hashgraph · san-est · Oct 18, 2024 · Oct 21, 2024 · Oct 21, 2024
@@ -43,7 +43,7 @@ jobs:
     runs-on: smart-contracts-linux-large
     timeout-minutes: 50
     permissions:
-      contents: write
+      contents: read
       actions: read
       # issues: read
     env:

@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: smart-contracts-linux-medium

@@ -7,6 +7,9 @@ on:
     branches: [main, release/**]
     tags: [v*]
 
+permissions:
+  contents: read
+
 jobs:
   clone-and-build-execution-apis:
     runs-on: smart-contracts-linux-medium

@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup-local-hedera:
     name: Dapp Tests

@@ -10,6 +10,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   dev-tool-workflow:
     runs-on: smart-contracts-linux-medium

@@ -28,6 +28,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

@@ -7,6 +7,9 @@ on:
 env:
   OWNER: hashgraph
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: smart-contracts-linux-medium

@@ -11,6 +11,9 @@ concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup-local-hedera:
     name: Postman Endpoint Tests

@@ -6,9 +6,14 @@ on:
 
 jobs:
   check_pr:
-    runs-on: ubuntu-latest
+    runs-on: smart-contracts-linux-medium
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 #v2.7.0
 

@@ -13,6 +13,9 @@ on:
         required: true
         default: 'v0.40.0'    
 
+permissions:
+  contents: read
+
 jobs:
   release-acceptance-test:
     runs-on: smart-contracts-linux-medium
@@ -26,21 +29,24 @@ jobs:
           egress-policy: audit
 
       - name: Authenticate
+        env:
+          HEDERA_PORTAL_USER: ${{ secrets.HEDERA_PORTAL_USER }}
+          HEDERA_PORTAL_PASSWORD: ${{ secrets.HEDERA_PORTAL_PASSWORD }}
         run: |
-            RESPONSE=$(jq --null-input -r --arg USER "${{ secrets.HEDERA_PORTAL_USER }}" --arg PASS "${{ secrets.HEDERA_PORTAL_PASSWORD }}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session)
-            echo "::add-mask::$RESPONSE"
-            echo "The response was: $RESPONSE"
-            ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)"
-            echo "::add-mask::$ACCOUNTS_JSON"
-            TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum')
-            echo "The testnet account is: $TESTNET_ACCOUNT"
-            PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey')
-            echo "The publicKey is: $PUBLIC_KEY"
-            PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey')
-            echo "::add-mask::$PRIVATE_KEY"
-            echo "The privateKey is: $PRIVATE_KEY"
-            echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV
-            echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV
+          RESPONSE=$(jq --null-input -r --arg USER "${HEDERA_PORTAL_USER}" --arg PASS "${HEDERA_PORTAL_PASSWORD}" '{"email": $USER, "password": $PASS}' | curl -sSL -c /tmp/cookiejar.bin --data @- -X POST -H "Accept: application/json" -H "Content-Type: application/json" https://portal.hedera.com/api/session)
+          echo "::add-mask::$RESPONSE"
+          echo "The response was: $RESPONSE"
+          ACCOUNTS_JSON="$(curl -sSL -b /tmp/cookiejar.bin -H "Accept: application/json" https://portal.hedera.com/api/account)"
+          echo "::add-mask::$ACCOUNTS_JSON"
+          TESTNET_ACCOUNT=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .accountNum')
+          echo "The testnet account is: $TESTNET_ACCOUNT"
+          PUBLIC_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .publicKey')
+          echo "The publicKey is: $PUBLIC_KEY"
+          PRIVATE_KEY=$(echo $ACCOUNTS_JSON | jq -r '.accounts[] | select(.network=="testnet") | .privateKey')
+          echo "::add-mask::$PRIVATE_KEY"
+          echo "The privateKey is: $PRIVATE_KEY"
+          echo "OPERATOR_ID_MAIN=0.0.${TESTNET_ACCOUNT}" >> $GITHUB_ENV
+          echo "OPERATOR_KEY_MAIN=${PRIVATE_KEY}" >> $GITHUB_ENV
 
       - name: Setup node
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2

@@ -9,6 +9,9 @@ env:
   OWNER: hashgraph
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: smart-contracts-linux-medium

@@ -9,6 +9,9 @@ env:
   PACKAGE_NAME: hedera-json-rpc-relay
   REGISTRY: ghcr.io
 
+permissions:
+  contents: read
+
 jobs:
   docker-image-publish:
     runs-on: smart-contracts-linux-medium

@@ -10,6 +10,9 @@ on:
 concurrency:
   group: pr-checks-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
   subgraph-workflow: