[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
inventage · Dec 17, 2023 · 400c5e2 · 400c5e2
1 parent 7e03cd6
commit 400c5e2
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 6 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -36,3 +36,18 @@ updates:
     directory: /packages/avatar-image
     schedule:
       interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/cem-preset
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/dev-helpers
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /plugins/markdown-storybook
+    schedule:
+      interval: daily
diff --git a/.github/workflows/deploy-main.yml b/.github/workflows/deploy-main.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     if: github.repository_owner == 'inventage' && github.ref == 'refs/heads/main'

diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -49,7 +49,7 @@ jobs:
       - name: Storybook Build
         run: npm run storybook:build
 
-      - uses: gacts/github-slug@v1
+      - uses: gacts/github-slug@ee992367ac8f20b63d223a84858cc8e4d6842382 # v1.3.0
         id: slug
 
       - run: |
@@ -77,7 +77,7 @@ jobs:
 
       # Creates a status check with link to preview
       - name: Status check
-        uses: Sibz/github-status-action@v1.1.6
+        uses: Sibz/github-status-action@650dd1a882a76dbbbc4576fb5974b8d22f29847f # v1.1.6
         with:
           authToken: ${{ secrets.GITHUB_TOKEN }}
           context: Deployment
@@ -86,7 +86,7 @@ jobs:
           target_url: ${{ env.DEPLOY_URL }}
 
       - name: Comment PR
-        uses: thollander/actions-comment-pull-request@v2
+        uses: thollander/actions-comment-pull-request@1d3973dc4b8e1399c0620d3f2b1aa5e795465308 # v2.4.3
         if: ${{ github.event_name == 'pull_request' }}
         with:
           message: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -58,7 +58,7 @@ jobs:
 
       - name: Cache Playwright Browsers for Playwright's Version
         id: cache-playwright-browsers
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/ms-playwright
           key: playwright-browsers-${{ env.PLAYWRIGHT_VERSION }}

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -53,7 +53,7 @@ jobs:
 
       - name: Cache Playwright Browsers for Playwright's Version
         id: cache-playwright-browsers
-        uses: actions/cache@v3
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/ms-playwright
           key: playwright-browsers-${{ env.PLAYWRIGHT_VERSION }}

diff --git a/.github/workflows/vrt.yml b/.github/workflows/vrt.yml
@@ -20,6 +20,11 @@ jobs:
     runs-on: macos-12
     if: false
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
         with:
@@ -44,7 +49,7 @@ jobs:
         run: npm run test:vrt
 
       - name: Archive visual diff results
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: failure()
         with:
           name: visual-diffs