Skip to content

Commit 2d93712

Browse files
author
Kenneth Rosario
authored
chore: apply recommended harden runner egress policy (#535)
1 parent dd97f7e commit 2d93712

File tree

5 files changed

+63
-31
lines changed

5 files changed

+63
-31
lines changed

.github/workflows/conformance.yml

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,18 @@ jobs:
1414
node-version: [10, 12, 14, 16, 18, 20]
1515
steps:
1616
- name: Harden Runner
17-
uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
17+
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
1818
with:
19-
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
19+
disable-sudo: true
20+
egress-policy: block
21+
allowed-endpoints: >
22+
api.github.com:443
23+
github.com:443
24+
objects.githubusercontent.com:443
25+
proxy.golang.org:443
26+
registry.npmjs.org:443
27+
storage.googleapis.com:443
28+
sum.golang.org:443
2029
2130
- name: Checkout code
2231
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2

.github/workflows/docs.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,13 @@ jobs:
1212
runs-on: ubuntu-latest
1313
steps:
1414
- name: Harden Runner
15-
uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
15+
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
1616
with:
17-
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
17+
disable-sudo: true
18+
egress-policy: block
19+
allowed-endpoints: >
20+
github.com:443
21+
registry.npmjs.org:443
1822
1923
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
2024
- name: Setup Node.js

.github/workflows/publish.yml

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,14 @@ jobs:
1111
runs-on: ubuntu-latest
1212
steps:
1313
- name: Harden Runner
14-
uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
14+
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
1515
with:
16-
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
16+
disable-sudo: true
17+
egress-policy: block
18+
allowed-endpoints: >
19+
github.com:443
20+
registry.npmjs.org:443
21+
wombat-dressing-room.appspot.com:443
1722
1823
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
1924
- uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
@@ -28,5 +33,4 @@ jobs:
2833
- id: publish
2934
env:
3035
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
31-
run:
32-
npm publish
36+
run: npm publish

.github/workflows/scorecard.yml

Lines changed: 15 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ on:
88
schedule:
99
- cron: '0 */12 * * *'
1010
push:
11-
branches: [ "master" ]
11+
branches: ['master']
1212

1313
# Declare default permissions as read only.
1414
permissions: read-all
@@ -25,16 +25,25 @@ jobs:
2525

2626
steps:
2727
- name: Harden Runner
28-
uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
28+
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
2929
with:
30-
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
30+
disable-sudo: true
31+
egress-policy: block
32+
allowed-endpoints: >
33+
api.github.com:443
34+
api.osv.dev:443
35+
bestpractices.coreinfrastructure.org:443
36+
fulcio.sigstore.dev:443
37+
github.com:443
38+
oss-fuzz-build-logs.storage.googleapis.com:443
39+
sigstore-tuf-root.storage.googleapis.com:443
3140
32-
- name: "Checkout code"
41+
- name: 'Checkout code'
3342
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
3443
with:
3544
persist-credentials: false
3645

37-
- name: "Run analysis"
46+
- name: 'Run analysis'
3847
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3
3948
with:
4049
results_file: results.sarif
@@ -46,7 +55,7 @@ jobs:
4655
publish_results: true
4756

4857
# Upload the results to GitHub's code scanning dashboard.
49-
- name: "Upload to code-scanning"
58+
- name: 'Upload to code-scanning'
5059
uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a # v2.3.2
5160
with:
5261
sarif_file: results.sarif

.github/workflows/unit.yml

Lines changed: 23 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ name: Node.js Unit CI
22
on:
33
push:
44
branches:
5-
- master
5+
- master
66
pull_request:
77
permissions:
88
contents: read
@@ -15,20 +15,26 @@ jobs:
1515
platform: [ubuntu-latest, macos-latest, windows-latest]
1616
runs-on: ${{ matrix.platform }}
1717
steps:
18-
- name: Harden Runner
19-
uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
20-
with:
21-
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
18+
- name: Harden Runner
19+
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
20+
with:
21+
disable-sudo: true
22+
egress-policy: block
23+
allowed-endpoints: >
24+
api.github.com:443
25+
github.com:443
26+
objects.githubusercontent.com:443
27+
registry.npmjs.org:443
2228
23-
- name: Checkout
24-
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
25-
- name: Use Node.js ${{ matrix.node-version }}
26-
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
27-
with:
28-
node-version: ${{ matrix.node-version }}
29-
- name: Install dependencies
30-
run: npm install
31-
- name: Build TypeScript project
32-
run: npm run build --if-present
33-
- name: Test
34-
run: npm test
29+
- name: Checkout
30+
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
31+
- name: Use Node.js ${{ matrix.node-version }}
32+
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
33+
with:
34+
node-version: ${{ matrix.node-version }}
35+
- name: Install dependencies
36+
run: npm install
37+
- name: Build TypeScript project
38+
run: npm run build --if-present
39+
- name: Test
40+
run: npm test

0 commit comments

Comments
 (0)