[StepSecurity] Apply security best practices (#6)

Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: Krisztian Notaisz <[email protected]>
morganstanley · Nov 8, 2024 · e2af14a · e2af14a
1 parent a93ca03
commit e2af14a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 10 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,8 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,9 @@ on:
           - minor
           - major
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -22,11 +25,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
       - name: Set up Python 3.7
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.7
       - run: pip install --upgrade pip
@@ -37,7 +40,7 @@ jobs:
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
       - run: bumpver update --${{inputs.releaseType}}
       - run: python -m build
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3.2.1
         with:
           name: package
           path: dist/
@@ -47,19 +50,19 @@ jobs:
     needs: [build]
 
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: package
           path: dist/
 
       - name: Publish to Test PyPI
         if: ${{github.ref_name == 'test_pypi'}}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@61da13deb5f5124fb1536194f82ed3d9bbc7e8f3 # release/v1
         with:
           password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
       - name: Publish to PyPI
         if: ${{github.ref_name != 'test_pypi'}}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@61da13deb5f5124fb1536194f82ed3d9bbc7e8f3 # release/v1
         with:
           password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
@@ -3,16 +3,19 @@ name: PR Test
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up Python 3.7
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.7
       - name: Install package
@@ -32,9 +35,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install package