Update step-security/harden-runner configuration (#1083)

2026-03-10 08:11:25 +00:00 · 2024-03-13 14:29:56 +01:00
parent 23ceb4aa6b
commit c806f4044d
4 changed files with 29 additions and 6 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,7 +29,9 @@ jobs:
          allowed-endpoints: >
            api.github.com:443
            github.com:443
+            objects.githubusercontent.com:443
            repo.maven.apache.org:443
+            uploads.github.com:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
        with:
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -23,8 +23,18 @@ jobs:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
-          # XXX: Replace with `block` policy.
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
      - name: Check out code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
--- a/.github/workflows/pitest-update-pr.yml
+++ b/.github/workflows/pitest-update-pr.yml
@@ -22,8 +22,12 @@ jobs:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
-          # XXX: Replace with `block` policy.
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            repo.maven.apache.org:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
        with:
--- a/.github/workflows/run-integration-tests.yml
+++ b/.github/workflows/run-integration-tests.yml
@@ -21,8 +21,15 @@ jobs:
      - name: Install Harden-Runner
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
-          # XXX: Replace with `block` policy.
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            checkstyle.org:443
+            github.com:443
+            oss.sonatype.org:443
+            raw.githubusercontent.com:443
+            repo.maven.apache.org:443
+            repository.sonatype.org:443
      - name: Check out code and set up JDK and Maven
        uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
        with: