ci: harden CI

Signed-off-by: Richard Zak <[email protected]>
malwaredb · Dec 24, 2023 · 23d89a6 · 23d89a6
1 parent 210d6ce
commit 23d89a6
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 6 deletions.
diff --git a/.github/workflows/commisery.yml b/.github/workflows/commisery.yml
@@ -24,7 +24,10 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - name: Run Commisery
         uses: tomtom-international/commisery-action@33eb2d6e7dfc53e6d3d09ea20c639b8858f75021 # v2.19.3

diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
@@ -7,6 +7,9 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -8,7 +8,14 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
-        egress-policy: audit
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          crates.io:443
+          github.com:443
+          index.crates.io:443
+          static.crates.io:443
+          static.rust-lang.org:443
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Rust toolchain
@@ -31,7 +38,16 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            crates.io:443
+            github.com:443
+            index.crates.io:443
+            objects.githubusercontent.com:443
+            static.crates.io:443
+            static.rust-lang.org:443
 
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -52,7 +68,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            crates.io:443
+            github.com:443
+            index.crates.io:443
+            static.crates.io:443
 
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,13 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
-        egress-policy: audit
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          crates.io:443
+          github.com:443
+          index.crates.io:443
+          static.crates.io:443
 
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: cargo test