From 787a37ce347e06b9e5b4677de36f422f1dc9c32d Mon Sep 17 00:00:00 2001
From: Dave Thaler
Date: Wed, 8 Jun 2022 20:23:39 -0700
Subject: [PATCH] Harden workflows per https://app.stepsecurity.io
Signed-off-by: Dave Thaler
---
 .github/workflows/ci-build-windows.yaml | 12 ++++++++++--
 .github/workflows/ci-build.yaml | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-build-windows.yaml b/.github/workflows/ci-build-windows.yaml
index ea8e0a996..35dafe6f3 100644
--- a/.github/workflows/ci-build-windows.yaml
+++ b/.github/workflows/ci-build-windows.yaml
@@ -13,11 +13,19 @@ on: branches: - main +permissions: + contents: read + jobs: build: runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Set up git env run: | git config --global core.autocrlf false
@@ -25,7 +33,7 @@ jobs: echo "GOPATH=$gopath" >> $env:GITHUB_ENV - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Format run: |
@@ -46,7 +54,7 @@ jobs: run: | go test -tags WINDOWS ./... - - uses: dominikh/staticcheck-action@v1.1.0 + - uses: dominikh/staticcheck-action@4ec9a0dff54be2642bc76581598ba433fd8d4967 with: version: "2021.1.2" install-go: false
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 68facee97..1f81ecce1 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest 
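Review bot: `egress-policy: audit` in the Harden Runner step of the first hunk only records outbound connections and blocks nothing, and the accompanying TODO names no owner, date or criterion, so the workflow gains no actual enforcement until someone follows up; I would either switch to `egress-policy: block` now with an `allowed-endpoints:` list derived from the first audit run (presumably github.com plus the Go module proxy and checksum hosts that `go test` needs — confirm from the audit report), or at least tighten the comment to `# TODO(<owner>, <date>): switch to egress-policy: block once allowed-endpoints is populated from audit runs`. This job runs on `windows-latest`, and as I understand it the harden-runner agent at the time targeted Linux runners, so verify that the pinned revision actually produces audit data on Windows rather than silently no-op'ing, otherwise the TODO can never be acted on. The bare commit pins in the later hunks (`actions/checkout@d0651293…`, `dominikh/staticcheck-action@4ec9a0df…`) are the right hardening but lose the human-readable version a reviewer would check the SHA against; appending it as a trailing comment, e.g. `uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 # v3`, keeps the pin reviewable and lets Dependabot/Renovate keep it current.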
@@ -12,13 +15,18 @@ jobs: image: golang:1.16.10-alpine3.14 steps: + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Set up environment run : | apk update apk add gcc libc-dev bash perl curl make - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Format run: |
@@ -38,7 +46,7 @@ jobs: run: | go test ./... - - uses: dominikh/staticcheck-action@v1.1.0 + - uses: dominikh/staticcheck-action@4ec9a0dff54be2642bc76581598ba433fd8d4967 with: version: "2021.1.2" install-go: false
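Review bot: The Harden Runner step added in the first hunk on this line sits in a job that appears to run inside a container (the context line `image: golang:1.16.10-alpine3.14` is presumably under a `container:` key whose start lies outside the hunk, as does the `build:` job header), and as I understand it harden-runner installs its agent on the runner VM rather than in the job container, with container jobs not supported at this point; the step may therefore error or monitor nothing, so confirm against the action's README for the pinned commit before relying on its audit output, and if unsupported either drop the step here or mark it with `# NOTE: harden-runner does not cover container: jobs; egress from this job is unmonitored`. The `egress-policy: audit` TODO has the same weakness as in the Windows workflow: audit mode blocks nothing and the comment carries no owner, date or criterion for flipping it. Relevant to any future `block` policy rather than to this change: the `apk update`/`apk add` lines in the `Set up environment` context fetch from the Alpine package mirrors, so those hosts will need to appear in `allowed-endpoints:` alongside github.com and the Go module proxy.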