From 06a03e0e2120aad1e291dadc1e85bfa71aee3c05 Mon Sep 17 00:00:00 2001 From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 15:11:07 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/publish.yml | 14 +++++++++++--- .pre-commit-config.yaml | 9 +++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 177e20b..014ddae 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,6 +3,9 @@ name: Build & Publish on: workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -10,11 +13,16 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v3 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 with: python-version: '3.8' - name: Install and Upgrade pip @@ -30,7 +38,7 @@ jobs: - name: package egg run: python setup.py bdist_egg - name: Deploy to PyPI - uses: pypa/gh-action-pypi-publish@master + uses: pypa/gh-action-pypi-publish@c1b34028248d0c9f7d90fe29fef2122e2276ff6f # master with: user: __token__ password: ${{ secrets.PYPI_DEPLOY_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..e788a3e --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,9 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer