Skip to content

Consider running Step Security on your repo #2035

New issue
New issue
Open
Open
Consider running Step Security on your repo#2035
Labels
Build IssueIssues related to build or environment problems on any platform.good first issueStandard label for new developers to locate good issues to tackle to learn about OCIO development.help wantedIssues that the TSC has decided are worth implementing, but don't currently have the dev resources.
@cary-ilm

Description

@cary-ilm
cary-ilm
opened on Sep 2, 2024

StepSecurity automatically generates a pull request that adds several hardening measures to your repo. Run it here.

By default, the process will create one composite PR that makes multiple changes. I recommend running it several times to create separate PRs for each feature.

The changes it makes include:

  1. dependabot - registers the repo with a GitHub service that subsequently submits PRs to upgrade to new releases of workflow actions. An example OpenEXR PR is here.
  2. Set workflow permissions to read at the top level, and enable write permissions only on the steps that require it.
  3. Pin workflow releases to explicit SHA values rather than named releases.
  4. Adds a "Harden Runner" step that monitors CI jobs, although note that this does not work with the current release of the ASWF images, don't enable this for any workflow that uses the prebuilt images.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Build IssueIssues related to build or environment problems on any platform.good first issueStandard label for new developers to locate good issues to tackle to learn about OCIO development.help wantedIssues that the TSC has decided are worth implementing, but don't currently have the dev resources.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions