[StepSecurity] Apply security best practices

.github/workflows/build.yaml

@@ -3,6 +3,9 @@ name: Build
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
@@ -16,6 +19,11 @@ jobs:
       CGO_ENABLED: 0
       TAG: ${{ github.ref_name }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
         with:

.github/workflows/clean-cache.yaml

@@ -13,6 +13,11 @@ jobs:
   cleanup:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Cleanup
         run: |
           echo "Fetching list of cache keys"

.github/workflows/lint-gh-actions.yaml

@@ -15,6 +15,11 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
 

.github/workflows/lint.yaml

@@ -14,6 +14,11 @@ jobs:
     name: Run Linter
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
         with:

.github/workflows/pull-request.yaml

@@ -10,6 +10,9 @@ on:
       - go.sum
       - main.go
 
+permissions:
+  contents: read
+
 jobs:
   Lint:
     uses: ./.github/workflows/lint.yaml

.github/workflows/release-prod.yaml

@@ -7,6 +7,9 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "**/v[0-9]+.[0-9]+.[0-9]+"
 
+permissions:
+  contents: read
+
 jobs:
   Lint:
     uses: ./.github/workflows/lint.yaml

.github/workflows/security.yaml

@@ -26,6 +26,11 @@ jobs:
     name: Golang Security Checker
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Run Gosec Security Scanner
@@ -42,6 +47,11 @@ jobs:
     name: govulncheck
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - id: govulncheck
         uses: nicholas-fedor/govulncheck-action@b438bbbcb5a07abf8d322c367da4a3d45f99e183
         with:

.github/workflows/test.yaml

@@ -20,6 +20,11 @@ jobs:
           - windows-latest
           - ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
         with:

.github/workflows/update-go-docs.yaml

@@ -11,5 +11,10 @@ jobs:
     name: Refresh pkg.go.dev
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          egress-policy: audit
+
       - name: Pull new module version
         uses: nicholas-fedor/go-proxy-pull-action@66b03fb08ba765cb8fc0937ad13bf7a5f703163c