Support for specifying harden-runner egress policy #435
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright 2020 Wayback Archiver. All rights reserved. | |
| # Use of this source code is governed by the MIT license | |
| # that can be found in the LICENSE file. | |
| name: Scorecards | |
| on: | |
| push: | |
| branches: [ $default-branch, main ] | |
| pull_request: | |
| branches: [ $default-branch, main ] | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '33 23 * * 4' | |
| workflow_call: | |
| inputs: | |
| publish-results: | |
| type: boolean | |
| default: false | |
| description: "Publish the results for public repositories to enable scorecard badges." | |
| egress-policy: | |
| type: string | |
| default: 'block' | |
| description: 'Harden-Runner egress traffic policy' | |
| # Declare default permissions as read only. | |
| permissions: | |
| contents: read | |
| jobs: | |
| scorecards: | |
| name: Security Scorecards | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event_name == 'pull_request' || | |
| github.ref == 'refs/heads/${{ github.event.repository.default_branch }}' | |
| permissions: | |
| # Needed to upload the results to code-scanning dashboard. | |
| security-events: write | |
| # Used to receive a badge. (Upcoming feature) | |
| id-token: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: ${{ inputs.egress-policy || 'block' }} | |
| disable-telemetry: true | |
| allowed-endpoints: > | |
| github.com:443 | |
| api.github.com:443 | |
| api.osv.dev:443 | |
| auth.docker.io:443 | |
| index.docker.io:443 | |
| fulcio.sigstore.dev:443 | |
| rekor.sigstore.dev:443 | |
| api.securityscorecards.dev:443 | |
| bestpractices.coreinfrastructure.org:443 | |
| sigstore-tuf-root.storage.googleapis.com:443 | |
| *.blob.core.windows.net:443 | |
| ghcr.io:443 | |
| - name: Check out code base | |
| if: github.event_name == 'push' || github.event_name == 'schedule' | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Check out code base | |
| if: github.event_name == 'pull_request' | |
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Run scorecards analysis | |
| uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v2.1.0 | |
| with: | |
| results_file: results.sarif | |
| results_format: sarif | |
| # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if: | |
| # - you want to enable the Branch-Protection check on a *public* repository, or | |
| # - you are installing Scorecards on a *private* repository | |
| # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. | |
| # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} | |
| # Publish the results for public repositories to enable scorecard badges. For more details, see | |
| # https://github.com/ossf/scorecard-action#publishing-results. | |
| # For private repositories, `publish_results` will automatically be set to `false`, regardless | |
| # of the value entered here. | |
| publish_results: ${{ inputs.publish-results }} # true will not work with Harden Runner! | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: SARIF file | |
| path: results.sarif | |
| - name: Upload to code-scanning | |
| uses: github/codeql-action/upload-sarif@c3b6fce4ee2ca25bc1066aa3bf73962fda0e8898 # v2.1.31 | |
| with: | |
| sarif_file: results.sarif | |