[actions] add step security runner

2021-11-22 07:20:50 -08:00
parent 81fc05684d
commit 6cc90a4b8d
7 changed files with 78 additions and 0 deletions
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,12 @@ jobs:
      contents: read
    runs-on: ubuntu-latest
    steps:
+      - uses: step-security/harden-runner@v1
+        with:
+          allowed-endpoints:
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
      - uses: actions/checkout@v2
      - uses: ljharb/actions/node/install@main
        name: 'nvm install ${{ matrix.node-version }} && npm install'
@@ -20,6 +26,14 @@ jobs:
      contents: read
    runs-on: ubuntu-latest
    steps:
+      - uses: step-security/harden-runner@v1
+        with:
+          allowed-endpoints:
+            ghcr.io:443
+            github.com:443
+            pkg-containers.githubusercontent.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
      - uses: actions/checkout@v2
      - uses: ljharb/actions/node/install@main
        name: 'nvm install ${{ matrix.node-version }} && npm install'
@@ -32,6 +46,12 @@ jobs:
      contents: read
    runs-on: ubuntu-latest
    steps:
+      - uses: step-security/harden-runner@v1
+        with:
+          allowed-endpoints:
+            github.com:443
+            nodejs.org:443
+            registry.npmjs.org:443
      - uses: actions/checkout@v2
      - uses: ljharb/actions/node/install@main
        name: 'nvm install ${{ matrix.node-version }} && npm install'
@@ -44,6 +64,10 @@ jobs:
      contents: read
    runs-on: ubuntu-latest
    steps:
+      - uses: step-security/harden-runner@v1
+        with:
+          allowed-endpoints:
+            github.com:443
      - uses: actions/checkout@v2
      - name: check tests filenames
        run: ./rename_test.sh --check