From c806f4044da401063002f8cf3dbb8282cdbef340 Mon Sep 17 00:00:00 2001
From: Stephan Schroevers
Date: Wed, 13 Mar 2024 14:29:56 +0100
Subject: [PATCH] Update `step-security/harden-runner` configuration (#1083)

---
 .github/workflows/codeql.yml | 2 ++
 .github/workflows/openssf-scorecard.yml | 14 ++++++++++++--
 .github/workflows/pitest-update-pr.yml | 8 ++++++--
 .github/workflows/run-integration-tests.yml | 11 +++++++++--
 4 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2b609429..7882aee6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,7 +29,9 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 github.com:443
+ objects.githubusercontent.com:443
 repo.maven.apache.org:443
+ uploads.github.com:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 6d091574..0b757089 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -23,8 +23,18 @@ jobs:
 - name: Install Harden-Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- # XXX: Replace with `block` policy.
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
 - name: Check out code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml
index fbf48422..83937e9e 100644
--- a/.github/workflows/pitest-update-pr.yml
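Review bot: The two hosts added here, `objects.githubusercontent.com:443` and `uploads.github.com:443`, are shared GitHub content hosts rather than project-specific ones, and nothing in the hunk records which step needs each, so a later reader cannot tell whether an entry is still required when a step is removed. Because `allowed-endpoints` is a folded block scalar (`>`), a `#` placed next to an entry would become part of the value handed to harden-runner rather than a comment, so the rationale has to sit on the line above the key, e.g. `# Hosts taken from harden-runner audit insights; objects.githubusercontent.com presumably for the JDK/Maven/CodeQL bundle downloads, uploads.github.com presumably for the CodeQL result upload — re-check after changing steps.` The same documentation gap applies to the new lists in openssf-scorecard.yml, pitest-update-pr.yml and run-integration-tests.yml. The `with:` block and this workflow's `egress-policy`/`disable-sudo` settings start above the hunk, so whether codeql.yml also gets `disable-sudo: true` is not visible here.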
+++ b/.github/workflows/pitest-update-pr.yml
@@ -22,8 +22,12 @@ jobs:
 - name: Install Harden-Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- # XXX: Replace with `block` policy.
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ repo.maven.apache.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml
index f95f2dc3..6776c89b 100644
--- a/.github/workflows/run-integration-tests.yml
+++ b/.github/workflows/run-integration-tests.yml
@@ -21,8 +21,15 @@ jobs:
 - name: Install Harden-Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- # XXX: Replace with `block` policy.
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ checkstyle.org:443
+ github.com:443
+ oss.sonatype.org:443
+ raw.githubusercontent.com:443
+ repo.maven.apache.org:443
+ repository.sonatype.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
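Review bot: This list has no `objects.githubusercontent.com:443`, although the codeql.yml hunk in this same commit adds that host around the identical `s4u/setup-maven-action` step; if that host is reached by the JDK/Maven download rather than by CodeQL itself, this job's setup will be cut off once the policy is `block`. It also allows only `repo.maven.apache.org:443`, whereas run-integration-tests.yml additionally allows `oss.sonatype.org:443` and `repository.sonatype.org:443`, which is fine only if the PITest build resolves no snapshot or staged artifacts. Both points are worth confirming against the harden-runner insights of a run on this branch before merging, since a blocked download surfaces as a build failure rather than as a policy error. The steps that follow `with:` are outside the hunk.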
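Review bot: `raw.githubusercontent.com:443` and `github.com:443` are host-level allowances, so the new block policy does not pin which files or release assets the integration tests may fetch, only that they come from GitHub; the step that needs the raw host (and `checkstyle.org:443`) should be named on the line above the `allowed-endpoints:` key, e.g. `# raw.githubusercontent.com / checkstyle.org: needed by <step that fetches them — fill in>; list taken from harden-runner audit insights.` A `#` inside the folded scalar itself would be passed to harden-runner as an entry, so the comment cannot go next to the host. Unlike the other two Maven workflows in this commit, `api.github.com:443` is absent here; that is correct only if no step in this job calls the GitHub API, and the steps after `with:` are outside the hunk, so the audit insights should confirm it.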