use StepSecurity Secure Workflows for project management #49

2026-05-14 14:10:14 +02:00 · 2022-07-24 21:22:31 +01:00
parent 8e03759e2f
commit 875e6d6260
4 changed files with 53 additions and 8 deletions
@@ -8,34 +8,45 @@ on:
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

+permissions:
+  contents: read
+
 jobs:
  assign-to-project:
+    permissions:
+      repository-projects: write  # for srggrs/assign-one-project-github-action to assign issues and PRs to repo project
    runs-on: ubuntu-latest
    name: Assign to Project
    steps:
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
    - name: Assign Issues to Bugs
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
      if: contains(github.event.issue.labels.*.name, 'bug')
      with:
        project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
        column_name: 'Needs triage'

    - name: Assign Issues to Enhancements
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
      if: contains(github.event.issue.labels.*.name, 'enhancement')
      with:
        project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
        column_name: 'To do'

    - name: Assign PRs to Bugs
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
      if: contains(github.event.pull_request.labels.*.name, 'bug')
      with:
        project: 'https://github.com/irongut/CodeCoverageSummary/projects/1'
        column_name: 'In Progress'

    - name: Assign PRs to Enhancements
-      uses: srggrs/assign-one-project-github-action@1.3.1
+      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
      if: contains(github.event.pull_request.labels.*.name, 'enhancement')
      with:
        project: 'https://github.com/irongut/CodeCoverageSummary/projects/2'
@@ -7,11 +7,22 @@ on:
  pull_request:
    types: [opened]

+permissions:
+  contents: read
+
 jobs:
  assignAuthor:
+    permissions:
+      pull-requests: write  # for samspills/assign-pr-to-author
    runs-on: ubuntu-latest
    steps:
+
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
    - name: Auto Assign PR
-      uses: samspills/assign-pr-to-author@v1.0.1
+      uses: samspills/assign-pr-to-author@223a87a821f7e7447cfb5221bc53ceeb633341c2
      with:
        repo-token: '${{ secrets.GITHUB_TOKEN }}'
@@ -4,14 +4,25 @@ on:
  schedule:
  - cron: "30 1 * * *"

+permissions:
+  contents: read
+
 jobs:
  stale:

+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
-
    steps:
+
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
    - name: Mark Stale
-      uses: actions/stale@v3
+      uses: actions/stale@98ed4cb500039dbcccf4bd9bedada4d0187f2757
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        exempt-all-milestones: true
@@ -7,10 +7,22 @@ name: PR Labeler
 on: 
  pull_request_target:

+permissions:
+  contents: read
+
 jobs:
  label:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/labeler@v3
+    
+    - name: Harden Runner
+      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
      with:
        repo-token: "${{ secrets.GITHUB_TOKEN }}"