Update allowed connections lists (#1597)

### What kind of change does this PR introduce? * Updates the lists of allowed connections for a few audited workflows * Prevents `bump-my-version` from running if templates are updated ### Does this PR introduce a breaking change? No. ### Other information: Once we perform a release, we'll be able to determine the exact lists for PyPI, TestPyPI, and mastodon, so that we can finally remove all "audited" workflows. The work will be done after this.
Ouranosinc · Jan 15, 2024 · 54dc1e5 · 54dc1e5
2 parents 0c631fb + 4d77bb3
commit 54dc1e5
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 7 deletions.
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -19,7 +19,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - uses: actions/[email protected]
         with:
           project-url: https://github.com/orgs/Ouranosinc/projects/6

diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -6,6 +6,7 @@ on:
       - master
     paths-ignore:
       - .*
+      - .github/*/*.md
       - .github/*/*.yml
       - CHANGES.rst
       - Makefile
@@ -36,7 +37,12 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
       - uses: actions/[email protected]
         with:
           persist-credentials: false

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,15 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+            uploads.github.com:443
       - name: Checkout repository
         uses: actions/[email protected]
       # Initializes the CodeQL tools for scanning.

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -23,7 +23,9 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+
       - name: 'Checkout Repository'
         uses: actions/[email protected]
+
       - name: 'Dependency Review'
         uses: actions/[email protected]
diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
@@ -19,7 +19,10 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - uses: actions/[email protected]
         with:

diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml
@@ -28,7 +28,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+
       - name: Label Approved
         uses: actions/[email protected]
         with:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -46,7 +46,12 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
       - uses: actions/[email protected]
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/[email protected]

diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
@@ -46,11 +46,14 @@ jobs:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+            conda.anaconda.org:443
+            dap.service.does.not.exist:443
             files.pythonhosted.org:443
             github.com:443
             objects.githubusercontent.com:443
             pypi.org:443
             raw.githubusercontent.com:443
+            repo.anaconda.com:443
       - uses: actions/[email protected]
         with:
           fetch-depth: 0 # Fetch all history for all branches and tags.

diff --git a/CHANGES.rst b/CHANGES.rst
@@ -34,7 +34,7 @@ Internal changes
 ^^^^^^^^^^^^^^^^
 * The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`)
 * The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`).
-* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`).
+* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`, :pull:`1597`).
 * Updated the CONTRIBUTING.rst directions to showcase the new versioning system. (:issue:`1557`, :pull:`1573`).
 * The `codespell` library is now a development dependency for the `dev` installation recipe with configurations found within `pyproject.toml`. This is also now a linting step and integrated as a `pre-commit` hook. For more information, see the `codespell documentation <https://github.com/codespell-project/codespell>`_ (:pull:`1576`).
 * Climate indicators search page now prioritizes the "official" indicators (atmos, land, seaIce and generic), virtual submodules can be added to search through checkbox option. (:issue:`1559`, :pull:`1593`).