add action on workflow update

awslabs · Jun 18, 2024 · 89abd3c · 89abd3c
1 parent 67f68dd
commit 89abd3c
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/.github/workflows/on-workflow-update.yml b/.github/workflows/on-workflow-update.yml
@@ -0,0 +1,23 @@
+name: Lockdown untrusted workflows
+
+on:
+  push:
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  enforce_pinned_workflows:
+    name: Harden Security
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - name: Ensure 3rd party workflows have SHA pinned
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1