Audit ports (#490)

### What kind of change does this PR introduce? * Sets the security system to audit the new connection list for uploading to PyPI and TestPyPI ### Does this PR introduce a breaking change? No. ### Other information: https://peps.python.org/pep-0740/ https://github.com/marketplace/actions/pypi-publish#generating-and-uploading-attestations
Ouranosinc · Nov 4, 2024 · 7dcdacf · 7dcdacf
2 parents 8ae81fe + 09b2252
commit 7dcdacf
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 18 deletions.
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -20,15 +20,15 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            fulcio.sigstore.dev:443
-            github.com:443
-            pypi.org:443
-            tuf-repo-cdn.sigstore.dev:443
-            upload.pypi.org:443
+#          disable-sudo: true
+          egress-policy: audit
+#          allowed-endpoints: >
+#            files.pythonhosted.org:443
+#            fulcio.sigstore.dev:443
+#            github.com:443
+#            pypi.org:443
+#            tuf-repo-cdn.sigstore.dev:443
+#            upload.pypi.org:443
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python3

diff --git a/.github/workflows/tag-testpypi.yml b/.github/workflows/tag-testpypi.yml
@@ -48,15 +48,15 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            files.pythonhosted.org:443
-            fulcio.sigstore.dev:443
-            github.com:443
-            pypi.org:443
-            test.pypi.org:443
-            tuf-repo-cdn.sigstore.dev:443
+#          disable-sudo: true
+          egress-policy: audit
+#          allowed-endpoints: >
+#            files.pythonhosted.org:443
+#            fulcio.sigstore.dev:443
+#            github.com:443
+#            pypi.org:443
+#            test.pypi.org:443
+#            tuf-repo-cdn.sigstore.dev:443
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Python3