPublisherId != '' && !contains(fromJson(vars.INTERNAL_PUBLISHERS),needs.solutionPublisherDetail.outputs.solutionPublisherId) }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/IssueComment.yml b/.github/workflows/IssueComment.yml
index 2ca3a61de60..36a3ccfd90d 100644
--- a/.github/workflows/IssueComment.yml
+++ b/.github/workflows/IssueComment.yml
@@ -14,6 +14,11 @@ jobs: permissions: issues: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/ScanSecrets.yaml b/.github/workflows/ScanSecrets.yaml
index 9be18941871..b576cf3f253 100644
--- a/.github/workflows/ScanSecrets.yaml
+++ b/.github/workflows/ScanSecrets.yaml
@@ -7,6 +7,11 @@ jobs: Scan_Secrets_in_commit: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@v4 with:
diff --git a/.github/workflows/addComment.yaml b/.github/workflows/addComment.yaml
index d0cbcd76288..78e3533b3f2 100644
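Review bot: `egress-policy: audit` only records the runner's outbound connections; nothing is blocked, so the step as added does not yet stop a compromised dependency or action from reaching an arbitrary host. The same five lines are added to every hunk in this change (AddLabel.yaml through yaml-syntax-validation.yaml, including the five jobs in runAsimSchemaAndDataTesters.yaml), so this note covers all of them. Once the audit reports have settled, tighten to `egress-policy: block` with an `allowed-endpoints:` list built from those reports, and rename the step to match, e.g. `- name: Harden the runner (Block unlisted outbound calls)`. Worth noting alongside: the new step is SHA-pinned with a version comment, while several neighbouring steps visible in these hunks still use mutable tags (`actions/checkout@v4`, `@v3`, `@v1`, `peter-evans/find-comment@v3`, `actions/setup-dotnet@v4`), which audit mode will only log, not prevent.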
--- a/.github/workflows/addComment.yaml
+++ b/.github/workflows/addComment.yaml
@@ -18,6 +18,11 @@ jobs: comment: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/addCommentOnPackagedPR.yaml b/.github/workflows/addCommentOnPackagedPR.yaml
index 7545e29d3d7..5288608cb6c 100644
--- a/.github/workflows/addCommentOnPackagedPR.yaml
+++ b/.github/workflows/addCommentOnPackagedPR.yaml
@@ -16,6 +16,11 @@ jobs: pull-requests: write contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/github-script@29423367f079522048aa7c63f671593b0556ffd5 id: addComment with:
diff --git a/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml b/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
index 9e77e0b9a52..26f9861bbae 100644
--- a/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
+++ b/.github/workflows/addCommentToRemindUpdatingTemplateVersion.yml
@@ -13,6 +13,11 @@ jobs: outputs: hasAutoDetectionComment: ${{ steps.job1.outputs.hasAutoDetectionComment }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Find Comment uses: peter-evans/find-comment@v3 id: fc
diff --git a/.github/workflows/addLabelOnPr.yaml b/.github/workflows/addLabelOnPr.yaml
index f6edd510a5f..fbd14b2bc09 100644
--- a/.github/workflows/addLabelOnPr.yaml
+++ b/.github/workflows/addLabelOnPr.yaml
@@ -16,6 +16,11 @@ jobs: if: ${{ !github.event.pull_request.head.repo.fork }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/allowedWorkflowRun.yaml b/.github/workflows/allowedWorkflowRun.yaml
index 1269f96dd68..184f180c7fc 100644
--- a/.github/workflows/allowedWorkflowRun.yaml
+++ b/.github/workflows/allowedWorkflowRun.yaml
@@ -18,6 +18,11 @@ jobs: outputs: isWorkflowRunAllowed: ${{ steps.getWorkflowRunAllowedStatus.outputs.isWorkflowRunAllowed }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Is Current User Allowed shell: pwsh id: getWorkflowRunAllowedStatus
diff --git a/.github/workflows/arm-ttk-validations.yaml b/.github/workflows/arm-ttk-validations.yaml
index f56506a2018..66b9acf67e4 100644
--- a/.github/workflows/arm-ttk-validations.yaml
+++ b/.github/workflows/arm-ttk-validations.yaml
@@ -18,6 +18,11 @@ jobs: mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }} createUiChanged: ${{ steps.step1.outputs.createUiChanged }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 10
diff --git a/.github/workflows/checkAutomatedPR.yaml b/.github/workflows/checkAutomatedPR.yaml
index f7ce6468991..df35e2efd4d 100644
--- a/.github/workflows/checkAutomatedPR.yaml
+++ b/.github/workflows/checkAutomatedPR.yaml
@@ -16,6 +16,11 @@ jobs: outputs: isAutomatedPR: ${{ steps.ValidateAutomatedPR.outputs.isAutomatedPR }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - shell: pwsh id: ValidateAutomatedPR run: |
diff --git a/.github/workflows/checkPRContentChange.yaml b/.github/workflows/checkPRContentChange.yaml
index 307fab2b3a6..9714e7895e4 100644
--- a/.github/workflows/checkPRContentChange.yaml
+++ b/.github/workflows/checkPRContentChange.yaml
@@ -26,6 +26,11 @@ jobs: outputs: hasContentPackageChange: ${{ steps.changesInPR.outputs.hasContentPackageChange }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: fetch-depth: 2
diff --git a/.github/workflows/checkSkipPackagingInfo.yaml b/.github/workflows/checkSkipPackagingInfo.yaml
index 411e208e2f2..e7e13a1b7a3 100644
--- a/.github/workflows/checkSkipPackagingInfo.yaml
+++ b/.github/workflows/checkSkipPackagingInfo.yaml
@@ -22,6 +22,11 @@ jobs: outputs: isPackagingRequired: ${{ steps.getPackagingSkipStatus.outputs.isPackagingRequired }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: fetch-depth: 2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 18858f8dc00..caaf1464d26 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,6 +37,11 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v3
diff --git a/.github/workflows/content-validations.yaml b/.github/workflows/content-validations.yaml
index 0e2dec37585..12745d2fa4e 100644
--- a/.github/workflows/content-validations.yaml
+++ b/.github/workflows/content-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
index 0aa38dbf804..bffa7a816f4 100644
--- a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
+++ b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
@@ -27,6 +27,11 @@ jobs: if: ${{ !github.event.pull_request.head.repo.fork }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/data-connector-validations.yaml b/.github/workflows/data-connector-validations.yaml
index 8134e93b06b..ce5f9598512 100644
--- a/.github/workflows/data-connector-validations.yaml
+++ b/.github/workflows/data-connector-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/detection-template-schema-validations.yaml b/.github/workflows/detection-template-schema-validations.yaml
index 78591e45237..ad22d6a3f6c 100644
--- a/.github/workflows/detection-template-schema-validations.yaml
+++ b/.github/workflows/detection-template-schema-validations.yaml
@@ -14,6 +14,11 @@ jobs: dotnetSdkVersion: 3.1.401 PRNUM: ${{ github.event.pull_request.number }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }} uses: actions/setup-dotnet@v4
diff --git a/.github/workflows/detection-validations.yaml b/.github/workflows/detection-validations.yaml
index 359804ad14b..3de064825b5 100644
--- a/.github/workflows/detection-validations.yaml
+++ b/.github/workflows/detection-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/documents-link-validation.yaml b/.github/workflows/documents-link-validation.yaml
index 4dc5a5d22e0..6487bb0a98a 100644
--- a/.github/workflows/documents-link-validation.yaml
+++ b/.github/workflows/documents-link-validation.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/getSolutionName.yaml b/.github/workflows/getSolutionName.yaml
index 9bed68070ea..970095acbf5 100644
--- a/.github/workflows/getSolutionName.yaml
+++ b/.github/workflows/getSolutionName.yaml
@@ -17,6 +17,11 @@ jobs: outputs: sName: "${{ steps.getSolutionName.outputs.solutionName }}" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: fetch-depth: 2
diff --git a/.github/workflows/hyperlinkValidator.yaml b/.github/workflows/hyperlinkValidator.yaml
index 4fe751bba2f..7b9ef76a564 100644
--- a/.github/workflows/hyperlinkValidator.yaml
+++ b/.github/workflows/hyperlinkValidator.yaml
@@ -17,6 +17,11 @@ jobs: if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/json-syntax-validation.yaml b/.github/workflows/json-syntax-validation.yaml
index fcf9aa9c56e..c67dc2c0081 100644
--- a/.github/workflows/json-syntax-validation.yaml
+++ b/.github/workflows/json-syntax-validation.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/kql-validations.yaml b/.github/workflows/kql-validations.yaml
index df2531878b9..9124343cb81 100644
--- a/.github/workflows/kql-validations.yaml
+++ b/.github/workflows/kql-validations.yaml
@@ -14,6 +14,11 @@ jobs: dotnetSdkVersion: 6.0.x PRNUM: ${{ github.event.pull_request.number }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }} uses: actions/setup-dotnet@v4
diff --git a/.github/workflows/logo-validation.yaml b/.github/workflows/logo-validation.yaml
index 89094175f9c..66922dfcb53 100644
--- a/.github/workflows/logo-validation.yaml
+++ b/.github/workflows/logo-validation.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/neworexistingsolution.yaml b/.github/workflows/neworexistingsolution.yaml
index 735024c21a7..0cf9c29debf 100644
--- a/.github/workflows/neworexistingsolution.yaml
+++ b/.github/workflows/neworexistingsolution.yaml
@@ -29,6 +29,11 @@ jobs: solutionOfferId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionOfferId }}" solutionPublisherId: "${{ steps.IdentifyNewOrExistingSolution.outputs.solutionPublisherId }}" steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 with: fetch-depth: 2
diff --git a/.github/workflows/non-ascii-validations.yaml b/.github/workflows/non-ascii-validations.yaml
index ddca1038d0b..0c3153a3954 100644
--- a/.github/workflows/non-ascii-validations.yaml
+++ b/.github/workflows/non-ascii-validations.yaml
@@ -14,6 +14,11 @@ jobs: buildConfiguration: Release dotnetSdkVersion: 3.1.401 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - name: Use .NET Core SDK ${{ env.dotnetSdkVersion }} uses: actions/setup-dotnet@v4
diff --git a/.github/workflows/package-command.yaml b/.github/workflows/package-command.yaml
index 3f23189dee0..38783d2dc73 100644
--- a/.github/workflows/package-command.yaml
+++ b/.github/workflows/package-command.yaml
@@ -27,6 +27,11 @@ jobs: is-automated-pr: ${{ steps.checkAutomatedPR.outputs.isAutomatedPR }} package-created: ${{ steps.validateAndCreatePackage.outputs.isCreatePackage }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Validate inputs run: | if [ -z "${{ env.BRANCH_NAME }}" ]; then
diff --git a/.github/workflows/playbook-validations.yaml b/.github/workflows/playbook-validations.yaml
index a94d3d100aa..5322adb4b0b 100644
--- a/.github/workflows/playbook-validations.yaml
+++ b/.github/workflows/playbook-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/pullRequestStatus.yaml b/.github/workflows/pullRequestStatus.yaml
index bfcd287bc52..89d5bc4397f 100644
--- a/.github/workflows/pullRequestStatus.yaml
+++ b/.github/workflows/pullRequestStatus.yaml
@@ -14,6 +14,11 @@ jobs: outputs: isPullRequestMerged: ${{ steps.getPullRequestStatus.outputs.isPullRequestMerged }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Get Pull Request Status shell: pwsh id: getPullRequestStatus
diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml
index 1e6037d3e33..b7162e33464 100644
--- a/.github/workflows/runAsimSchemaAndDataTesters.yaml
+++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml
@@ -43,6 +43,11 @@ jobs: outputs: approved: ${{ steps.check-approval.outputs.approved }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Check if PR needs approval id: check-approval run: |
@@ -195,6 +200,11 @@ jobs: if: needs.security-gate.outputs.approved == 'true' runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout pull request branch uses: actions/checkout@v3 with:
@@ -246,6 +256,11 @@ jobs: id-token: write contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout pull request branch uses: actions/checkout@v4 with:
@@ -307,6 +322,11 @@ jobs: id-token: write contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout pull request branch uses: actions/checkout@v3 with:
@@ -371,6 +391,11 @@ jobs: id-token: write contents: read steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout pull request branch uses: actions/checkout@v3 with:
diff --git a/.github/workflows/sample-data-validation.yaml b/.github/workflows/sample-data-validation.yaml
index 569188d1fb0..784f3602fef 100644
--- a/.github/workflows/sample-data-validation.yaml
+++ b/.github/workflows/sample-data-validation.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/slash-command-armttk.yaml b/.github/workflows/slash-command-armttk.yaml
index 6a9e01fb620..82858e928f9 100644
--- a/.github/workflows/slash-command-armttk.yaml
+++ b/.github/workflows/slash-command-armttk.yaml
@@ -19,6 +19,11 @@ jobs: mainTemplateChanged: ${{ steps.step1.outputs.mainTemplateChanged }} createUiChanged: ${{ steps.step1.outputs.createUiChanged }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Get PR details and validate id: get-pr uses: actions/github-script@v7
diff --git a/.github/workflows/slash-command-dispatch.yaml b/.github/workflows/slash-command-dispatch.yaml
index f2162a8651a..36ad1f303ad 100644
--- a/.github/workflows/slash-command-dispatch.yaml
+++ b/.github/workflows/slash-command-dispatch.yaml
@@ -38,6 +38,11 @@ jobs: needs.pull-request-status.outputs.isPullRequestMerged == 'False' && !github.event.pull_request.head.repo.fork steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate GitHub App token id: generate_token uses: actions/create-github-app-token@333678481b1f02ee31fa1443aba4f1f7cb5b08b5 # v2.0.0
diff --git a/.github/workflows/solution-validations.yaml b/.github/workflows/solution-validations.yaml
index b71e9c36080..814dfb58692 100644
--- a/.github/workflows/solution-validations.yaml
+++ b/.github/workflows/solution-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/solutionIntegration.yaml b/.github/workflows/solutionIntegration.yaml
index 225a505dcfc..8fdfa186ca8 100644
--- a/.github/workflows/solutionIntegration.yaml
+++ b/.github/workflows/solutionIntegration.yaml
@@ -19,6 +19,11 @@ jobs: name: Solution Integration Testing - Testim.io runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout pull request branch uses: actions/checkout@v3 with:
diff --git a/.github/workflows/update-solutions-analyzer.yml b/.github/workflows/update-solutions-analyzer.yml
index 5bd04ab73eb..f9e67f13562 100644
--- a/.github/workflows/update-solutions-analyzer.yml
+++ b/.github/workflows/update-solutions-analyzer.yml
@@ -22,6 +22,11 @@ jobs: pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@v4 with:
diff --git a/.github/workflows/validateClassicAppInsights.yaml b/.github/workflows/validateClassicAppInsights.yaml
index 99de47bcc91..b1a4a1f52b1 100644
--- a/.github/workflows/validateClassicAppInsights.yaml
+++ b/.github/workflows/validateClassicAppInsights.yaml
@@ -22,6 +22,11 @@ jobs: if: ${{ github.actor != 'dependabot[bot]' && !github.event.pull_request.merged && !github.event.pull_request.head.repo.fork }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/validateFieldTypes.yaml b/.github/workflows/validateFieldTypes.yaml
index 59f5a03c241..c52b1b16069 100644
--- a/.github/workflows/validateFieldTypes.yaml
+++ b/.github/workflows/validateFieldTypes.yaml
@@ -21,6 +21,11 @@ jobs: if: ${{ !github.event.pull_request.head.repo.fork && !contains(github.event.client_payload.pull_request.head.ref , 'dependabot/') && !contains(github.event.client_payload.pullRequestBranchName , 'dependabot/') }} runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - name: Generate a token id: generate_token uses: actions/create-github-app-token@46e4a501e119d39574a54e53a06c9a705efc55c9
diff --git a/.github/workflows/validateVersionChangedInDetections.yml b/.github/workflows/validateVersionChangedInDetections.yml
index 6e2beb51002..a00d895b78b 100644
--- a/.github/workflows/validateVersionChangedInDetections.yml
+++ b/.github/workflows/validateVersionChangedInDetections.yml
@@ -19,6 +19,11 @@ jobs: # check out and run the script steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v1 - name: Check that template version was updated
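Review bot: In validateVersionChangedInDetections.yml the hardening step is inserted between the comment `# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it` and the `- uses: actions/checkout@v1` step it describes, so the comment now reads as if it described harden-runner. Move the five added lines above that comment, directly after `steps:`, so the comment stays attached to the checkout step; the other hunks in this change place the step immediately after `steps:` and are not affected. The checkout here is also the oldest floating tag visible in the change (`@v1`); in audit mode harden-runner only logs what that action does on the network, so pinning it by SHA is worth a follow-up of its own.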
diff --git a/.github/workflows/workbook-metadata-validations.yaml b/.github/workflows/workbook-metadata-validations.yaml
index da93e965104..8fbca38d780 100644
--- a/.github/workflows/workbook-metadata-validations.yaml
+++ b/.github/workflows/workbook-metadata-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/workbook-template-validations.yaml b/.github/workflows/workbook-template-validations.yaml
index 3a8a293bd4f..e43d0b1f5d4 100644
--- a/.github/workflows/workbook-template-validations.yaml
+++ b/.github/workflows/workbook-template-validations.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install
diff --git a/.github/workflows/yaml-syntax-validation.yaml b/.github/workflows/yaml-syntax-validation.yaml
index 1c1f9de65c7..a5b26917669 100644
--- a/.github/workflows/yaml-syntax-validation.yaml
+++ b/.github/workflows/yaml-syntax-validation.yaml
@@ -18,6 +18,11 @@ jobs: GITHUBAPPPRIVATEKEY: ${{ secrets.APPLICATION_PRIVATE_KEY }} SYSTEM_PULLREQUEST_ISFORK: ${{ github.event.pull_request.head.repo.fork }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 + with: + egress-policy: audit + - uses: actions/checkout@v4 - run: npm install -g npm@6.14.18;which npm;npm -v - name: npm install