From 88329cd2a39a0eac93cfd4a289ae0b1773f5980a Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Thu, 30 Oct 2025 17:42:39 +0000 Subject: [PATCH 1/2] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/recibo_python_test.yaml | 9 +++++++-- .github/workflows/recibo_test.yaml | 9 +++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/.github/workflows/recibo_python_test.yaml b/.github/workflows/recibo_python_test.yaml index d1b52dc..9b2b596 100644 --- a/.github/workflows/recibo_python_test.yaml +++ b/.github/workflows/recibo_python_test.yaml @@ -32,15 +32,20 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Update submodules run: git submodule update --init --recursive shell: bash - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: nightly diff --git a/.github/workflows/recibo_test.yaml b/.github/workflows/recibo_test.yaml index d36f647..0efe8d9 100644 --- a/.github/workflows/recibo_test.yaml +++ b/.github/workflows/recibo_test.yaml @@ -31,15 +31,20 @@ jobs: run_recibo_tests: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + with: + egress-policy: audit + - name: Check out repository code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Update submodules run: git submodule update --init --recursive shell: bash - name: Install Foundry - uses: foundry-rs/foundry-toolchain@v1 + uses: foundry-rs/foundry-toolchain@50d5a8956f2e319df19e6b57539d7e2acb9f8c1e # v1.5.0 with: version: nightly From 5219699d9c6ae6fe58255a4a6c054f596028c1bd Mon Sep 17 00:00:00 2001 From: Ali Kafel Date: Thu, 6 Nov 2025 12:00:40 -0500 Subject: [PATCH 2/2] add --- .github/workflows/recibo_python_test.yaml | 10 ++++++---- .github/workflows/recibo_test.yaml | 9 ++++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/recibo_python_test.yaml b/.github/workflows/recibo_python_test.yaml index 9b2b596..ad88e3a 100644 --- a/.github/workflows/recibo_python_test.yaml +++ b/.github/workflows/recibo_python_test.yaml @@ -30,12 +30,14 @@ env: jobs: run_recibo_tests: runs-on: ubuntu-latest - + permissions: + id-token: write steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Check out repository code uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 diff --git a/.github/workflows/recibo_test.yaml b/.github/workflows/recibo_test.yaml index 0efe8d9..4f70639 100644 --- a/.github/workflows/recibo_test.yaml +++ b/.github/workflows/recibo_test.yaml @@ -30,11 +30,14 @@ env: jobs: run_recibo_tests: runs-on: ubuntu-latest + permissions: + id-token: write steps: - - name: Harden the runner (Audit all outbound calls) - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - name: Harden the runner + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: - egress-policy: audit + egress-policy: block + policy: global-allowed-endpoints-policy - name: Check out repository code uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0