diff --git a/.github/workflows/check-semver.yml b/.github/workflows/check-semver.yml
index ef56a78..f946085 100644
--- a/.github/workflows/check-semver.yml
+++ b/.github/workflows/check-semver.yml
@@ -14,10 +14,11 @@ jobs:
 name: Check labels
 runs-on: ubuntu-latest
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - name: Harden the runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ use-policy-store: true
+ api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}
 - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 with:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 71ae4a3..7709f53 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,10 +19,11 @@ jobs:
 contents: read
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - name: Harden the runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ use-policy-store: true
+ api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}
 - name: Checkout code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/publish_to_pypi.yml b/.github/workflows/publish_to_pypi.yml
index 96775b9..1ceef63 100644
--- a/.github/workflows/publish_to_pypi.yml
+++ b/.github/workflows/publish_to_pypi.yml
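Review bot: The new `api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}` line makes the hardening step depend on a repository secret, and a "Check labels" job is typically driven by pull_request events (the `on:` block is outside this hunk), where secrets expand to empty for pull requests from forks. What harden-runner does with an empty `api-key` when `use-policy-store: true` — fail the step, run with no policy, or fall back — is not visible here and should be confirmed before merging, because the `egress-policy: audit` it replaces needed no credential at all. If the action accepts an inline policy alongside the store lookup, keeping `egress-policy: audit` as a fallback line would preserve the previous baseline; otherwise a comment such as `# Requires STEPSECURITY_POLICY_STORE_API_KEY; empty on fork PRs` should document the gap.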
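Review bot: With `egress-policy: audit` removed and the step renamed to plain "Harden the runner", nothing left in this file states which egress policy applies — the audit/block mode and the allowed endpoints now live in an external policy store that a reviewer of this repository cannot read. The old step name at least advertised audit mode; the rename silently drops even that. A one-line comment above `use-policy-store: true` should say so, e.g. `# Egress mode and allowed endpoints are managed in the StepSecurity policy store, not in this file`, ideally naming who owns that policy.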
@@ -20,10 +20,11 @@ jobs:
 id-token: write
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - name: Harden the runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ use-policy-store: true
+ api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}
 - name: Checkout repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/release-on-push.yml b/.github/workflows/release-on-push.yml
index 6248b95..166a29f 100644
--- a/.github/workflows/release-on-push.yml
+++ b/.github/workflows/release-on-push.yml
@@ -11,10 +11,11 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - name: Harden the runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ use-policy-store: true
+ api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}
 - uses: rymndhng/release-on-push-action@aebba2bbce07a9474bf95e8710e5ee8a9e922fe2 # v0.28.0
 with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index cf3ac16..2c636c3 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -26,10 +26,11 @@ jobs:
 python-version: [ '3.11', '3.12', '3.13' ]
 steps:
- - name: Harden the runner (Audit all outbound calls)
- uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ - name: Harden the runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
 with:
- egress-policy: audit
+ use-policy-store: true
+ api-key: ${{ secrets.STEPSECURITY_POLICY_STORE_API_KEY }}
 - name: Checkout repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
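Review bot: This is the job holding `id-token: write` (OIDC trusted publishing, visible in the hunk context), so its egress allow-list is the control that would stop a compromised build or publish step from exfiltrating the OIDC token or the package; the new `use-policy-store: true` moves that allow-list out of version control and behind `STEPSECURITY_POLICY_STORE_API_KEY`, meaning whoever can edit the store policy can widen what this job may reach without a reviewed pull request. For a release job the policy should be block mode with an explicit endpoint list, and keeping it in this file (`egress-policy: block` plus an `allowed-endpoints:` list) is the reviewable option; whether the action honors an inline policy in addition to the store lookup should be confirmed from its documentation. At minimum, confirm that the store policy for this workflow is block mode rather than the `audit` it replaces, since audit only logs.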
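Review bot: The release job now requires a second secret at its very first step, and nothing in the workflow documents that `STEPSECURITY_POLICY_STORE_API_KEY` must exist, so a missing or rotated key will break every release with no hint in the file. Add a comment above the step such as `# Needs repository secret STEPSECURITY_POLICY_STORE_API_KEY (StepSecurity policy store)`. Passing the key as a step input rather than job-wide is the right scoping; the hunk context shows `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` exported at job level, and that pattern should not be mirrored for the new key.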
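Review bot: This job runs as a matrix over `python-version: [ '3.11', '3.12', '3.13' ]`, so the policy-store lookup now happens in three differently named job instances; if the store keys policies by job name — worth confirming against the action's documentation — each variant needs its own entry or a pattern, otherwise some or all of them may get no policy at all. The `egress-policy: audit` being removed applied uniformly regardless of job name, so this is a new failure mode. A comment above `use-policy-store: true` stating which store entries cover the matrix instances, e.g. `# Policy store must have an entry matching every matrix job name`, would let the next reviewer verify it.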