Allowed endpoints (#127)

wabarc · Oct 18, 2023 · d072500 · d072500
1 parent cf27c46
commit d072500
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 4 deletions.
diff --git a/.github/workflows/reusable-fossa.yml b/.github/workflows/reusable-fossa.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -29,6 +29,7 @@ jobs:
             api.github.com:443
             raw.githubusercontent.com:443
             objects.githubusercontent.com:443
+            storage.googleapis.com:443
             proxy.golang.org:443
             sum.golang.org:443
             app.fossa.com:443

diff --git a/.github/workflows/reusable-misspell.yml b/.github/workflows/reusable-misspell.yml
@@ -22,14 +22,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443
             api.github.com:443
+            actions-results-receiver-production.githubapp.com:443
+            pipelinesghubeus2.actions.githubusercontent.com:443
 
       - name: Check out code base
         if: github.event_name == 'push'

diff --git a/.github/workflows/reusable-nancy.yml b/.github/workflows/reusable-nancy.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -25,6 +25,8 @@ jobs:
             github.com:443
             api.github.com:443
             objects.githubusercontent.com:443
+            acghubeus1.actions.githubusercontent.com:443
+            pipelinesghubeus2.actions.githubusercontent.com:443
             dl-cdn.alpinelinux.org:443
             ossindex.sonatype.org:443
             proxy.golang.org:443

diff --git a/.github/workflows/reusable-scorecards.yml b/.github/workflows/reusable-scorecards.yml
@@ -55,6 +55,7 @@ jobs:
             api.securityscorecards.dev:443
             bestpractices.coreinfrastructure.org:443
             sigstore-tuf-root.storage.googleapis.com:443
+            *.blob.core.windows.net:443
             ghcr.io:443
 
       - name: Check out code base

diff --git a/.github/workflows/reusable-shellcheck.yml b/.github/workflows/reusable-shellcheck.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -32,6 +32,7 @@ jobs:
             api.github.com:443
             raw.githubusercontent.com:443
             objects.githubusercontent.com:443
+            pipelinesghubeus2.actions.githubusercontent.com:443
 
       - name: Check out code base
         if: github.event_name == 'push'

diff --git a/.github/workflows/reusable-super-linter.yml b/.github/workflows/reusable-super-linter.yml
@@ -35,6 +35,7 @@ jobs:
           allowed-endpoints: >
             github.com:443
             api.github.com:443
+            actions-results-receiver-production.githubapp.com:443
 
       - name: Check out code base
         if: github.event_name == 'push'