[StepSecurity] Apply security best practices

.github/workflows/changelog-for-all.yml

@@ -18,8 +18,13 @@ jobs:
       matrix:  ${{steps.json.outputs.JSON_CONTENT}}
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Checkout"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/os
           fetch-depth: 0
@@ -52,6 +57,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "URL=${{ matrix.source }} Branch=${{ matrix.branch }} SHA=${{ matrix.sha1 }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -118,7 +128,7 @@ jobs:
               fi
 
       - name: Upload resoults
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ matrix.sha1 }}
           path: artifact
@@ -130,25 +140,30 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "merged"
-        uses: actions/upload-artifact/merge@v7
+        uses: actions/upload-artifact/merge@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           delete-merged: true
 
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: merged-artifacts
 
       - name: Display structure of downloaded files
         run: find -name "*.txt" -exec cat {} \; | sort >> $GITHUB_STEP_SUMMARY
 
-      - uses: geekyeggo/delete-artifact@v6
+      - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0
         with:
           name: merged-artifacts
           failOnError: false
 
       - name: "Checkout OS repository to get latest tag"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/os
           fetch-depth: 0
@@ -181,7 +196,7 @@ jobs:
             ## What's was changed in past week?" > body.html
             find -name "*.txt" -exec cat {} \; >> body.html
 
-      - uses: ncipollo/release-action@v1
+      - uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           owner: 'armbian'
           repo: 'build'

.github/workflows/cleanup.yaml

@@ -15,8 +15,13 @@ jobs:
     outputs:
       matrix:  ${{steps.json.outputs.JSON_CONTENT}}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Checkout Armbian build Framework"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/build
           ref: ${{ inputs.ref || inputs.branch || 'main' }}
@@ -53,5 +58,10 @@ jobs:
     steps:
 
       # Cleaning self hosted runners
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Runner clean
-        uses: armbian/actions/runner-clean@main
+        uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main

.github/workflows/complete-artifact-one-by-one.yml

@@ -382,7 +382,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-      - uses: armbian/build@v26.2.1
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - uses: armbian/build@efb4c684c67cde3b2ba484a5b9e1bb1ab3d7eee6 # v26.2.1
         with:
           armbian_token:              "${{secrets.GITHUB_TOKEN}}"
           armbian_target:             "${{inputs.armbian_target}}"

.github/workflows/delete-old-releases.yml

@@ -9,6 +9,11 @@ jobs:
   clean_releases:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Delete old releases
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/download-update.yml

@@ -25,8 +25,13 @@ jobs:
     runs-on: [Linux, X64]
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Check membership"
-        uses: armbian/actions/team-check@main
+        uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main
         with:
           ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -40,6 +45,11 @@ jobs:
     runs-on: [Linux, X64]
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Get primary mirrors from database
         id: json
         run: |
@@ -66,8 +76,13 @@ jobs:
 
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Install SSH key
-        uses: shimataro/ssh-key-action@v2
+        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
         with:
           key: ${{ secrets.KEY_UPLOAD }}
           known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }}
@@ -92,6 +107,11 @@ jobs:
     needs: Sync
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Cleaning
         run: |
           [[ "${{ inputs.PURGE }}" == yes ]] && rm -rf /storage/incoming/* || true
@@ -103,23 +123,28 @@ jobs:
     runs-on: [Linux, X64]
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Run webindex update action"
-        uses: peter-evans/repository-dispatch@v4
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.DISPATCH }}
           repository: armbian/os
           event-type: "Webindex update"
 
       - name: "Run redirector update action"
-        uses: peter-evans/repository-dispatch@v4
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.DISPATCH }}
           repository: armbian/os
           event-type: "Redirector update"
 
 #
 #      - name: Repository Dispatch
-#        uses: peter-evans/repository-dispatch@v4
+#        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
 #        with:
 #          token: ${{ secrets.DISPATCH }}
 #          repository: 'armbian/os'

.github/workflows/enable-hetzner-runners.yml

@@ -56,8 +56,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+      with:
+        egress-policy: audit
+
     - name: "Check membership"
-      uses: armbian/actions/team-check@main
+      uses: armbian/actions/team-check@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main
       with:
         ORG_MEMBERS: ${{ secrets.ORG_MEMBERS }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -71,6 +76,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Delete dangling cloud runners"
         run: |
           for runner in $(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/armbian/os/actions/runners | jq -r '.runners[] | .id'); do
@@ -96,9 +106,14 @@ jobs:
         node: ${{fromJson(needs.Prepare.outputs.matrix)}}
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Enable Hetzner Virtual Machines
         if: ${{ github.repository_owner == 'Armbian' }}
-        uses: armbian/actions/hetzner@1.1
+        uses: armbian/actions/hetzner@32bfbca43f8b93262beb93a2e000c5f22e3d37c5 # 1.1
         with:
           action-type: enable
           machine-type: "${{ github.event.inputs.machine || 'cax31' }}"
@@ -116,6 +131,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Sleeping "${{ github.event.inputs.period }}"
         run: sleep "${{ github.event.inputs.period || '110m' }}"
 
@@ -126,9 +146,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Enable Hetzner Virtual Machines
         if: ${{ always() && github.repository_owner == 'Armbian' }}
-        uses: armbian/actions/hetzner@1.1
+        uses: armbian/actions/hetzner@32bfbca43f8b93262beb93a2e000c5f22e3d37c5 # 1.1
         with:
           action-type: disable
           machine-type: "${{ github.event.inputs.machine || 'cax21' }}"

.github/workflows/external.yml

@@ -14,7 +14,12 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 3
     steps:
-      - uses: styfle/cancel-workflow-action@0.13.1
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - uses: styfle/cancel-workflow-action@d07a454dad7609a92316b57b23c9ccfd4f59af66 # 0.13.1
         if: ${{ github.event.schedule == '' }}
         with:
           all_but_latest: true

.github/workflows/full-distro-build-and-test.yml

@@ -17,8 +17,13 @@ jobs:
     outputs:
       matrix:  ${{steps.json.outputs.JSON_CONTENT}}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: "Checkout Armbian build Framework"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/build
           ref: ${{ inputs.ref || inputs.branch || 'main' }}
@@ -27,7 +32,7 @@ jobs:
           path: build
 
       - name: "Install SSH key"
-        uses: shimataro/ssh-key-action@v2
+        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
         with:
           key: ${{ secrets.KEY_UPLOAD }}
           known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }}
@@ -67,19 +72,24 @@ jobs:
     steps:
 
       # Cleaning self hosted runners
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
       - name: Runner clean
-        uses: armbian/actions/runner-clean@main
+        uses: armbian/actions/runner-clean@2fa6c514d602b291fdc4dac1081fe4610ee0b376 # main
 
       # Login to ghcr.io, for later uploading rootfs to ghcr.io
       - name: Docker Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: "${{ github.repository_owner }}" # GitHub username or org
           password: "${{ secrets.GITHUB_TOKEN }}"    # GitHub actions builtin token. repo has to have pkg access.
 
       - name: "Install SSH key"
-        uses: shimataro/ssh-key-action@v2
+        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
         with:
           key: ${{ secrets.KEY_UPLOAD }}
           known_hosts: ${{ secrets.KNOWN_HOSTS_ARMBIAN_UPLOAD }}
@@ -97,7 +107,7 @@ jobs:
 
       # clone the build system repo (`armbian/build`)
       - name: Checkout build repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/build
           ref: ${{ inputs.ref || inputs.branch || 'main' }}
@@ -107,7 +117,7 @@ jobs:
 
       # clone the userpatches repo (`armbian/os`)
       - name: "Checkout userpatches repo"
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: armbian/os
           fetch-depth: 0

.github/workflows/labeler.yml

@@ -12,7 +12,12 @@ jobs:
       pull-requests: write  # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
-    - uses: actions/labeler@v6
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"