From 0d6b515261e69b53700622a782172087eaa31659 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:07:51 -0400 Subject: [PATCH 01/13] Update step-security/harden-runner --- .github/workflows/code-review.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/int.yml | 2 +- .github/workflows/release.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml index 2315798..4ab137d 100644 --- a/.github/workflows/code-review.yml +++ b/.github/workflows/code-review.yml @@ -11,7 +11,7 @@ jobs: pull-requests: read steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 82a059c..deb1107 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -37,7 +37,7 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit - name: Checkout repository diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index d1813ba..f7f3fbe 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 3a05f81..64ab1f2 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -15,7 +15,7 @@ jobs: contents: read runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit - name: Checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fec7a51..73fae8e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ jobs: contents: write runs-on: ubuntu-22.04 steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: allowed-endpoints: api.github.com:443 From 1ddce6ffdd5d5dbf38aee2147834c565a34b6e11 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:08:48 -0400 Subject: [PATCH 02/13] Update actions/checkout --- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/int.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index deb1107..32982e4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -41,7 +41,7 @@ jobs: with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 64ab1f2..9b6345e 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -19,7 +19,7 @@ jobs: with: egress-policy: audit - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 73fae8e..cb1c043 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: storage.googleapis.com:443 uploads.github.com:443 - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 542388e..8e100d7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 with: From fa4123f911ff13fc6636791fc626d1724e5ad199 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:09:43 -0400 Subject: [PATCH 03/13] Update actions/setup-go --- .github/workflows/int.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 9b6345e..c88c805 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -21,7 +21,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb1c043..bd58cee 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,7 +27,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8e100d7..6d8eec7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -19,7 +19,7 @@ jobs: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 From f4a17d4182e9a4406e163361937332d0e9f239f8 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:11:08 -0400 Subject: [PATCH 04/13] Update github/codeql-action --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/scorecard-analysis.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 32982e4..e39b798 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -45,7 +45,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -70,4 +70,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml index 4bcb2ce..1feb570 100644 --- a/.github/workflows/scorecard-analysis.yml +++ b/.github/workflows/scorecard-analysis.yml 
@@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: sarif_file: results.sarif From 64cedd7e35b5f73129994562f1f131a5d4bc2538 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:15:13 -0400 Subject: [PATCH 05/13] Update codecov/codecov-action --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6d8eec7..a0b3eab 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -36,4 +36,4 @@ jobs: - name: Run coverage run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic - - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 + - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2 From aa25f9438d1ee9a5fe6cbf654d6d3b615bdf5dc6 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:15:43 -0400 Subject: [PATCH 06/13] Update goreleaser/goreleaser-action --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd58cee..5e3d35c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,7 +44,7 @@ jobs: go mod vendor - - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 + - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 with: distribution: goreleaser version: latest From 96237cbb1cb9c2db3ba320fd3b67f6e1135b3835 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 14:16:12 -0400 Subject: [PATCH 07/13] Update aws-actions/configure-aws-credentials --- .github/workflows/int.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index c88c805..cd46b25 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -39,7 +39,7 @@ jobs: - run: sudo go test -v - run: go build -ldflags="-s -w" -o ./agent - name: Configure aws credentials - uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From d5639d8ef1dd25a713bf2fe32cc7e240f3a80377 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:34:35 -0400 Subject: [PATCH 08/13] Remove deprecated ioutil.ReadFile --- config.go | 4 ++-- dnsconfig.go | 3 +-- dnsconfig_test.go | 4 ++-- eventhandler.go | 5 ++--- procmon_linux.go | 3 +-- 5 files changed, 8 insertions(+), 11 deletions(-) diff --git a/config.go b/config.go index d63f1b3..f451ec2 100644 --- a/config.go +++ b/config.go @@ -2,7 +2,7 @@ package main import ( "encoding/json" - "io/ioutil" + "os" "strconv" "strings" @@ -50,7 +50,7 @@ type configFile struct { // init reads the config file for the agent and initializes config settings func (c *config) init(configFilePath string) error { var configFile configFile - data, err := ioutil.ReadFile(configFilePath) + data, err := os.ReadFile(configFilePath) if err != nil { return errors.Wrap(err, "failed to read config file") } diff --git a/dnsconfig.go b/dnsconfig.go index 1c48c74..0de47aa 100644 --- a/dnsconfig.go +++ b/dnsconfig.go @@ -4,7 +4,6 @@ import ( "encoding/json" "fmt" "io" - "io/ioutil" "os" "os/exec" "path" 
@@ -30,7 +29,7 @@ const ( func updateDockerConfig(configPath string) error { - data, err := ioutil.ReadFile(configPath) + data, err := os.ReadFile(configPath) if err != nil && !errors.Is(err, os.ErrNotExist) { return errors.Wrap(err, "failed to read config file") } diff --git a/dnsconfig_test.go b/dnsconfig_test.go index fa134db..67ebdc2 100644 --- a/dnsconfig_test.go +++ b/dnsconfig_test.go @@ -54,7 +54,7 @@ func Test_updateDockerConfig(t *testing.T) { if err := updateDockerConfig(tt.args.configPath); (err != nil) != tt.wantErr { t.Errorf("updateDockerConfig() error = %v, wantErr %v", err, tt.wantErr) } - content, err := ioutil.ReadFile(tt.args.configPath) + content, err := os.ReadFile(tt.args.configPath) if err != nil { log.Fatal(err) } @@ -87,7 +87,7 @@ func Test_writeResolveConfig(t *testing.T) { if err := writeResolveConfig(tt.args.configPath); (err != nil) != tt.wantErr { t.Errorf("writeResolveConfig() error = %v, wantErr %v", err, tt.wantErr) } - content, err := ioutil.ReadFile(tt.args.configPath) + content, err := os.ReadFile(tt.args.configPath) if err != nil { log.Fatal(err) } diff --git a/eventhandler.go b/eventhandler.go index 85bb864..8ab4aaf 100644 --- a/eventhandler.go +++ b/eventhandler.go @@ -5,7 +5,6 @@ import ( "crypto/sha256" "fmt" "io" - "io/ioutil" "net" "os" "path" @@ -153,7 +152,7 @@ func printContainerInfo(pid, ppid string) { } cgroupPath := fmt.Sprintf("/proc/%s/cgroup", pid) - content, err := ioutil.ReadFile(cgroupPath) + content, err := os.ReadFile(cgroupPath) if err != nil { WriteLog(fmt.Sprintf("cgroup not found %v", err)) } else { @@ -213,7 +212,7 @@ func (eventHandler *EventHandler) HandleEvent(event *Event) { } func GetContainerIdByPid(cgroupPath string) string { - content, err := ioutil.ReadFile(cgroupPath) + content, err := os.ReadFile(cgroupPath) if err != nil { // WriteLog(fmt.Sprintf("error reading cgrouppath: %s : %v", cgroupPath, err)) return "" diff --git a/procmon_linux.go b/procmon_linux.go index 297782b..41973b8 100644 
--- a/procmon_linux.go +++ b/procmon_linux.go @@ -6,7 +6,6 @@ package main import ( "fmt" - "io/ioutil" "os" "strings" @@ -177,7 +176,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error { func getParentProcessId(pid string) (int, error) { statPath := fmt.Sprintf("/proc/%s/stat", pid) - dataBytes, err := ioutil.ReadFile(statPath) + dataBytes, err := os.ReadFile(statPath) if err != nil { return -1, err } From 858c79ee254fa79ee2473f9336702a121df78800 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:36:32 -0400 Subject: [PATCH 09/13] Remove deprecated ioutil.TempFile --- dnsconfig_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dnsconfig_test.go b/dnsconfig_test.go index 67ebdc2..ad65b31 100644 --- a/dnsconfig_test.go +++ b/dnsconfig_test.go @@ -10,7 +10,7 @@ import ( ) func createTempFileWithContents(content string) string { - file, err := ioutil.TempFile("", "*.json") + file, err := os.CreateTemp("", "*.json") if err != nil { log.Fatal(err) } From bbf4fbd41b1f973889b3cca49938a3ea614d7295 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:37:08 -0400 Subject: [PATCH 10/13] Remove deprecated ioutil.TempDir --- dnsconfig_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dnsconfig_test.go b/dnsconfig_test.go index ad65b31..929cbbc 100644 --- a/dnsconfig_test.go +++ b/dnsconfig_test.go @@ -1,7 +1,6 @@ package main import ( - "io/ioutil" "log" "os" "path" @@ -28,7 +27,7 @@ func Test_updateDockerConfig(t *testing.T) { configPath string } tmpFileName := createTempFileWithContents("{ \"cgroup-parent\": \"/actions_job\"}") - mockDockerConfigPath, err := ioutil.TempDir("", "") + mockDockerConfigPath, err := os.MkdirTemp("", "") if err != nil { log.Fatal(err) } From c97400239e927bebe2a380f7b02b420e2d3367c0 Mon Sep 17 00:00:00 2001 
From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 17:37:31 -0400 Subject: [PATCH 11/13] Remove deprecated ioutil.ReadAll --- dnsproxy.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dnsproxy.go b/dnsproxy.go index 87d5a38..4e38057 100644 --- a/dnsproxy.go +++ b/dnsproxy.go @@ -3,7 +3,7 @@ package main import ( "encoding/json" "fmt" - "io/ioutil" + "io" "math" "net/http" "strings" @@ -141,7 +141,7 @@ func (proxy *DNSProxy) ResolveDomain(domain string) (*Answer, error) { defer resp.Body.Close() - body, err := ioutil.ReadAll(resp.Body) + body, err := io.ReadAll(resp.Body) if err != nil { return nil, fmt.Errorf("error in response from dns.google %v", err) From b82dcdfcf30e39ed291fe92b214f8fa1459566c4 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 13:51:03 -0400 Subject: [PATCH 12/13] Use env var in run step Because you should not use `${{ ... }}` in a run: step. --- .github/workflows/int.yml | 6 ++++-- .github/workflows/release.yml | 4 +++- .github/workflows/test.yml | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index cd46b25..37d261c 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -26,12 +26,14 @@ jobs: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc - + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc + - name: Create go vendor dir run: | go mod vendor diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5e3d35c..8fbd6ff 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
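Review bot: `io.ReadAll(resp.Body)` in `ResolveDomain` reads the resolver's HTTP response with no size cap, so an oversized or never-ending body is buffered entirely in the agent's memory. Since the line is being touched anyway, bound the read, e.g. `body, err := io.ReadAll(io.LimitReader(resp.Body, maxDNSResponseBytes))`, where `maxDNSResponseBytes` is a placeholder for a constant sized to the largest JSON answer you expect. The hunk does not show whether `resp.StatusCode` is checked before the body is decoded; if it is not, a non-200 reply should be rejected first. The function starts and ends outside the hunk.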
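Review bot: In the `Configure .netrc` step, `$PAT` is expanded inside the printf format string, so a `%` or backslash in the token would be interpreted by printf and the stored password would differ from the secret; pass it as an argument instead: `printf 'machine github.com login stepsecurity-infra-bot password %s\n' "$PAT" >>~/.netrc`. The file is created by `touch` under the default umask, so add `chmod 600 ~/.netrc` before the credential is appended. The guard `[[ ! -e "~/.netrc" ]]` quotes the tilde, which prevents expansion, so it never tests the real file; `[[ ! -e ~/.netrc ]]` is presumably what was meant. The same three points apply to the identical step in the release.yml and test.yml hunks of this patch.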
@@ -32,11 +32,13 @@ jobs: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc - name: Create go vendor dir diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a0b3eab..320736d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,11 +24,13 @@ jobs: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc - name: Create go vendor dir run: | From ab4b110b84313191297dd10a19e697d9074882f6 Mon Sep 17 00:00:00 2001 From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Wed, 16 Apr 2025 13:51:27 -0400 Subject: [PATCH 13/13] Skip jobs on forks --- .github/workflows/int.yml | 1 + .github/workflows/release.yml | 1 + .github/workflows/test.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml index 37d261c..b886fd9 100644 --- a/.github/workflows/int.yml +++ b/.github/workflows/int.yml @@ -11,6 +11,7 @@ env: GOPRIVATE: github.com/step-security jobs: integration-test: + if: github.event.repository.fork == false permissions: contents: read runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8fbd6ff..9b1d275 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ env: GOPRIVATE: github.com/step-security jobs: release: + if: github.event.repository.fork == false permissions: contents: write runs-on: ubuntu-22.04 
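Review bot: `if: github.event.repository.fork == false` only checks whether the repository the workflow runs in is a fork, so a pull request opened from a fork against this repository still passes it, because the event's repository is the base repository. The `on:` triggers are outside the hunk: if int.yml or test.yml run on `pull_request`, those runs receive no `secrets.PAT` and the `.netrc` step writes an empty password, and if any of them runs on `pull_request_target`, the secret would be available to runs triggered from forks. For pull-request triggers, gate on the head repository as well, e.g. `if: github.event.repository.fork == false && github.event.pull_request.head.repo.fork != true`. A one-line comment above the condition saying why the job is skipped (the private-module PAT does not exist in forks) would help the next reader. The same condition is added in the release.yml and test.yml hunks of this patch.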
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 320736d..2b24528 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,6 +12,7 @@ env: jobs: test: + if: github.event.repository.fork == false permissions: contents: read runs-on: ubuntu-latest