[StepSecurity] Apply security best practices (#4539)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-11-24 11:54:34 +08:00 · 2024-12-15 09:31:21 -08:00
parent 6a2ae22a5a
commit 4003f8da02
13 changed files with 374 additions and 57 deletions
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -21,11 +21,16 @@ jobs:
    runs-on: ubuntu-latest
    container: silkeh/clang:dev
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
      - name: Install git and unzip
        run: apt-get update ; apt-get install -y git unzip
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -35,9 +40,14 @@ jobs:
    runs-on: ubuntu-latest
    container: gcc:latest
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -56,7 +66,12 @@ jobs:
          ci_single_binaries    # needs iwyu
        ]
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -66,9 +81,14 @@ jobs:
    runs-on: ubuntu-latest
    container: gcc:latest
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -80,9 +100,14 @@ jobs:
      matrix:
        target: [ci_cpplint, ci_reproducible_tests, ci_non_git_tests, ci_offline_testdata]
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -95,11 +120,16 @@ jobs:
      matrix:
        target: [ci_clang_tidy, ci_test_clang_sanitizer, ci_clang_analyze]
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
      - name: Install git, clang-tools, and unzip
        run: apt-get update ; apt-get install -y git clang-tools unzip
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -112,11 +142,16 @@ jobs:
      matrix:
        target: [ci_cmake_flags, ci_test_diagnostics, ci_test_noexceptions, ci_test_noimplicitconversions, ci_test_legacycomparison, ci_test_noglobaludls]
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
      - name: Install build-essential
        run: apt-get update ; apt-get install -y build-essential unzip wget git
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -128,7 +163,12 @@ jobs:
      contents: read
      checks: write
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install dependencies and de_DE locale
        run: |
          sudo apt-get clean
@@ -141,12 +181,12 @@ jobs:
      - name: Build
        run: cmake --build build --target ci_test_coverage
      - name: Archive coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: code-coverage-report
          path: ${{ github.workspace }}/build/html
      - name: Publish report to Coveralls
-        uses: coverallsapp/github-action@v2.3.4
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2.3.4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path-to-lcov: ${{ github.workspace }}/build/json.info.filtered.noexcept
@@ -158,7 +198,12 @@ jobs:
        compiler: ['4.8', '4.9', '5', '6']
    container: ghcr.io/nlohmann/json-ci:v2.4.0
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run CMake
        run: CXX=g++-${{ matrix.compiler }} cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -172,9 +217,14 @@ jobs:
        compiler: ['7', '8', '9', '10', '11', '12', '13', '14', 'latest']
    container: gcc:${{ matrix.compiler }}
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -187,11 +237,16 @@ jobs:
        compiler: ['3.5', '3.6', '3.7', '3.8', '3.9', '4', '5', '6', '7', '8', '9', '10', '11', '12', '13', '14', '15-bullseye', '16', '17', '18', '19', 'latest']
    container: silkeh/clang:${{ matrix.compiler }}
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
      - name: Install unzip and git
        run: apt-get update ; apt-get install -y unzip git
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Set env FORCE_STDCPPFS_FLAG for clang 7 / 8 / 9 / 10
        run: echo "JSON_FORCED_GLOBAL_COMPILE_OPTIONS=-DJSON_HAS_FILESYSTEM=0;-DJSON_HAS_EXPERIMENTAL_FILESYSTEM=0" >> "$GITHUB_ENV"
        if: ${{ matrix.compiler == '7' || matrix.compiler == '8' || matrix.compiler == '9' || matrix.compiler == '10' }}
@@ -207,9 +262,14 @@ jobs:
      matrix:
        standard: [11, 14, 17, 20, 23]
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -223,11 +283,16 @@ jobs:
        standard: [11, 14, 17, 20, 23]
        stdlib: [libcxx, libstdcxx]
    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
      - name: Install git and unzip
        run: apt-get update ; apt-get install -y git unzip
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Get latest CMake and ninja
-        uses: lukka/get-cmake@v3.31.0
+        uses: lukka/get-cmake@71b7adfe2603f48bb9ed50d2b01a72499ae94885 # v3.31.0
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build with libc++
@@ -241,7 +306,12 @@ jobs:
    runs-on: ubuntu-latest
    container: ghcr.io/nlohmann/json-ci:v2.4.0
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -251,7 +321,12 @@ jobs:
    runs-on: ubuntu-latest
    container: ghcr.io/nlohmann/json-ci:v2.2.0
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build
@@ -262,8 +337,13 @@ jobs:
  ci_reuse_compliance:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.11'
      - name: Install REUSE tool
@@ -277,7 +357,12 @@ jobs:
      matrix:
        target: [ci_test_examples, ci_test_api_documentation]
    steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run CMake
        run: cmake -S . -B build -DJSON_CI=On
      - name: Build