StepSecurity automatically generates a pull request that adds several hardening measures to your repo. Run it here.
By default, the process will create one composite PR that makes multiple changes. I recommend running it several times to create separate PRs for each feature.
The changes it makes include:
dependabot - registers the repo with a GitHub service that subsequently submits PRs to upgrade to new releases of workflow actions. An example OpenEXR PR is here.
Set workflow permissions to read at the top level, and enable write permissions only on the steps that require it.
Pin workflow releases to explicit SHA values rather than named releases.
Adds a "Harden Runner" step that monitors CI jobs, although note that this does not work with the current release of the ASWF images, don't enable this for any workflow that uses the prebuilt images.
StepSecurity automatically generates a pull request that adds several hardening measures to your repo. Run it here.
By default, the process will create one composite PR that makes multiple changes. I recommend running it several times to create separate PRs for each feature.
The changes it makes include: