From aa2a0e87484974a7e997c7b2a831dd496b2b05bd Mon Sep 17 00:00:00 2001
From: Kenneth Rosario
Date: Wed, 31 May 2023 16:36:49 -0700
Subject: [PATCH] chore: apply recommended egress policy (#144)
---
.github/workflows/conformance.yml | 12 ++++++++++--
.github/workflows/dependency-review.yml | 8 ++++++--
.github/workflows/lint.yaml | 7 +++++--
.github/workflows/scorecard.yml | 15 +++++++++++++--
.github/workflows/unit.yml | 16 ++++++++++++++--
5 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index dbcbf513..160a79e5 100644
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -18,9 +18,17 @@ jobs:
name: PHP ${{ matrix.php-version }} Conformance Test
steps:
- name: Harden Runner
- uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
+ uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ packagist.org:443
+ proxy.golang.org:443
+ repo.packagist.org:443
+ storage.googleapis.com:443
- name: Checkout code
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 033fd439..a422aec6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
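Review bot: `disable-sudo: true` is missing from the new `with:` block in conformance.yml, and likewise in unit.yml, while this same commit adds it in dependency-review.yml, lint.yaml and scorecard.yml; unless a conformance step genuinely needs root, add `disable-sudo: true` above `egress-policy: block` so that code pulled in by a dependency cannot escalate on the runner. Note also that `objects.githubusercontent.com:443` and `storage.googleapis.com:443` are shared object-storage hosts serving many unrelated publishers, so the block policy limits exfiltration less than the length of the list suggests; keeping them is reasonable for a job that downloads release assets, but a one-line comment next to `allowed-endpoints` stating that limitation would help the next reviewer. The `steps:` sequence the hunk edits continues outside the hunk.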
@@ -17,9 +17,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
+ uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
- name: 'Checkout Repository'
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 55492ac8..4b7a2bd1 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -12,9 +12,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
+ uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: PHP-CS-Fixer
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ab8aed99..978b4dba 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
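Review bot: The allowlist added for lint.yaml contains only `github.com:443`, so any later step that fetches from another host will fail once `egress-policy: block` takes effect; the PHP-CS-Fixer step visible at the end of the hunk presumably obtains the fixer from somewhere (a Composer install would need `repo.packagist.org:443` and `packagist.org:443`, as the other workflows in this commit allow), so confirm the list against the egress report of the last audit-mode run before merging. Recording where the list came from, e.g. `# endpoints observed in audit-mode run <RUN-ID placeholder>` above `allowed-endpoints`, would make future additions reviewable instead of trial-and-error. The PHP-CS-Fixer step's body lies outside the hunk.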
@@ -25,9 +25,20 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
+ uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ api.securityscorecards.dev:443
+ bestpractices.coreinfrastructure.org:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ sigstore-tuf-root.storage.googleapis.com:443
+ rekor.sigstore.dev:443
- name: "Checkout code"
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
index 674043ec..05de0616 100644
--- a/.github/workflows/unit.yml
+++ b/.github/workflows/unit.yml
@@ -17,9 +17,21 @@ jobs:
name: PHP ${{ matrix.php-versions }} Unit Test
steps:
- name: Harden Runner
- uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f # v2.3.0
+ uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ gcr.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ packagist.org:443
+ packagist.org:80
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ repo.packagist.org:443
+ storage.googleapis.com:443
+ auth.docker.io:443
- name: Checkout
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
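Review bot: In scorecard.yml the new `allowed-endpoints` list is alphabetical except for `rekor.sigstore.dev:443`, which is appended after the two `storage.googleapis.com` entries; move it between `oss-fuzz-build-logs.storage.googleapis.com:443` and `sigstore-tuf-root.storage.googleapis.com:443` so the list stays sorted and later additions show up as clean one-line diffs. The same applies to `auth.docker.io:443`, which is the last entry in unit.yml. Style only; the folded `>` scalar itself is fine, as every entry ends up on one space-separated line.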
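Review bot: `packagist.org:80` in unit.yml's new allowlist opens plaintext HTTP egress from the job; Composer defaults to HTTPS for Packagist (`secure-http`), and port 80 is normally reached only when something follows an `http://` URL to a redirect, so check the audit-mode run for which step actually used it and drop the entry if it was just a redirect hop. If it is genuinely needed, annotate it so the exception is deliberate, e.g. `packagist.org:80  # needed by <STEP-NAME placeholder>; see audit run`, because an allowlisted plaintext channel is exactly the kind of tamperable fetch the block policy is meant to rule out. The job's later steps, from checkout onwards, are outside the hunk.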