ci: Harden GitHub Actions [StepSecurity] (#13318)

author: StepSecurity Bot <bot@stepsecurity.io> 2025-09-19 08:30:10 -0700
committer: GitHub <noreply@github.com> 2025-09-19 17:30:10 +0200
commit: 7f3d8a34e2d850b51782f0900151413b435296d4 (patch)
tree: 60b8020323f03653c225fdbc69011eb3afb3d4e8
parent: c87eb79140ac359cf4f71604ddbf7209e1282939 (diff)
download: zsh-7f3d8a34e2d850b51782f0900151413b435296d4.tar.gz
zsh-7f3d8a34e2d850b51782f0900151413b435296d4.tar.bz2
zsh-7f3d8a34e2d850b51782f0900151413b435296d4.zip
4 files changed, 32 insertions, 7 deletions
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index 11c0ad0ef..3f448fe64 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -13,18 +13,23 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
       - name: Authenticate as @ohmyzsh
         id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.OHMYZSH_APP_ID }}
           private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: "3.12"
           cache: "pip"
diff --git a/.github/workflows/installer.yml b/.github/workflows/installer.yml
index 9e933350f..2d1de706a 100644
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -25,8 +25,13 @@ jobs:
           - ubuntu-latest
           - macos-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Set up git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install zsh
         if: runner.os == 'Linux'
         run: sudo apt-get update; sudo apt-get install zsh
@@ -41,8 +46,13 @@ jobs:
     needs:
       - test
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install Vercel CLI
         run: npm install -g vercel
       - name: Setup project and deploy
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c49324495..b48a3d32b 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,8 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Set up git repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Install zsh
         run: sudo apt-get update; sudo apt-get install zsh
       - name: Check syntax
diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml
index 8fd4e15d4..ba971db15 100644
--- a/.github/workflows/project.yml
+++ b/.github/workflows/project.yml
@@ -16,9 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Authenticate as @ohmyzsh
         id: generate-token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         with:
           app-id: ${{ secrets.OHMYZSH_APP_ID }}
           private-key: ${{ secrets.OHMYZSH_APP_PRIVATE_KEY }}
author	StepSecurity Bot <bot@stepsecurity.io>	2025-09-19 08:30:10 -0700
committer	GitHub <noreply@github.com>	2025-09-19 17:30:10 +0200
commit	7f3d8a34e2d850b51782f0900151413b435296d4 (patch)
tree	60b8020323f03653c225fdbc69011eb3afb3d4e8
parent	c87eb79140ac359cf4f71604ddbf7209e1282939 (diff)
download	zsh-7f3d8a34e2d850b51782f0900151413b435296d4.tar.gz zsh-7f3d8a34e2d850b51782f0900151413b435296d4.tar.bz2 zsh-7f3d8a34e2d850b51782f0900151413b435296d4.zip