From ac85c674ca25631e6ef61e34ae06c441b070f9a3 Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Mon, 15 Jan 2024 11:15:02 -0500
Subject: [PATCH] update allowed sockets

---
.github/workflows/add-to-project.yml | 6 +++++-
.github/workflows/bump-version.yml | 7 ++++++-
.github/workflows/codeql-analysis.yml | 10 +++++++++-
.github/workflows/dependency-review.yml | 2 ++
.github/workflows/first_pull_request.yml | 5 ++++-
.github/workflows/label_on_approval.yml | 6 +++++-
.github/workflows/upstream.yml | 3 +++
7 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 24f7c6b50..f0cfbc6f0 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -19,7 +19,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+
 - uses: actions/add-to-project@v0.5.0
 with:
 project-url: https://github.com/orgs/Ouranosinc/projects/6
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 147ae1c30..1998610ae 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -36,7 +36,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
 - uses: actions/checkout@v4.1.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e26f7942e..6b1097b66 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
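Review bot: The new `egress-policy: block` allowlist only constrains the job's network after harden-runner has started, while the action it is meant to contain, `actions/add-to-project@v0.5.0` on the context line right after the added `api.github.com:443` entry, is still resolved from a mutable tag before any step runs; the same applies to the tag-pinned actions in the other hunks of this patch. Harden-runner itself is already pinned to a full commit SHA with a `# v2.6.1` trailer, so pinning the remaining actions the same way, `uses: actions/add-to-project@<commit-sha> # v0.5.0`, would close the supply-chain gap the egress policy leaves open. `disable-sudo: true` and the switch from `audit` to `block` are the right direction; whether `api.github.com:443` is the only host this action needs is not verifiable from the hunk and should be confirmed against the audit-mode run.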
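Review bot: The bump-version allowlist omits `api.github.com:443`, which every other GitHub-facing job in this patch includes, so with `egress-policy: block` any step after the visible `actions/checkout` (the rest of the job is outside the hunk) that uses the REST API, the `gh` CLI or an action that does, will now fail closed rather than be logged. That may be intended if the audit-mode run showed only git-over-HTTPS and PyPI traffic, but it is worth confirming before the next release bump runs. Adding a comment per host above the list, e.g. `# github.com: checkout and push of the version commit` and `# pypi.org / files.pythonhosted.org: install of the bump tool`, would make the allowlist reviewable next time it changes; and since this job presumably installs from PyPI and then writes back to the repository, the install step it runs (not shown) is the place to pin the tool by version and hash.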
@@ -39,7 +39,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ uploads.github.com:443
 - name: Checkout repository
 uses: actions/checkout@v4.1.1
 # Initializes the CodeQL tools for scanning.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 19c43a455..368b283c9 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,7 +23,9 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 github.com:443
+
 - name: 'Checkout Repository'
 uses: actions/checkout@v4.1.1
+
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@v3.1.4
diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
index f3f44a97a..73a474813 100644
--- a/.github/workflows/first_pull_request.yml
+++ b/.github/workflows/first_pull_request.yml
@@ -19,7 +19,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - uses: actions/github-script@v7.0.1
 with:
diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml
index d3eb0017e..89e5da8e6 100644
--- a/.github/workflows/label_on_approval.yml
+++ b/.github/workflows/label_on_approval.yml
@@ -28,7 +28,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+
 - name: Label Approved
 uses: actions/github-script@v7.0.1
 with:
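Review bot: Six hosts are added to the CodeQL allowlist with no indication of which step needs each one, and in a fail-closed list that attribution is exactly what a reviewer needs to decide whether an entry is still required or has become dead. Only the checkout is visible below the change, so `objects.githubusercontent.com:443` and `uploads.github.com:443` must serve steps outside the hunk; a comment block above `allowed-endpoints`, one line per host along the lines of `# objects.githubusercontent.com: CodeQL bundle download` and `# pypi.org / files.pythonhosted.org: pip install of project dependencies`, would keep the list auditable. Those attributions are my inference from the host names and should be checked against the audit-mode log before being written down as fact.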
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index c9f68363f..2c6a39b10 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -46,11 +46,14 @@ jobs:
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
+ conda.anaconda.org:443
+ dap.service.does.not.exist:443
 files.pythonhosted.org:443
 github.com:443
 objects.githubusercontent.com:443
 pypi.org:443
 raw.githubusercontent.com:443
+ repo.anaconda.com:443
 - uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 0 # Fetch all history for all branches and tags.
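Review bot: `dap.service.does.not.exist:443` is allowlisted without explanation; it reads as a deliberately unresolvable host, presumably used by a test that exercises the failure path of opening a remote dataset, but to a future maintainer it looks like a leftover placeholder that will be deleted or "corrected" to a real host. A comment directly above the entry, e.g. `# intentionally non-existent host, used by tests of the remote-open failure path`, would prevent that, with the reason confirmed against the test suite, which is outside this patch. The `with:` block of this harden-runner step begins before the hunk, so it is not visible whether `disable-sudo: true` is set here as the other workflows in this patch now set it; worth checking for consistency.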