From b3fb5fe782dacbfddc3992d7225eb83885d0bb89 Mon Sep 17 00:00:00 2001
From: Mihail Mihov <mihail.mihov@limechain.tech>
Date: Thu, 31 Oct 2024 11:43:51 +0200
Subject: [PATCH] ci: Update per Q3 audit findings

Signed-off-by: Mihail Mihov <mihail.mihov@limechain.tech>
---
 .github/workflows/flow-deploy-release-artifact.yaml | 10 ++++++++++
 .github/workflows/flow-pull-request-formatting.yaml |  5 +++++
 .github/workflows/zxc-code-analysis.yaml            |  5 +++++
 .github/workflows/zxc-compile-code.yaml             |  5 +++++
 .github/workflows/zxc-release-maven-central.yaml    |  5 +++++
 .github/workflows/zxf-snyk-monitor.yaml             |  5 +++++
 6 files changed, 35 insertions(+)

diff --git a/.github/workflows/flow-deploy-release-artifact.yaml b/.github/workflows/flow-deploy-release-artifact.yaml
index f70f8f79..98a5ee0b 100644
--- a/.github/workflows/flow-deploy-release-artifact.yaml
+++ b/.github/workflows/flow-deploy-release-artifact.yaml
@@ -61,6 +61,11 @@ jobs:
     outputs:
       version: ${{ steps.tag.outputs.version }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
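Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections and blocks none of them, so this release job keeps unrestricted egress while it holds publishing credentials. Audit mode is the right first step, but for the two jobs in this file and the release job in zxc-release-maven-central the intended end state is `egress-policy: block` with an `allowed-endpoints:` list derived from the audit output, and recording that next step on the line keeps it from being forgotten, e.g. `egress-policy: audit  # TODO: switch to block + allowed-endpoints after reviewing audit data`. The identical step is added in flow-pull-request-formatting, zxc-code-analysis, zxc-compile-code and zxf-snyk-monitor. The enclosing `steps:` list continues beyond the hunk.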
@@ -122,6 +127,11 @@ jobs:
     needs:
       - publish-maven-central
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
diff --git a/.github/workflows/flow-pull-request-formatting.yaml b/.github/workflows/flow-pull-request-formatting.yaml
index 77cb7252..693e305d 100644
--- a/.github/workflows/flow-pull-request-formatting.yaml
+++ b/.github/workflows/flow-pull-request-formatting.yaml
@@ -40,6 +40,11 @@ jobs:
     name: Title Check
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Check PR Title
         uses: step-security/conventional-pr-title-action@19fb561b33015fd2184055a05ce5a3bcf2ba3f54 # v3.2.0
         env:
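Review bot: `runs-on: solo-linux-medium` two lines above the new step does not look like a GitHub-hosted runner label; if these are self-hosted runners, confirm that harden-runner is actually active on them, since to my knowledge it supports self-hosted runners only in its enterprise/ARC configuration and otherwise the step may complete without providing any egress monitoring, which would give a false sense of coverage. Checking the StepSecurity insights for the first run after merge, or a note on the step such as `# NOTE: verify harden-runner is active on self-hosted solo-* runners`, would settle it. zxc-code-analysis, zxc-compile-code and zxf-snyk-monitor use the same runner label. The `steps:` list continues past the hunk.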
diff --git a/.github/workflows/zxc-code-analysis.yaml b/.github/workflows/zxc-code-analysis.yaml
index 407c1d53..a344d2b9 100644
--- a/.github/workflows/zxc-code-analysis.yaml
+++ b/.github/workflows/zxc-code-analysis.yaml
@@ -102,6 +102,11 @@ jobs:
     name: ${{ inputs.custom-job-label || 'Analyze' }}
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
diff --git a/.github/workflows/zxc-compile-code.yaml b/.github/workflows/zxc-compile-code.yaml
index 68b3bcaa..8bbd4fbe 100644
--- a/.github/workflows/zxc-compile-code.yaml
+++ b/.github/workflows/zxc-compile-code.yaml
@@ -87,6 +87,11 @@ jobs:
     name: ${{ inputs.custom-job-label || 'Compiles' }}
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
diff --git a/.github/workflows/zxc-release-maven-central.yaml b/.github/workflows/zxc-release-maven-central.yaml
index 6b682a5f..4a4fb2a9 100644
--- a/.github/workflows/zxc-release-maven-central.yaml
+++ b/.github/workflows/zxc-release-maven-central.yaml
@@ -94,6 +94,11 @@ jobs:
     outputs:
       notes: ${{ steps.create-release-notes.outputs.RELEASE_NOTES }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
diff --git a/.github/workflows/zxf-snyk-monitor.yaml b/.github/workflows/zxf-snyk-monitor.yaml
index 678cb8d5..16b81710 100644
--- a/.github/workflows/zxf-snyk-monitor.yaml
+++ b/.github/workflows/zxf-snyk-monitor.yaml
@@ -37,6 +37,11 @@ jobs:
     name: Snyk Monitor
     runs-on: solo-linux-medium
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1