Pinned the cherry-pick actions to a specific commit SHA and added the…

… Harden runner step PiperOrigin-RevId: 563349849 Change-Id: If71a0c197799f1483a50471a7971c5c244acc926
echoOfqi · Sep 7, 2023 · f83cc93 · f83cc93
1 parent fe53451
commit f83cc93
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/.github/workflows/cherry-picker-on-close.yml b/.github/workflows/cherry-picker-on-close.yml
@@ -12,8 +12,12 @@ jobs:
     if: github.event.sender.login == 'copybara-service[bot]'
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+        with:
+          egress-policy: audit
       - name: Run cherrypicker on close
-        uses: bazelbuild/continuous-integration/actions/cherry-picker@master
+        uses: bazelbuild/continuous-integration/actions/cherry-picker@8e5a455aae36cdcce8604ab298ace487825239b2
         with:
           triggered-on: closed
           pr-number: ${{ github.event.number }}

diff --git a/.github/workflows/cherry-picker-on-comment.yml b/.github/workflows/cherry-picker-on-comment.yml
@@ -12,8 +12,12 @@ jobs:
     if: startsWith(github.event.issue.body, 'Forked from')
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3
+        with:
+          egress-policy: audit
       - name: Run cherrypicker on comment
-        uses: bazelbuild/continuous-integration/actions/cherry-picker@master
+        uses: bazelbuild/continuous-integration/actions/cherry-picker@8e5a455aae36cdcce8604ab298ace487825239b2
         with:
           triggered-on: commented
           pr-number: ${{ github.event.issue.body }}