From f938925f71f6abbf4a4fb7dac1b47bae8c28141a Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 9 Jan 2023 07:04:59 -0800
Subject: [PATCH] ci: [StepSecurity] Apply security best practices (#16)
Signed-off-by: StepSecurity Bot
Co-authored-by: Erik Godding Boye
---
 .github/dependabot.yml | 8 ++++++++
 .github/workflows/build.yaml | 15 ++++++++++-----
 .github/workflows/ci.yml | 24 +++++++++++++++++-------
 3 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1c72da90..235e4fa0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,3 +17,11 @@ updates:
 commit-message:
 prefix: ci
 include: scope
+ # Maintain dependencies for Docker
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: build
+ include: scope
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3ed95f92..dd2dfea3 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
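Review bot: The new `docker` entry keeps base images current, but the SHA-pinned actions this same patch introduces in build.yaml and ci.yml stay current only if a `github-actions` ecosystem entry exists in this file. The entry ending just above the hunk (`prefix: ci`) is presumably that one, but its `package-ecosystem` line is outside the hunk, so confirm it; without it the `# vX.Y.Z` comments beside each pin drift from the SHA and the pins never move. Consider a comment on the entry above stating that it is what refreshes the SHA pins and their version comments, so the dependency between the two is visible to the next maintainer.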
@@ -18,15 +18,20 @@ jobs:
 packages: write # for docker/build-push-action to push images
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- - uses: docker/setup-qemu-action@v2
- - uses: docker/setup-buildx-action@v2
- - uses: docker/login-action@v2
+ - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+ - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+ - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: docker/metadata-action@v4
+ - uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1
 id: meta
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -38,7 +43,7 @@ jobs:
 # disabled if major zero
 type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
 type=ref,event=branch
- - uses: docker/build-push-action@v3
+ - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
 with:
 context: .
 push: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e198dd52..b1f34d15 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
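Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and restricts nothing, so until the TODO on that line is actioned the step does not change what this job can reach — and this is the job that holds `packages: write` and logs in to the registry with `secrets.GITHUB_TOKEN`, where a blocking policy matters most. The same step and TODO are added verbatim to both jobs in ci.yml (the -85 and -104 hunks), so the switch to `block` has to be made in three places. Consider replacing the free-form TODO with a tracking reference so it does not go stale, e.g. `egress-policy: audit # TODO(<issue-ref>): switch to 'block' once the audited endpoints have been reviewed`. The enclosing job definition starts before the hunk.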
@@ -85,10 +85,15 @@ jobs:
 needs: test
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- - uses: docker/setup-qemu-action@v2
- - uses: docker/setup-buildx-action@v2
- - uses: docker/build-push-action@v3
+ - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+ - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+ - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0
 with:
 context: .
 push: false
@@ -96,7 +101,7 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 outputs: type=docker,dest=/tmp/controller-image.tar
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
 with:
 name: controller-image
 path: /tmp/controller-image.tar
@@ -104,12 +109,17 @@ jobs:
 needs: build-image
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
+ with:
+ egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: controller-image
 path: /tmp
- - uses: AbsaOSS/k3d-action@v2
+ - uses: AbsaOSS/k3d-action@597f8436a25d6d2e8e46a5047ed986a833a6674c # v2.4.0
 with:
 cluster-name: image-scanner
 args: >-
@@ -120,7 +130,7 @@ jobs:
 - run: |
 k3d image import --cluster image-scanner /tmp/controller-image.tar
 make deploy-dependencies deploy
- - uses: jaxxstorm/action-install-gh-release@v1
+ - uses: jaxxstorm/action-install-gh-release@f2bcf7617d36fea65f0a9d261d4947b19947956e # v1.9.0
 with:
 repo: kudobuilder/kuttl
 tag: v0.15.0
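Review bot: Pinning `jaxxstorm/action-install-gh-release` to a SHA fixes the installer's own code, but not the artifact it fetches at run time — the kuttl `v0.15.0` release binary is downloaded during the job and nothing in this workflow verifies its checksum or signature, and with egress still in audit mode the download is also unrestricted. If upstream publishes checksums for that release, a following `run` step that compares the downloaded binary against the published value would close the gap. The same consideration presumably applies to `AbsaOSS/k3d-action` in the previous hunk, which appears to install k3d at run time as well. The enclosing job definition starts before the hunk.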