diff --git a/.github/workflows/chatacter.yml b/.github/workflows/chatacter.yml
index 8d8dc50e..c7c3a4f9 100644
--- a/.github/workflows/chatacter.yml
+++ b/.github/workflows/chatacter.yml
@@ -7,15 +7,20 @@ jobs:
 Documentation:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v5.0.0
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Set up UV
- uses: astral-sh/setup-uv@v7.1.2
+ uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
 with:
 enable-cache: true
 cache-dependency-glob: "uv.lock"
 - name: Set up Python
- uses: actions/setup-python@v6.0.0
+ uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 with:
 python-version-file: ".python-version"
 - name: Install the project
@@ -25,11 +30,16 @@ jobs:
 SonarCloud:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5.0.0
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
 - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@v5.0.0
+ uses: SonarSource/sonarcloud-github-action@ffc3010689be73b8e5ae0c57ce35968afd7909e8 # v5.0.0
 env:
 GITHUB_TOKEN: ${{ secrets.TOKEN_GITHUB }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
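Review bot: `egress-policy: audit` on the new harden-runner step in the Documentation job only records outbound connections and blocks nothing, so the step adds visibility but no enforcement. Once a few runs have produced the list of destinations the job legitimately needs, switch to `egress-policy: block` with an `allowed-endpoints:` list so unexpected egress from the checkout, uv and Python setup steps is refused rather than logged. The identical step added to the SonarCloud job in the second hunk needs the same follow-up. The Documentation job continues past the hunk's last line, so its later steps are not visible here.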
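Review bot: The scan step still receives `GITHUB_TOKEN: ${{ secrets.TOKEN_GITHUB }}` (unchanged context at the end of this hunk), which by its name looks like a stored personal access token rather than the automatic job token; this should be confirmed. A stored token is long-lived and is not constrained by a `permissions:` block, so pinning the action by SHA narrows the exposure of that credential but does not remove it. If the scan only needs to read the repository and annotate pull requests, consider `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` together with a job-level `permissions:` limited to what the scan uses. The workflow header is outside the hunk, so a workflow-level `permissions:` block may already exist.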