[StepSecurity] Apply security best practices

step-security-bot · step-security-bot · commit e3ed17023e4c · 2025-06-19T22:54:41.000Z
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -17,6 +17,9 @@ concurrency:
   group: devskim-${{ github.ref }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: DevSkim
diff --git a/.github/workflows/git-sizer-dispatch.yml b/.github/workflows/git-sizer-dispatch.yml
@@ -13,12 +13,17 @@ jobs:
     name: git-sizer - ${{ github.event.inputs.repo }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Use local git-sizer action
         id: sizer
-        uses: ChrisCarini/github-git-sizer-action@latest
+        uses: ChrisCarini/github-git-sizer-action@09eaa4ae73038a5f0bbdc7e7b964f1bf6114c277 # latest
         with:
           repo: ${{ github.event.inputs.repo }}
           flags: '--threshold=0'
diff --git a/.github/workflows/git-sizer.yml b/.github/workflows/git-sizer.yml
@@ -12,6 +12,11 @@ jobs:
     name: git-sizer - ${{ github.repository }}
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
       - name: Run git-sizer
         id: sizer
         uses: ChrisCarini/github-git-sizer-action@09eaa4ae73038a5f0bbdc7e7b964f1bf6114c277 # latest
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -2,8 +2,14 @@ name: Automatic Rebase
 on:
   issue_comment:
     types: [created]
+permissions:
+  contents: read
+
 jobs:
   rebase:
+    permissions:
+      contents: write  # for cirrus-actions/rebase to push code to rebase
+      pull-requests: read  # for cirrus-actions/rebase to get info about PR
     name: Rebase
     runs-on: ubuntu-latest
     if: >-
diff --git a/.github/workflows/spelling_action.yml b/.github/workflows/spelling_action.yml
@@ -8,6 +8,9 @@ on:
 concurrency:
   group: spellcheck-${{ github.ref }}
   cancel-in-progress: false
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Spellcheck
diff --git a/.github/workflows/summary.yml b/.github/workflows/summary.yml
@@ -4,6 +4,9 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   summary:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trufflehog.yml b/.github/workflows/trufflehog.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   trufflehog:
     runs-on: ubuntu-latest
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -33,3 +33,7 @@ repos:
       - id: check-vcs-permalinks
       # - id: pretty-format-json
       - id: check-docstring-first
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+      - id: RuboCop
