From 8a8290587aa9389ffe9fdb6fb7d9805083444f0a Mon Sep 17 00:00:00 2001
From: Stephan Schroevers
Date: Sun, 19 May 2024 14:14:20 +0200
Subject: [PATCH] Update `step-security/harden-runner` configuration (#1177)

This resolves recent build failures by ensuring that JDKs can be downloaded.
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/codeql.yml | 1 +
 .github/workflows/pitest-analyze-pr.yml | 2 ++
 .github/workflows/pitest-update-pr.yml | 2 ++
 .github/workflows/run-integration-tests.yml | 2 ++
 .github/workflows/sonarcloud.yml | 2 ++
 6 files changed, 11 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d74f566d..a7a5feda 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,8 +31,10 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 github.com:443
 jitpack.io:443
+ objects.githubusercontent.com:443
 repo.maven.apache.org:443
 # We run the build twice for each supported JDK: once against the
 # original Error Prone release, using only Error Prone checks available
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0eb19442..81e6a9de 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,6 +27,7 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 api.github.com:443
 github.com:443
 objects.githubusercontent.com:443
diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml
index 28336ce0..5e3f5199 100644
--- a/.github/workflows/pitest-analyze-pr.yml
+++ b/.github/workflows/pitest-analyze-pr.yml
@@ -17,7 +17,9 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 github.com:443
+ objects.githubusercontent.com:443
 repo.maven.apache.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
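Review bot: The two hosts added to `allowed-endpoints` in the `build.yml` hunk (`api.adoptium.net:443` and `objects.githubusercontent.com:443`) carry no in-file record of which step needs them, and the same holds for the matching additions in `codeql.yml`, `pitest-analyze-pr.yml`, `pitest-update-pr.yml`, `run-integration-tests.yml` and `sonarcloud.yml`. With `egress-policy: block` this list is the job's outbound boundary, so each entry should be attributable to a step so it can be reviewed and pruned later. Because the value is a folded scalar (`>`), a `#` inside it would become part of the endpoint list, so the comment has to sit above the key, e.g. `# api.adoptium.net, objects.githubusercontent.com: required so the JDK can be downloaded.` Also worth recording: `objects.githubusercontent.com` is presumably not specific to the JDK vendor, so the integrity of the downloaded JDK rests on the setup action rather than on this filter. The enclosing `with:` block starts outside the hunk.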
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml
index a64393b8..fc34a859 100644
--- a/.github/workflows/pitest-update-pr.yml
+++ b/.github/workflows/pitest-update-pr.yml
@@ -25,8 +25,10 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 api.github.com:443
 github.com:443
+ objects.githubusercontent.com:443
 repo.maven.apache.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml
index 31c7b555..7434f460 100644
--- a/.github/workflows/run-integration-tests.yml
+++ b/.github/workflows/run-integration-tests.yml
@@ -24,8 +24,10 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 checkstyle.org:443
 github.com:443
+ objects.githubusercontent.com:443
 oss.sonatype.org:443
 raw.githubusercontent.com:443
 repo.maven.apache.org:443
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 152d8b77..42eacd7f 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -24,8 +24,10 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ api.adoptium.net:443
 ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
 github.com:443
+ objects.githubusercontent.com:443
 repo.maven.apache.org:443
 sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
 scanner.sonarcloud.io:443