From a545e3e17926ee259aac995004f0ebf65508e15a Mon Sep 17 00:00:00 2001
From: David Geary <david@secondbounce.com>
Date: Thu, 15 Aug 2024 17:20:06 +0100
Subject: [PATCH] Improve security of 'create release' workflow

---
 .github/workflows/create-release.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index eb6815c..675dcf6 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -9,6 +9,9 @@ env:
   PREFIX_REGEX: 'build#(.*)'
   IS_PRERELEASE: ${{ !startsWith(github.ref, 'refs/tags/build#') || contains(github.ref, '-') }}
 
+permissions:
+  contents: read
+
 jobs:
   create-release:
     runs-on: ubuntu-latest
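Review bot: The new workflow-level `contents: read` is overridden for the only job on the page, since `create-release` declares its own `permissions` block with `contents: write` (visible as context at the start of the next hunk), so the token this job actually receives is unchanged by the addition. The value of the top-level block is that any job added later defaults to read-only, which is worth stating so nobody reads the block as having tightened this job. I would add above `permissions:` the comment `# Default for jobs that declare no permissions; create-release overrides this with contents: write below`. The `jobs:` mapping continues outside the hunk.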
@@ -18,11 +21,16 @@ jobs:
       contents: write
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+        with:
+          egress-policy: audit
+
       - name: Check out source code
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
           cache: 'npm'
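Review bot: `egress-policy: audit` on the new Harden runner step only records outbound connections; it does not stop any of them, so the step adds visibility but not enforcement, and a reader may assume otherwise from the step name. If audit mode is a deliberate first pass to learn the baseline, that intent should be recorded next to the setting, e.g. `# audit only: logs egress without blocking; move to egress-policy: block with allowed-endpoints once the baseline is known`, and a follow-up to switch modes tracked. The SHA pins with version comments on checkout and setup-node are good; the `with:` block of the setup-node step may continue past the end of the hunk.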
@@ -32,7 +40,7 @@ jobs:
 
       - name: Get current tag
         id: get-tag
-        uses: devops-actions/action-get-tag@v1.0.3
+        uses: devops-actions/action-get-tag@19f393df16cb09284484fb49bf678004bf50896a # v1.0.3
         with:
           strip_v: false
 
@@ -51,18 +59,18 @@ jobs:
           echo "version=$rctag" >> "$GITHUB_OUTPUT"
 
       - name: Update package version to ${{ steps.get-version.outputs.version }}
-        uses: BellCubeDev/update-package-version-by-release-tag@v2
+        uses: BellCubeDev/update-package-version-by-release-tag@1f8aff46e596cd4f81166e8e437e5a117cab20bc # v2
         with:
           version: ${{ steps.get-version.outputs.version }}
 
       - name: Update library package version to ${{ steps.get-version.outputs.version }}
-        uses: BellCubeDev/update-package-version-by-release-tag@v2
+        uses: BellCubeDev/update-package-version-by-release-tag@1f8aff46e596cd4f81166e8e437e5a117cab20bc # v2
         with:
           version: ${{ steps.get-version.outputs.version }}
           package-json-path: './projects/log4ngx/package.json'
 
       - name: Commit updated package
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5.0.1
         with:
           commit_message: NPM package version updated to ${{ steps.get-version.outputs.version }}
           branch: main
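Review bot: The pin comment `# v2` on both `update-package-version-by-release-tag` lines names a floating major tag rather than the exact release the SHA resolves to, unlike the other pins in this patch (`# v4.1.7`, `# v5.0.1`), so a reader cannot tell which release is pinned and the pin-update tooling that reads these comments cannot track it. I would replace it on both lines with the exact tag the commit corresponds to, e.g. `# <exact-tag-for-1f8aff4>` (placeholder; take the tag from the upstream repository). Everything else in the hunk is a SHA pin; the surrounding job continues outside the hunk.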
@@ -82,7 +90,7 @@ jobs:
 
       - name: Create draft Github pre-release for ${{ steps.get-version.outputs.version }} (${{ env.IS_PRERELEASE }})
         if: env.IS_PRERELEASE == 'true'
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           name: ${{ steps.get-version.outputs.version }}
           tag_name: ${{ steps.get-version.outputs.version }}
@@ -91,7 +99,7 @@ jobs:
 
       - name: Create draft Github release for ${{ steps.get-version.outputs.version }} (!${{ env.IS_PRERELEASE }})
         if: env.IS_PRERELEASE == 'false'
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           name: ${{ steps.get-version.outputs.version }}
           tag_name: ${{ steps.get-version.outputs.version }}