[StepSecurity] Apply security best practices

.github/workflows/ccip-integration-test.yml

@@ -14,8 +14,13 @@ jobs:
     outputs:
       e2e_should_run: ${{ steps.changes.outputs.e2e_should_run }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           persist-credentials: false
       - name: Detect changes
@@ -80,8 +85,13 @@ jobs:
     name: Integration Tests (${{ matrix.type.name }})
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the chainlink-ccip repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Determine Go version
         id: go_version
         run: echo "GO_VERSION=$(cat go.mod |grep "^go"|cut -d' ' -f 2)" >> $GITHUB_ENV
@@ -93,7 +103,7 @@ jobs:
         run: go version
       - name: Fetch latest pull request data
         id: fetch_pr_data
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         # only run this step if the event is a pull request or merge_group
         if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
         with:
@@ -167,7 +177,7 @@ jobs:
             echo "::set-output name=ref::$default"
           fi
       - name: Clone Chainlink repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           repository: smartcontractkit/chainlink
           ref: ${{ steps.get_chainlink_sha.outputs.ref }}
@@ -225,6 +235,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [integration-test-matrix]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Fail the job if ccip tests in PR not successful
         if: always() && needs.integration-test-matrix.result == 'failure'
         run: exit 1

.github/workflows/ccip-ocr3-build-lint-test.yml

@@ -14,8 +14,13 @@ jobs:
       run:
         working-directory: .
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
       - name: Determine Go version
@@ -58,7 +63,7 @@ jobs:
           total=$(go tool cover -func=coverage_target.out | grep total | awk '{print $3}')
           echo "coverage_target=$total" >> $GITHUB_ENV
       - name: Remove previous coverage comments
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         if: github.event_name == 'pull_request'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -80,7 +85,7 @@ jobs:
               }
             }
       - name: Display coverage in PR comment
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         if: github.event_name == 'pull_request'
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codegen.yml

@@ -8,14 +8,22 @@ on:
     branches:
       - 'main'
 
+permissions:
+  contents: read
+
 jobs:
   codegen-verifier:
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: .
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Determine Go version
         id: go_version
         run: echo "GO_VERSION=$(cat go.mod |grep "^go"|cut -d' ' -f 2)" >> $GITHUB_ENV

.github/workflows/idl-compatibility-check.yml

@@ -14,21 +14,29 @@ on:
       - "chains/solana/contracts/target/idl/rmn_remote.json"
     types: [opened, synchronize, reopened, labeled, unlabeled]
 
+permissions:
+  contents: read
+
 jobs:
   check-idl-changes:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
       contents: read
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
 
       - name: Check for bypass label
         id: check-bypass
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const { data: labels } = await github.rest.issues.listLabelsOnIssue({
@@ -62,7 +70,7 @@ jobs:
 
       - name: Comment on PR
         if: steps.check-bypass.outputs.result != 'true'
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const changedFiles = `${{ steps.changed-files.outputs.files }}`.trim().split(' ').filter(Boolean);

.github/workflows/solana-verified-build.yml

@@ -18,8 +18,13 @@ jobs:
     outputs:
       solana_changes: ${{ steps.changes.outputs.solana_changes }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           persist-credentials: false
       - name: Detect changes
@@ -37,7 +42,12 @@ jobs:
     if: ${{ needs.changes.outputs.solana_changes == 'true' }}
     runs-on: ubuntu-latest-8cores-32GB
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         fetch-depth: 0
     - name: Get Long and Short SHAs
@@ -46,7 +56,7 @@ jobs:
         FULL_SHA=$(git rev-parse ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.sha || github.sha }})
         echo "short_sha=${FULL_SHA:0:12}" >> $GITHUB_OUTPUT
         echo "full_sha=$FULL_SHA" >> $GITHUB_OUTPUT
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       with:
         ref: ${{ steps.get_sha.outputs.full_sha }}
         fetch-depth: 0
@@ -56,7 +66,7 @@ jobs:
         cargo install solana-verify@0.4.6
     - name: Cache cargo target dir
       id: cache-target
-      uses: actions/cache@v4 # v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: chains/solana/contracts/target/deploy/*.so
         key: ${{ runner.os }}-solana-contract-verified-${{ hashFiles('chains/solana/contracts/**/*.rs', 'chains/solana/contracts/**/Cargo.lock') }}

.github/workflows/solana.yml

@@ -14,15 +14,26 @@ defaults:
   run:
     working-directory: ./chains/solana
 
+permissions:
+  contents: read
+
 jobs:
   changes:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     name: Detect changes
     runs-on: ubuntu-latest
     outputs:
       solana_changes: ${{ steps.changes.outputs.solana_changes }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           persist-credentials: false
       - name: Detect changes
@@ -43,8 +54,13 @@ jobs:
     outputs:
       anchor_version: ${{ steps.anchorversion.outputs.anchor }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
       - name: Checkout the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Get Anchor Version
         id: anchorversion
         run: |
@@ -57,7 +73,12 @@ jobs:
     name: cache build artifacts
     runs-on: ubuntu-latest-8cores-32GB
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
     - name: cache docker build image
       id: cache-image
       uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
@@ -95,7 +116,12 @@ jobs:
     name: rust tests
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
     - name: Cache cargo target dir
       uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       with:
@@ -131,7 +157,12 @@ jobs:
     name: go tests
     runs-on: ubuntu-latest-8cores-32GB
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Cache cargo target dir
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
@@ -178,7 +209,12 @@ jobs:
     name: lint + check artifacts
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
       - name: Cache cargo target dir
         uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with: