Support for specifying harden-runner egress policy (#131)
* Specify harden-runner egress policy supported

* Specify harden-runner egress policy supported

* Specify harden-runner egress policy supported

* Update reusable-urlcheck.yml
waybackarchiver authored Oct 21, 2023
1 parent 16a647c commit d192ac0
Showing 25 changed files with 136 additions and 27 deletions.
6 changes: 5 additions & 1 deletion .github/workflows/reusable-add-to-project.yml
Expand Up @@ -21,6 +21,10 @@ on:
type: string
default: 'https://github.com/orgs/wabarc/projects/6'
description: 'URL of the project to add issues or pull requests to'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
github-token:
required: true
Expand All @@ -47,7 +51,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
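Review bot: The new `egress-policy` input is a free-form `type: string` with no validation, so a caller can pass any value; harden-runner only understands `audit` and `block`, and a mistyped value is not caught until the Harden Runner step itself runs (I believe the action fails on an unknown value, but that is not verified here). At minimum the description should state the accepted values, e.g. `description: 'Harden-Runner egress traffic policy: audit or block'`, and if stricter enforcement is wanted a guard step that fails on anything other than those two values would catch it before the runner is configured. The `|| 'block'` fallback at the call site duplicates `default: 'block'` for `workflow_call` callers, but it is harmless and also covers an explicitly empty input. The same input block and call-site expression are repeated in every other file section of this commit (reusable-alex.yml through reusable-scorecards.yml), so the description change applies to each of them.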
7 changes: 6 additions & 1 deletion .github/workflows/reusable-alex.yml
Expand Up @@ -13,6 +13,11 @@ on:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -25,7 +30,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
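Review bot: In this file the `|| 'block'` fallback is not redundant: the `pull_request` trigger visible above the hunk does not populate the `inputs` context (it is only set for `workflow_call` and `workflow_dispatch`), so on those runs `inputs.egress-policy` is empty and the `'block'` fallback, not the input's `default:`, is what preserves the previous behaviour. That is worth a comment at the call site so the expression is not later "simplified" to the bare input, e.g. `# inputs is empty on pull_request runs; fall back to block`. reusable-goreportcard.yml, reusable-license.yml and reusable-misspell.yml share the same trigger shape and the same consideration.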
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-aur.yml
Expand Up @@ -19,6 +19,10 @@ on:
type: string
required: true
description: 'Path to stores artifacts.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
wayback-ipfs-apikey:
description: 'Managed IPFS credential for distribution binaries.'
Expand All @@ -35,7 +39,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-deb.yml
Expand Up @@ -22,6 +22,10 @@ on:
type: string
required: true
description: 'Path to stores artifacts.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
wayback-ipfs-apikey:
description: 'Managed IPFS credential for distribution binaries.'
Expand All @@ -38,7 +42,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-flatpak.yml
Expand Up @@ -26,6 +26,10 @@ on:
type: string
required: true
description: 'Path to stores artifacts.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
wayback-ipfs-apikey:
description: 'Managed IPFS credential for distribution binaries.'
Expand All @@ -41,7 +45,7 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: audit
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true

- name: Check out code base
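Review bot: This hunk silently changes the effective default from `audit` to `block`: the removed line was `egress-policy: audit`, the new expression falls back to `'block'`, and unlike the other workflows in this commit this step has no `allowed-endpoints` list, so any caller that does not explicitly pass `egress-policy: audit` now runs the flatpak build with harden-runner blocking outbound traffic it has not been told to allow. I cannot confirm from here whether block mode implicitly permits GitHub's own endpoints, so the checkout step below may or may not survive, but a flatpak build that fetches sources or runtimes will need an explicit allow-list if `block` is really intended. Either preserve the previous behaviour with `default: 'audit'` on the input and `${{ inputs.egress-policy || 'audit' }}` here, or add an `allowed-endpoints` list and call the change out in the commit description. reusable-builder-rpm.yml has the same audit-to-block flip without an `allowed-endpoints` list.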
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-go.yml
Expand Up @@ -58,6 +58,10 @@ on:
type: string
required: true
description: 'Path to stores artifacts.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
wayback-ipfs-apikey:
description: 'Managed IPFS credential for distribution binaries.'
Expand All @@ -74,7 +78,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-rpm.yml
Expand Up @@ -19,6 +19,10 @@ on:
type: string
required: true
description: 'Path to stores artifacts.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
wayback-ipfs-apikey:
description: 'Managed IPFS credential for distribution binaries.'
Expand All @@ -35,7 +39,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: audit
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true

- name: Check out code base
6 changes: 5 additions & 1 deletion .github/workflows/reusable-builder-snap.yml
Expand Up @@ -23,6 +23,10 @@ on:
type: boolean
default: false
description: 'Whether or not to define a workflow called is releasing.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
snapcraft-token:
description: 'The login data for the Snap Store produced with "snapcraft export-login", see: https://gist.github.com/waybackarchiver/076163653504f5fcef9bc4cc55422f5e'
Expand All @@ -40,7 +44,7 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-codeql.yml
Expand Up @@ -13,6 +13,10 @@ on:
config-file:
type: string
description: 'Configuration file of CodeQL.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -30,7 +34,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-dependency-review.yml
Expand Up @@ -21,6 +21,10 @@ on:
deny-licenses:
type: string
description: "Add a custom list of licenses you want to block."
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

# Declare default permissions as read only.
permissions:
Expand All @@ -35,7 +39,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
7 changes: 6 additions & 1 deletion .github/workflows/reusable-fossa.yml
Expand Up @@ -6,6 +6,11 @@ name: FOSSA

on:
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
fossa-apikey:
required: true
Expand All @@ -22,7 +27,7 @@ jobs:
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-golangci.yml
Expand Up @@ -22,6 +22,10 @@ on:
type: string
default: 'latest'
description: 'version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -38,7 +42,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
7 changes: 6 additions & 1 deletion .github/workflows/reusable-goreportcard.yml
Expand Up @@ -13,6 +13,11 @@ on:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -26,7 +31,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
9 changes: 7 additions & 2 deletions .github/workflows/reusable-license.yml
Expand Up @@ -13,6 +13,11 @@ on:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -26,7 +31,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
Expand Down Expand Up @@ -59,7 +64,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
7 changes: 6 additions & 1 deletion .github/workflows/reusable-misspell.yml
Expand Up @@ -13,6 +13,11 @@ on:
- '**'
types: [ opened, synchronize, reopened ]
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -25,7 +30,7 @@ jobs:
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
7 changes: 6 additions & 1 deletion .github/workflows/reusable-nancy.yml
Expand Up @@ -6,6 +6,11 @@ name: Nancy

on:
workflow_call:
inputs:
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

permissions:
contents: read
Expand All @@ -19,7 +24,7 @@ jobs:
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-releaser-gemfury.yml
Expand Up @@ -19,6 +19,10 @@ on:
type: string
required: true
description: 'Package type, supported: deb, rpm.'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
secrets:
fury-token:
description: 'Credential of Gemfury.'
Expand All @@ -37,7 +41,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-releaser-go.yml
Expand Up @@ -15,6 +15,10 @@ on:
type: boolean
default: false
description: 'Generate configuration file for "bina.egoist.dev".'
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'
outputs:
release-note:
description: 'Release notes formatted as markdown.'
Expand All @@ -38,7 +42,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443
6 changes: 5 additions & 1 deletion .github/workflows/reusable-scorecards.yml
Expand Up @@ -18,6 +18,10 @@ on:
type: boolean
default: false
description: "Publish the results for public repositories to enable scorecard badges."
egress-policy:
type: string
default: 'block'
description: 'Harden-Runner egress traffic policy'

# Declare default permissions as read only.
permissions:
Expand All @@ -42,7 +46,7 @@ jobs:
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
with:
disable-sudo: true
egress-policy: block
egress-policy: ${{ inputs.egress-policy || 'block' }}
disable-telemetry: true
allowed-endpoints: >
github.com:443