fix: hardening workflows test (#1554)

Author: anupsv

.github/workflows/certora-prover.yml

@@ -38,16 +38,20 @@ jobs:
       github.event_name == 'workflow_dispatch'
     runs-on: protocol-x64-16core
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: audit
+
       # Checkout the repository with submodules
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
           # Use dev branch for scheduled runs, otherwise use the branch that triggered the workflow
           ref: ${{ github.event_name == 'schedule' && 'dev' || github.ref }}
 
       # Install the Foundry toolchain
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -56,7 +60,7 @@ jobs:
         run: forge install
 
       # Run Certora compilation step only
-      - uses: Certora/certora-run-action@v1
+      - uses: Certora/certora-run-action@56c6a98e84eee5cd3a135967a9a4bc06ef6d38cc
         with:
           # List of configuration files for different contracts to verify
           configurations: |-
@@ -94,16 +98,20 @@ jobs:
       github.event_name == 'schedule' || 
       github.event_name == 'workflow_dispatch'
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: audit
+
       # Checkout the repository with submodules
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
           # Use dev branch for scheduled runs, otherwise use the branch that triggered the workflow
           ref: ${{ github.event_name == 'schedule' && 'dev' || github.ref }}
 
       # Install the Foundry toolchain.
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -112,7 +120,7 @@ jobs:
         run: forge install
 
       # Run Certora verification with the same configurations
-      - uses: Certora/certora-run-action@v1
+      - uses: Certora/certora-run-action@56c6a98e84eee5cd3a135967a9a4bc06ef6d38cc
         with:
           # List of configuration files for different contracts to verify
           configurations: |-

.github/workflows/checks.yml

@@ -16,21 +16,49 @@ jobs:
     name: Typo Linting
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: crate-ci/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            release-assets.githubusercontent.com:443
+            objects.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: crate-ci/typos@717cd03663352cbd05e4d28c01366e571ff5f2ed
         with:
           config: .github/configs/typos-cli.toml
 
   go-bindings:
     name: Bindings
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            binaries.soliditylang.org:443
+            foundry.paradigm.xyz:443
+            gethstore.blob.core.windows.net:443
+            github.com:443
+            production.cloudflare.docker.com:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            release-assets.githubusercontent.com:443
+            security.ubuntu.com:80
+            objects.githubusercontent.com:443
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           fetch-depth: 0
       - name: Build and validate
         if: github.event_name == 'push'
         run: |
           make docker
           docker run -v `pwd`:/build -w /build --rm -i eigenlayer-contracts:latest bash -c "make gha"
-          if [ ! -z "$(git status --porcelain)" ]; then git diff; git status; exit 1; fi
+          if [ ! -z "$(git status --porcelain)" ]; then git diff; git status; exit 1; fi

.github/workflows/foundry-post-merge.yml

@@ -30,14 +30,24 @@ jobs:
     strategy:
       fail-fast: true
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            binaries.soliditylang.org:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            eth-mainnet.g.alchemy.com:443
+            powerful-dimensional-season.ethereum-holesky.quiknode.pro:443
+
       # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
 
       # Restore Forge cache
       - name: Cache Forge Build
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             cache/
@@ -48,7 +58,7 @@ jobs:
 
       # Install the Foundry toolchain.
       - name: "Install Foundry"
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 

.github/workflows/foundry.yml

@@ -27,14 +27,25 @@ jobs:
         suite: [Unit, Integration, Fork]
 
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            binaries.soliditylang.org:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            eth-mainnet.g.alchemy.com:443
+            powerful-dimensional-season.ethereum-holesky.quiknode.pro:443
+            objects.githubusercontent.com:443
+
       # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
 
       # Restore Forge cache
       - name: Cache Forge Build
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             cache/
@@ -45,7 +56,7 @@ jobs:
 
       # Install the Foundry toolchain.
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -83,14 +94,23 @@ jobs:
     name: Test (Storage)
     runs-on: protocol-x64-16core
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.etherscan.io:443
+            binaries.soliditylang.org:443
+            eth-mainnet.g.alchemy.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
       # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
 
       # Restore Forge cache
       - name: Cache Forge Build
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             cache/
@@ -101,7 +121,7 @@ jobs:
 
       # Install the Foundry toolchain.
       - name: "Install Foundry"
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -119,14 +139,23 @@ jobs:
     name: Coverage
     runs-on: protocol-x64-16core
     steps:
+
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            binaries.soliditylang.org:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            
       # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
 
       # Restore Foundry and Forge cache
       - name: Cache Foundry Dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             ~/.cargo
@@ -139,7 +168,7 @@ jobs:
         
       # Install the Foundry toolchain.
       - name: "Install Foundry"
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -169,7 +198,7 @@ jobs:
 
       # Upload coverage report as artifact before potential failure
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
           name: code-coverage-report
           path: report/*
@@ -208,14 +237,24 @@ jobs:
     name: Size Diff
     runs-on: protocol-x64-16core
     steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            *.blob.core.windows.net:443
+            binaries.soliditylang.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            release-assets.githubusercontent.com:443
+            
       # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
           submodules: recursive
 
       # Install the Foundry toolchain.
       - name: "Install Foundry"
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable
 
@@ -276,3 +315,4 @@ jobs:
           if [ "$has_differences" -eq 0 ]; then
             echo -e "\033[1;32m✨ No contract size changes detected ✨\033[0m"
           fi
+

.github/workflows/validate-deployment-scripts.yml

@@ -21,22 +21,21 @@ jobs:
         env: [preprod, testnet, mainnet, testnet-sepolia, testnet-hoodi, testnet-base-sepolia]
 
     steps:
-      # Check out repository with all submodules for complete codebase access.
-      - uses: actions/checkout@v4
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911
         with:
-          submodules: recursive
+          egress-policy: audit
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v3
+      # Check out repository with all submodules for complete codebase access.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
-          node-version: '18'
+          submodules: recursive
 
       - name: Install Zeus
         run: npm install -g @layr-labs/zeus
 
         # Restore Forge cache
       - name: Cache Forge Build
-        uses: actions/cache@v3
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684
         with:
           path: |
             cache/
@@ -47,7 +46,7 @@ jobs:
 
       # Install the Foundry toolchain.
       - name: Install Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@82dee4ba654bd2146511f85f0d013af94670c4de
         with:
           version: stable