diff --git a/.github/workflows/reusable-fossa.yml b/.github/workflows/reusable-fossa.yml
index 236f18e..98496e7 100644
--- a/.github/workflows/reusable-fossa.yml
+++ b/.github/workflows/reusable-fossa.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
 disable-sudo: true
 egress-policy: block
@@ -29,6 +29,7 @@ jobs:
 api.github.com:443
 raw.githubusercontent.com:443
 objects.githubusercontent.com:443
+ storage.googleapis.com:443
 proxy.golang.org:443
 sum.golang.org:443
 app.fossa.com:443
diff --git a/.github/workflows/reusable-misspell.yml b/.github/workflows/reusable-misspell.yml
index b1f24be..3a4b73e 100644
--- a/.github/workflows/reusable-misspell.yml
+++ b/.github/workflows/reusable-misspell.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
 disable-sudo: true
 egress-policy: block
@@ -30,6 +30,8 @@ jobs:
 allowed-endpoints: >
 github.com:443
 api.github.com:443
+ actions-results-receiver-production.githubapp.com:443
+ pipelinesghubeus2.actions.githubusercontent.com:443
 
 - name: Check out code base
 if: github.event_name == 'push'
diff --git a/.github/workflows/reusable-nancy.yml b/.github/workflows/reusable-nancy.yml
index 58d3ac1..5ab0671 100644
--- a/.github/workflows/reusable-nancy.yml
+++ b/.github/workflows/reusable-nancy.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
 disable-sudo: true
 egress-policy: block
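Review bot: `storage.googleapis.com:443` in the reusable-fossa.yml `@@ -29,6 +29,7` hunk is the shared Google Cloud Storage host, so under `egress-policy: block` this permits egress to any bucket on that service rather than only the one the FOSSA step needs; the same widening happens with the wildcard `*.blob.core.windows.net:443` added in the reusable-scorecards.yml hunk. The context line `sigstore-tuf-root.storage.googleapis.com:443` in that scorecards hunk shows the narrower, bucket-scoped form, so if the download behind this entry uses a bucket-style hostname, prefer that form here. Whichever host is kept, record which step needs it in a comment placed above the `allowed-endpoints:` key, e.g. `# storage.googleapis.com: required by <step name> (TODO: confirm which download)`, because a `#` line inside the `>` folded scalar becomes part of the endpoint list rather than a comment. The enclosing `with:` block of this hunk starts outside the hunk.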
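Review bot: `pipelinesghubeus2.actions.githubusercontent.com:443` in the reusable-misspell.yml `@@ -30,6 +30,8` hunk appears to be a region-bound Actions backend host (the `eus2` segment looks like an Azure region), as does `acghubeus1.actions.githubusercontent.com:443` added in reusable-nancy.yml, so the allowlist only holds while runners are served from those regions and will surface as blocked egress elsewhere. The per-file choice is also inconsistent: misspell adds both this host and `actions-results-receiver-production.githubapp.com:443`, reusable-shellcheck.yml adds only the pipelines host, and reusable-super-linter.yml only the results-receiver host, so it is worth confirming which step each host actually serves before merging. Document the reason above the `allowed-endpoints:` key, e.g. `# actions.githubusercontent.com hosts below are region-specific; revisit if runner region changes`, rather than inside the folded scalar where the line would be treated as content.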
@@ -25,6 +25,8 @@ jobs:
 github.com:443
 api.github.com:443
 objects.githubusercontent.com:443
+ acghubeus1.actions.githubusercontent.com:443
+ pipelinesghubeus2.actions.githubusercontent.com:443
 dl-cdn.alpinelinux.org:443
 ossindex.sonatype.org:443
 proxy.golang.org:443
diff --git a/.github/workflows/reusable-scorecards.yml b/.github/workflows/reusable-scorecards.yml
index 5d6f110..a84fad3 100644
--- a/.github/workflows/reusable-scorecards.yml
+++ b/.github/workflows/reusable-scorecards.yml
@@ -55,6 +55,7 @@ jobs:
 api.securityscorecards.dev:443
 bestpractices.coreinfrastructure.org:443
 sigstore-tuf-root.storage.googleapis.com:443
+ *.blob.core.windows.net:443
 ghcr.io:443
 
 - name: Check out code base
diff --git a/.github/workflows/reusable-shellcheck.yml b/.github/workflows/reusable-shellcheck.yml
index 06ae31d..37d0f77 100644
--- a/.github/workflows/reusable-shellcheck.yml
+++ b/.github/workflows/reusable-shellcheck.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
 with:
 disable-sudo: true
 egress-policy: block
@@ -32,6 +32,7 @@ jobs:
 api.github.com:443
 raw.githubusercontent.com:443
 objects.githubusercontent.com:443
+ pipelinesghubeus2.actions.githubusercontent.com:443
 
 - name: Check out code base
 if: github.event_name == 'push'
diff --git a/.github/workflows/reusable-super-linter.yml b/.github/workflows/reusable-super-linter.yml
index 6cc148c..6203a0b 100644
--- a/.github/workflows/reusable-super-linter.yml
+++ b/.github/workflows/reusable-super-linter.yml
@@ -35,6 +35,7 @@ jobs:
 allowed-endpoints: >
 github.com:443
 api.github.com:443
+ actions-results-receiver-production.githubapp.com:443
 
 - name: Check out code base
 if: github.event_name == 'push'
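Review bot: The reusable-scorecards.yml diff contains only the `@@ -55,6 +55,7` endpoint hunk, while the other five workflows in this commit also move `step-security/harden-runner` from the v2.2.1 pin to the v2.6.0 pin, so the scorecards Harden Runner step presumably stays on the older pin; that step sits outside the hunk, so please confirm and bump it in the same change so every reusable workflow runs the same egress-filtering version. If holding it back is deliberate, a comment on that step, e.g. `# harden-runner intentionally held at v2.2.1: <reason>`, would save the next reader the question.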