Update step-security/harden-runner configuration (#1271)

While apparently the build doesn't fail without this, it is reasonable for SonarCloud analysis to access the two additional domains. While there, introduce subdomain wildcards for `sigstore.dev` and `sonarcloud.io`.
2026-03-10 08:11:25 +00:00 · 2024-08-05 09:31:25 +02:00
parent 136123f6b4
commit 1005d93b7e
2 changed files with 4 additions and 5 deletions
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -30,11 +30,9 @@ jobs:
            api.osv.dev:443
            api.scorecard.dev:443
            api.securityscorecards.dev:443
-            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
-            rekor.sigstore.dev:443
-            tuf-repo-cdn.sigstore.dev:443
+            *.sigstore.dev:443
            www.bestpractices.dev:443
      - name: Check out code
        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -24,14 +24,15 @@ jobs:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
+            analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
            api.adoptium.net:443
-            api.sonarcloud.io:443
+            api.nuget.org:443
            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
            github.com:443
            objects.githubusercontent.com:443
            repo.maven.apache.org:443
            sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
-            scanner.sonarcloud.io:443
+            *.sonarcloud.io:443
            sonarcloud.io:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0