From 0bd5c82ca8d6844661c158f78c8b773246fe6448 Mon Sep 17 00:00:00 2001
From: "Louise K. Schmidtgen"
Date: Wed, 22 May 2024 11:40:06 +0200
Subject: [PATCH] Harden CI follow up (#437)
* more CI hardening
* cleanup testing bits
---
 .github/workflows/strict-integration.yaml | 7 +++++++
 .github/workflows/strict.yaml | 8 ++++++++
 .github/workflows/update-components.yaml | 10 ++++++++++
 3 files changed, 25 insertions(+)
diff --git a/.github/workflows/strict-integration.yaml b/.github/workflows/strict-integration.yaml
index 183ad962a..b424e6076 100644
--- a/.github/workflows/strict-integration.yaml
+++ b/.github/workflows/strict-integration.yaml
@@ -8,11 +8,18 @@ on:
 - 'autoupdate/sync/**'
 pull_request:
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
 runs-on: ubuntu-20.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - name: Checking out repo
 uses: actions/checkout@v4
 - name: Install lxd
diff --git a/.github/workflows/strict.yaml b/.github/workflows/strict.yaml
index 665f7d956..b112508d6 100644
--- a/.github/workflows/strict.yaml
+++ b/.github/workflows/strict.yaml
@@ -16,6 +16,10 @@ jobs:
 outputs:
 strict: ${{ steps.determine.outputs.strict }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - name: Determine Strict branch
 id: determine
 env:
@@ -37,6 +41,10 @@ jobs:
 needs: [ prepare ]
 if: ${{ needs.prepare.outputs.strict }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - name: Sync ${{ github.ref }} to ${{ needs.prepare.outputs.strict }}
 uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/update-components.yaml b/.github/workflows/update-components.yaml
index dc322947c..e46bd55df 100644
--- a/.github/workflows/update-components.yaml
+++ b/.github/workflows/update-components.yaml
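Review bot: The new Harden Runner step in the strict-integration build job references `step-security/harden-runner@v2`, a mutable tag, so the protection this commit adds resolves to whatever that tag points at when the job runs; the same reference is added in both strict.yaml hunks and in the update-components steps hunk. For a third-party action introduced by a CI-hardening change, pinning to the full-length commit SHA with the version kept as a trailing comment is the stronger form, e.g. `uses: step-security/harden-runner@<full-commit-sha>  # v2` (SHA placeholder, to be taken from the action's release). `egress-policy: audit` only records outbound connections and blocks nothing, so once the audit output has been reviewed the enforcing configuration is `egress-policy: block` with an `allowed-endpoints` list. The enclosing `steps:` lists continue outside each hunk.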
@@ -5,8 +5,14 @@ on:
 schedule:
 - cron: "0 10 * * *"
+permissions:
+ contents: read
+
 jobs:
 update:
+ permissions:
+ contents: write # for peter-evans/create-pull-request to create branch
+ pull-requests: write # for peter-evans/create-pull-request to create a PR
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -18,6 +24,10 @@ jobs:
 - release-1.30
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - name: Checking out repo
 uses: actions/checkout@v4
 with:
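Review bot: The job-level `permissions:` block added under `update:` grants `contents: write` and `pull-requests: write` to every step of the job, including the checkout and any third-party action, not only to the create-pull-request step the two trailing comments justify it for. `actions/checkout@v4` persists the job token into the checked-out repository's git config by default, so unless a later step depends on that, `persist-credentials: false` under the checkout's `with:` (whose body lies outside the second hunk) keeps the write-capable token out of the workspace; if create-pull-request is given its token through its own input it should not need the persisted credentials, which is worth confirming against the rest of the job. The `update` job's step list continues beyond the hunks shown.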