aerospike · stepsecurity-app · Dec 2, 2025
diff --git a/.github/workflows/acknowledge.yaml b/.github/workflows/acknowledge.yaml
@@ -28,9 +28,14 @@ jobs:
   confirm-release:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Set up JFrog credentials l
         id: setup-jfrog-cli
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
         env:
           JF_URL: ${{ inputs.jfrog-platform-url }}
           JF_PROJECT: clients

diff --git a/.github/workflows/aggregate-build.yaml b/.github/workflows/aggregate-build.yaml
@@ -29,15 +29,20 @@ jobs:
   build:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}
 
       - name: Set up JFrog credentials l
         id: setup-jfrog-cli
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
         env:
           JF_URL: ${{ inputs.jfrog-platform-url }}
           JF_PROJECT: clients

diff --git a/.github/workflows/aggregated-release-build.yaml b/.github/workflows/aggregated-release-build.yaml
@@ -24,9 +24,14 @@ jobs:
   build:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Set up JFrog credentials l
         id: setup-jfrog-cli
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
         env:
           JF_URL: ${{ inputs.jfrog-platform-url }}
           JF_PROJECT: clients

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -36,12 +36,17 @@ jobs:
   build:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
-      - uses: actions/checkout@v4       # brings versions.json into the workspace
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: ${{ vars.JAVA_PROVIDER }} # See 'Supported distributions' for available options
           java-version: ${{ inputs.java-version }}

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -31,12 +31,17 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +55,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -63,4 +68,4 @@ jobs:
     #   ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
diff --git a/.github/workflows/promote.yaml b/.github/workflows/promote.yaml
@@ -38,6 +38,11 @@ jobs:
       artifact-version: ${{ steps.get-artifact-version.outputs.artifact-version }}
       release-notes: ${{ steps.get-release-notes.outputs.release-notes }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Debug step
         run: |
           echo "build-number: ${{ inputs.build-number }}"
@@ -48,7 +53,7 @@ jobs:
 
       # Setting up jfrog cli
       - name: Setup jfrog shell
-        uses: jfrog/setup-jfrog-cli@v4
+        uses: jfrog/setup-jfrog-cli@5b06f730cc5a6f55d78b30753f8583454b08c0aa # v4.8.1
         env:
           JF_URL: ${{ vars.JFROG_PLATFORM_URL }}
           JF_PROJECT: clients
@@ -58,7 +63,7 @@ jobs:
 
       # Needed since we are using actions which are part of the repository
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           # Fetch the whole history to prevent unrelated history errors
           fetch-depth: "0"
@@ -149,7 +154,7 @@ jobs:
 
       # Adding commit message for promotion
       - name: Add tagging message
-        uses: stefanzweifel/git-auto-commit-action@v4
+        uses: step-security/git-auto-commit-action@e2d505468267a3cb406af729d48d664de1f16393 # v6.0.2
         with:
           commit_message: "Promote to prod [skip ci]"
           commit_author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@@ -195,8 +200,13 @@ jobs:
         artifact-version: ${{ fromJson(needs.promote.outputs.artifact-version) }}
     steps:
       # Needed since we are using actions which are part of the repository
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.target-branch }}
           token: ${{ secrets.CLIENT_BOT_PAT }}
@@ -235,8 +245,13 @@ jobs:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     needs: [promote, publish-release-sonatype]
     steps: 
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.target-branch }}
           token: ${{ secrets.CLIENT_BOT_PAT }}

diff --git a/.github/workflows/pull-request-open.yaml b/.github/workflows/pull-request-open.yaml
@@ -27,7 +27,12 @@ jobs:
       input-matrix: ${{ steps.create-server-matrix.outputs.input-matrix }}
       java-version: ${{ steps.get-java-version.outputs.java-version }}
     steps:
-      - uses: actions/checkout@v4       # brings versions.json into the workspace
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
 

diff --git a/.github/workflows/release-backport-version.yaml b/.github/workflows/release-backport-version.yaml
@@ -18,8 +18,13 @@ jobs:
       java-version: ${{ steps.get-java-version.outputs.java-version }}
       release-version: ${{ steps.get-release-version.outputs.release-version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout client
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           repository: citrusleaf/release 
           token: ${{ secrets.CLIENT_BOT_PAT }}
@@ -28,7 +33,7 @@ jobs:
           ref: legacy-ci-backport
 
       - name: Checkout client
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           path: client-java
           fetch-depth: 0
@@ -41,7 +46,7 @@ jobs:
           echo java-version="$(grep '<java.version>' pom.xml | sed -e 's/<[^>]*>//g' | awk '{$1=$1};1' | sed 's/^1\.8$/8/')"  >> $GITHUB_OUTPUT
 
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: ${{ vars.JAVA_PROVIDER }} # See 'Supported distributions' for available options
           java-version: ${{ steps.get-java-version.outputs.java-version }}

diff --git a/.github/workflows/release-stage.yaml b/.github/workflows/release-stage.yaml
@@ -12,6 +12,11 @@ jobs:
   debug-job:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: debug
         run: |
           echo "${{ inputs.ref }}"
@@ -25,8 +30,13 @@ jobs:
       is-snapshot: ${{ steps.get-is-snapshot.outputs.is-snapshot }}
       release-version: ${{ steps.get-release-version.outputs.release-version }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout client
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -31,8 +31,13 @@ jobs:
   build:
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           ref: ${{ inputs.ref }}
@@ -45,7 +50,7 @@ jobs:
       # Java plugin will setup gpg but we are not using maven to deploy do JFrog.
       # - jf mvn clean install on publish does not publish POM we would like to publish
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "semeru"
           java-version: ${{ inputs.java-version }}

diff --git a/.github/workflows/test-branch-runner.yaml b/.github/workflows/test-branch-runner.yaml
@@ -16,7 +16,12 @@ jobs:
       input-matrix: ${{ steps.create-server-matrix.outputs.input-matrix }}
       java-version: ${{ steps.get-java-version.outputs.java-version }}
     steps:
-      - uses: actions/checkout@v4 # brings versions.json into the workspace
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.ref }}
       - id: create-server-matrix

diff --git a/.github/workflows/test-branch.yaml b/.github/workflows/test-branch.yaml
@@ -35,16 +35,21 @@ jobs:
     name: '${{ inputs.crypto-type }} build ${{inputs.source-branch}} using java-version ${{ inputs.java-version }} on ${{ inputs.server-type}}:${{ inputs.server-tag }}'
     runs-on: ${{ vars.BUILD_CONTAINER_DISTRO_VERSION }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           ref: ${{ inputs.source-branch }}
 
       # Java plugin will setup gpg but we are not using maven to deploy do JFrog.
       # - jf mvn clean install on publish does not publish POM we would like to publish
       - name: Setup Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
         with:
           distribution: "semeru"
           java-version: ${{ inputs.java-version }}