jbampton commented on code in PR #2384:
URL: https://github.com/apache/shiro/pull/2384#discussion_r2573119851


##########
.github/workflows/maven.yml:
##########
@@ -79,6 +84,11 @@ jobs:
     runs-on: ${{ matrix.os }}
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: 
step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 
v5.0.0
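Review bot: `egress-policy: audit` on the new harden-runner step only records outbound connections and blocks nothing, so as written this hunk adds visibility but no protection for the Maven build; once a few audit runs show which hosts the build actually needs, switch to `egress-policy: block` with an `allowed-endpoints:` list so that a compromised dependency or action cannot reach arbitrary hosts. Placing the step first in the job and pinning both actions to a full commit SHA with the release in a trailing comment is the right pattern. Note that this workflow pins `actions/checkout` at v5.0.0 while the new dependency-review.yml in the same PR pins v4.3.1; the two should be brought to the same release.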

Review Comment:
   Similar https://github.com/actions/checkout/releases/tag/v6.0.0



##########
.github/workflows/dependency-review.yml:
##########
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a 
Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in 
the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: 
step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # 
v4.3.1
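Review bot: the checkout in this hunk is pinned at v4.3.1 (`actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5`) while maven.yml in the same PR uses v5.0.0; carry one pin across the repository rather than two. `permissions: contents: read` is the correct minimum for this job, and with `on: [pull_request]` the token is read-only for PRs from forks in any case. The dependency-review-action step that the header comment describes lies beyond the visible lines, so its own settings cannot be checked here; if it is configured to post a summary comment it will also need `pull-requests: write`. Two smaller points: the comment "if the workflow run is marked as required, PRs ... will be blocked" depends on branch protection listing this job as a required status check, which is a repository setting this file cannot enforce on its own; and, as in maven.yml, `egress-policy: audit` logs outbound calls without restricting them.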

Review Comment:
   https://github.com/actions/checkout/releases/tag/v6.0.0



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
