harden runner: remove port from wildcard domain

wabarc · Feb 11, 2024 · 34a7244 · 34a7244
1 parent 320a765
commit 34a7244
Show file tree

Hide file tree

Showing 7 changed files with 9 additions and 16 deletions.
diff --git a/.github/workflows/reusable-builder-go.yml b/.github/workflows/reusable-builder-go.yml
@@ -86,7 +86,7 @@ jobs:
             proxy.golang.org:443
             sum.golang.org:443
             storage.googleapis.com:443
-            *.actions.githubusercontent.com:443
+            *.actions.githubusercontent.com
 
       - name: Check out code base
         if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'

diff --git a/.github/workflows/reusable-builder-snap.yml b/.github/workflows/reusable-builder-snap.yml
@@ -64,10 +64,8 @@ jobs:
             security.ubuntu.com:443
             cloud-images.ubuntu.com:443
             storage.snapcraftcontent.com:443
-            canonical-bos01.cdn.snapcraftcontent.com:443
-            canonical-lgw01.cdn.snapcraftcontent.com:443
-            uk.lxd.images.canonical.com:443
-            us.lxd.images.canonical.com:443
+            *.cdn.snapcraftcontent.com:443
+            *.lxd.images.canonical.com:443
             images.linuxcontainers.org:443
 
       - name: Check out code base

diff --git a/.github/workflows/reusable-golangci.yml b/.github/workflows/reusable-golangci.yml
@@ -47,9 +47,7 @@ jobs:
           allowed-endpoints: >
             github.com:443
             api.github.com:443
-            objects.githubusercontent.com:443
-            *.actions.githubusercontent.com:443
-            raw.githubusercontent.com:443
+            *.githubusercontent.com
             storage.googleapis.com:443
             proxy.golang.org:443
             sum.golang.org:443

diff --git a/.github/workflows/reusable-misspell.yml b/.github/workflows/reusable-misspell.yml
@@ -36,7 +36,7 @@ jobs:
             github.com:443
             api.github.com:443
             actions-results-receiver-production.githubapp.com:443
-            pipelinesghubeus2.actions.githubusercontent.com:443
+            *.actions.githubusercontent.com
 
       - name: Check out code base
         if: github.event_name == 'push'

diff --git a/.github/workflows/reusable-nancy.yml b/.github/workflows/reusable-nancy.yml
@@ -29,8 +29,7 @@ jobs:
           allowed-endpoints: >
             github.com:443
             api.github.com:443
-            objects.githubusercontent.com:443
-            *.actions.githubusercontent.com:443
+            *.githubusercontent.com
             dl-cdn.alpinelinux.org:443
             ossindex.sonatype.org:443
             proxy.golang.org:443

diff --git a/.github/workflows/reusable-super-linter.yml b/.github/workflows/reusable-super-linter.yml
@@ -40,7 +40,7 @@ jobs:
             github.com:443
             api.github.com:443
             actions-results-receiver-production.githubapp.com:443
-            *.actions.githubusercontent.com:443
+            *.actions.githubusercontent.com
 
       - name: Check out code base
         if: github.event_name == 'push'

diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml
@@ -51,8 +51,7 @@ jobs:
             github.com:443
             api.github.com:443
             uploads.github.com:443
-            pkg-containers.githubusercontent.com:443
-            *.actions.githubusercontent.com:443
+            *.actions.githubusercontent.com
 
       - name: Check out code base
         if: github.event_name == 'push'
@@ -109,8 +108,7 @@ jobs:
             github.com:443
             api.github.com:443
             uploads.github.com:443
-            pkg-containers.githubusercontent.com:443
-            *.actions.githubusercontent.com:443
+            *.actions.githubusercontent.com
 
       - name: Check out code base
         if: github.event_name == 'push'