base · stepsecurity-app · Jun 17, 2025
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
@@ -17,8 +17,13 @@ jobs:
         runs-on: ubuntu-latest
         timeout-minutes: 30
         steps:
-            - uses: actions/checkout@v4
-            - uses: EmbarkStudios/cargo-deny-action@v1
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            - uses: EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3
               with:
                   command: check all
                   # Clear out arguments to not pass `--all-features` to `cargo deny`.

diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
@@ -32,8 +32,13 @@ jobs:
         runs-on: ubuntu-latest
         timeout-minutes: 30
         steps:
-            - uses: actions/checkout@v4
-            - uses: dtolnay/rust-toolchain@nightly
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly
 
             - name: cargo update
               # Remove first line that always just says "Updating crates.io index"
@@ -55,7 +60,7 @@ jobs:
                   echo "EOF" >> $GITHUB_OUTPUT
 
             - name: Create Pull Request
-              uses: peter-evans/create-pull-request@v5
+              uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5.0.3
               with:
                   add-paths: ./Cargo.lock
                   commit-message: ${{ steps.msg.outputs.commit_message }}

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -15,6 +15,9 @@ env:
     # Will resolve to foundry-rs/foundry
     IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+
 jobs:
     container:
         runs-on: Linux-20.04
@@ -25,12 +28,17 @@ jobs:
             contents: read
         timeout-minutes: 120
         steps:
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
             - name: Checkout repository
               id: checkout
-              uses: actions/checkout@v4
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             - name: Install Docker BuildX
-              uses: docker/setup-buildx-action@v2
+              uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
               id: buildx
               with:
                   install: true
@@ -40,7 +48,7 @@ jobs:
             - name: Log into registry ${{ env.REGISTRY }}
               # Ensure this doesn't trigger on PR's
               if: github.event_name != 'pull_request'
-              uses: docker/login-action@v2
+              uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
               with:
                   registry: ${{ env.REGISTRY }}
                   username: ${{ github.actor }}
@@ -50,7 +58,7 @@ jobs:
             # https://github.com/docker/metadata-action
             - name: Extract Docker metadata
               id: meta
-              uses: docker/metadata-action@v4
+              uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
               with:
                   images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
@@ -82,7 +90,7 @@ jobs:
             # https://github.com/docker/build-push-action
             # https://github.com/docker/build-push-action/blob/master/docs/advanced/cache.md
             - name: Build and push Docker image
-              uses: docker/build-push-action@v3
+              uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
               with:
                   context: .
                   push: true

diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml
@@ -4,13 +4,21 @@ on:
     issues:
         types: [opened, transferred]
 
+permissions:
+  contents: read
+
 jobs:
     add-to-project:
         name: add issue
         runs-on: ubuntu-latest
         timeout-minutes: 30
         steps:
-            - uses: actions/add-to-project@main
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/add-to-project@0c37450c4be3b6a7582b2fb013c9ebfd9c8e9300 # main
               with:
                   project-url: https://github.com/orgs/foundry-rs/projects/2
                   github-token: ${{ secrets.GH_PROJECTS_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,7 +22,12 @@ jobs:
             release_name: ${{ steps.release_info.outputs.release_name }}
             changelog: ${{ steps.build_changelog.outputs.changelog }}
         steps:
-            - uses: actions/checkout@v4
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   fetch-depth: 0
 
@@ -43,7 +48,7 @@ jobs:
             # the changelog.
             - name: Create build-specific nightly tag
               if: ${{ env.IS_NIGHTLY }}
-              uses: actions/github-script@v7
+              uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
               env:
                   TAG_NAME: ${{ steps.release_info.outputs.tag_name }}
               with:
@@ -53,7 +58,7 @@ jobs:
 
             - name: Build changelog
               id: build_changelog
-              uses: mikepenz/release-changelog-builder-action@v4
+              uses: mikepenz/release-changelog-builder-action@32e3c96f29a6532607f638797455e9e98cfc703d # v4.2.2
               with:
                   configuration: "./.github/changelog.json"
                   fromTag: ${{ env.IS_NIGHTLY && 'nightly' || '' }}
@@ -104,11 +109,16 @@ jobs:
                       platform: win32
                       arch: amd64
         steps:
-            - uses: actions/checkout@v4
-            - uses: dtolnay/rust-toolchain@stable
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
               with:
                   targets: ${{ matrix.target }}
-            - uses: Swatinem/rust-cache@v2
+            - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
               with:
                   key: ${{ matrix.target }}
                   cache-on-failure: true
@@ -199,7 +209,7 @@ jobs:
 
             # Creates the release for this specific version
             - name: Create release
-              uses: softprops/action-gh-release@v1
+              uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
               with:
                   name: ${{ needs.prepare.outputs.release_name }}
                   tag_name: ${{ needs.prepare.outputs.tag_name }}
@@ -213,7 +223,7 @@ jobs:
             # tagged `nightly` for compatibility with `foundryup`
             - name: Update nightly release
               if: ${{ env.IS_NIGHTLY }}
-              uses: softprops/action-gh-release@v1
+              uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
               with:
                   name: "Nightly"
                   tag_name: "nightly"
@@ -230,19 +240,24 @@ jobs:
         needs: release
         if: always()
         steps:
-            - uses: actions/checkout@v4
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
             # Moves the `nightly` tag to `HEAD`
             - name: Move nightly tag
               if: ${{ env.IS_NIGHTLY }}
-              uses: actions/github-script@v7
+              uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
               with:
                   script: |
                       const moveTag = require('./.github/scripts/move-tag.js')
                       await moveTag({ github, context }, 'nightly')
 
             - name: Delete old nightlies
-              uses: actions/github-script@v7
+              uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
               with:
                   script: |
                       const prunePrereleases = require('./.github/scripts/prune-prereleases.js')
@@ -255,8 +270,13 @@ jobs:
         needs: [prepare, release-docker, release, cleanup]
         if: failure()
         steps:
-            - uses: actions/checkout@v4
-            - uses: JasonEtco/create-an-issue@v2
+            - name: Harden the runner (Audit all outbound calls)
+              uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+              with:
+                egress-policy: audit
+
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+            - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   WORKFLOW_URL: |

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -20,8 +20,13 @@ jobs:
     outputs:
       test-matrix: ${{ steps.gen.outputs.test-matrix }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: "3.11"
       - name: Generate matrices
@@ -44,40 +49,45 @@ jobs:
     env:
       ETH_RPC_URL: https://eth-mainnet.alchemyapi.io/v2/C3JEvfW6VgtqZQa-Qp1E-2srEiIc02sD
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
         with:
           target: ${{ matrix.target }}
-      - uses: taiki-e/install-action@nextest
+      - uses: taiki-e/install-action@456fe09216707d696fa9e73869605958d379d8e1 # nextest
 
       # External tests dependencies
       - name: Setup Node.js
         if: contains(matrix.name, 'external')
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 20
       - name: Install Bun
         if: contains(matrix.name, 'external') && !contains(matrix.runner_label, 'windows')
-        uses: oven-sh/setup-bun@v1
+        uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1.2.2
         with:
           bun-version: latest
       - name: Setup Python
         if: contains(matrix.name, 'external')
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: 3.11
       - name: Install Vyper
         if: contains(matrix.name, 'external')
         run: pip install vyper
 
       - name: Forge RPC cache
-        uses: actions/cache@v3
+        uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3
         with:
           path: |
             ~/.foundry/cache
             ~/.config/.foundry/cache
           key: rpc-cache-${{ hashFiles('crates/forge/tests/rpc-cache-keyfile') }}
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
       - name: Setup Git config
@@ -94,9 +104,14 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
       - run: cargo test --workspace --doc
@@ -105,11 +120,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@clippy
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@6f332752acb41ca15498e71cf71ff8946ea847fd # clippy
         with:
           toolchain: nightly-2024-02-03
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
       - run: cargo clippy --workspace --all-targets --all-features
@@ -120,8 +140,13 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@nightly
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly
         with:
           toolchain: nightly-2024-02-03
           components: rustfmt
@@ -131,9 +156,14 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
       - name: forge fmt
@@ -148,10 +178,15 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: taiki-e/install-action@cargo-hack
-      - uses: Swatinem/rust-cache@v2
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
+      - uses: taiki-e/install-action@6feab819d637ef308b806daf1a65f92036a41d73 # cargo-hack
+      - uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8
         with:
           cache-on-failure: true
       - run: cargo hack check