diff --git a/.github/workflows/reusable-add-to-project.yml b/.github/workflows/reusable-add-to-project.yml index 0fa22e3..37cab11 100644 --- a/.github/workflows/reusable-add-to-project.yml +++ b/.github/workflows/reusable-add-to-project.yml @@ -21,6 +21,10 @@ on: type: string default: 'https://github.com/orgs/wabarc/projects/6' description: 'URL of the project to add issues or pull requests to' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: github-token: required: true @@ -47,7 +51,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-alex.yml b/.github/workflows/reusable-alex.yml index 80be267..6f89242 100644 --- a/.github/workflows/reusable-alex.yml +++ b/.github/workflows/reusable-alex.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -25,7 +30,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-builder-aur.yml b/.github/workflows/reusable-builder-aur.yml index c15f6dc..710f48a 100644 --- a/.github/workflows/reusable-builder-aur.yml +++ b/.github/workflows/reusable-builder-aur.yml 
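Review bot: The new `egress-policy` input is an unconstrained string, so a caller can hand Harden-Runner any value and in particular `audit`, which switches off egress enforcement for every reusable workflow in this commit with no signal on the callee side; `workflow_call` inputs have no enum type, so the accepted values should at least be spelled out, e.g. `description: 'Harden-Runner egress traffic policy, one of: audit, block'`, and callers passing a non-default value should be reviewed as a deliberate downgrade. The `|| 'block'` fallback in the step is redundant with `default: 'block'` for workflow_call-only files, but it is what preserves enforcement in the workflows that also run on `push`/`pull_request` (alex, goreportcard, license, misspell, semgrep, shellcheck), where `inputs.egress-policy` is empty, so it should stay. The same applies to the input declaration in every other file of this commit; reusable-urlcheck reuses the identical description while defaulting to `audit`, and that description should say so.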
@@ -19,6 +19,10 @@ on: type: string required: true description: 'Path to stores artifacts.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: wayback-ipfs-apikey: description: 'Managed IPFS credential for distribution binaries.' @@ -35,7 +39,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-builder-deb.yml b/.github/workflows/reusable-builder-deb.yml index a54db72..c2e0b2c 100644 --- a/.github/workflows/reusable-builder-deb.yml +++ b/.github/workflows/reusable-builder-deb.yml @@ -22,6 +22,10 @@ on: type: string required: true description: 'Path to stores artifacts.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: wayback-ipfs-apikey: description: 'Managed IPFS credential for distribution binaries.' @@ -38,7 +42,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-builder-flatpak.yml b/.github/workflows/reusable-builder-flatpak.yml index 5ca1b5c..ee722fa 100644 --- a/.github/workflows/reusable-builder-flatpak.yml +++ b/.github/workflows/reusable-builder-flatpak.yml @@ -26,6 +26,10 @@ on: type: string required: true description: 'Path to stores artifacts.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: wayback-ipfs-apikey: description: 'Managed IPFS credential for distribution binaries.' 
@@ -41,7 +45,7 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: - egress-policy: audit + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true - name: Check out code base diff --git a/.github/workflows/reusable-builder-go.yml b/.github/workflows/reusable-builder-go.yml index 6444265..07e992b 100644 --- a/.github/workflows/reusable-builder-go.yml +++ b/.github/workflows/reusable-builder-go.yml @@ -58,6 +58,10 @@ on: type: string required: true description: 'Path to stores artifacts.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: wayback-ipfs-apikey: description: 'Managed IPFS credential for distribution binaries.' @@ -74,7 +78,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-builder-rpm.yml b/.github/workflows/reusable-builder-rpm.yml index d78a339..ff08f13 100644 --- a/.github/workflows/reusable-builder-rpm.yml +++ b/.github/workflows/reusable-builder-rpm.yml @@ -19,6 +19,10 @@ on: type: string required: true description: 'Path to stores artifacts.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: wayback-ipfs-apikey: description: 'Managed IPFS credential for distribution binaries.' @@ -35,7 +39,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: audit + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true - name: Check out code base diff --git a/.github/workflows/reusable-builder-snap.yml b/.github/workflows/reusable-builder-snap.yml index 3e8d526..b20b9be 100644 
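Review bot: In reusable-builder-flatpak.yml and reusable-builder-rpm.yml the Harden Runner step moves from `egress-policy: audit` to a default of `block`, but unlike every other file in this commit these two `with:` mappings carry no `allowed-endpoints`, and the hunks show the whole mapping (only `egress-policy` and `disable-telemetry`, plus `disable-sudo` in rpm). Harden-Runner's block mode denies outbound traffic that is not allowlisted, so with an empty allowlist the checkout and the Flatpak/RPM build steps that follow can be expected to fail on network access. Either keep `default: 'audit'` and `|| 'audit'` for these two workflows, as reusable-urlcheck does, or add an `allowed-endpoints:` list (at minimum `github.com:443`, plus whatever the builders fetch, taken from an audit run) so that `block` is an enforceable default rather than a job-breaking one.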
--- a/.github/workflows/reusable-builder-snap.yml +++ b/.github/workflows/reusable-builder-snap.yml @@ -23,6 +23,10 @@ on: type: boolean default: false description: 'Whether or not to define a workflow called is releasing.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: snapcraft-token: description: 'The login data for the Snap Store produced with "snapcraft export-login", see: https://gist.github.com/waybackarchiver/076163653504f5fcef9bc4cc55422f5e' @@ -40,7 +44,7 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-codeql.yml b/.github/workflows/reusable-codeql.yml index fe11cfa..e245813 100644 --- a/.github/workflows/reusable-codeql.yml +++ b/.github/workflows/reusable-codeql.yml @@ -13,6 +13,10 @@ on: config-file: type: string description: 'Configuration file of CodeQL.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -30,7 +34,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-dependency-review.yml b/.github/workflows/reusable-dependency-review.yml index d845290..8c7a499 100644 --- a/.github/workflows/reusable-dependency-review.yml +++ b/.github/workflows/reusable-dependency-review.yml 
@@ -21,6 +21,10 @@ on: deny-licenses: type: string description: "Add a custom list of licenses you want to block." + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' # Declare default permissions as read only. permissions: @@ -35,7 +39,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-fossa.yml b/.github/workflows/reusable-fossa.yml index 98496e7..c4d5364 100644 --- a/.github/workflows/reusable-fossa.yml +++ b/.github/workflows/reusable-fossa.yml @@ -6,6 +6,11 @@ name: FOSSA on: workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: fossa-apikey: required: true @@ -22,7 +27,7 @@ jobs: uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-golangci.yml b/.github/workflows/reusable-golangci.yml index 75f519e..8601266 100644 --- a/.github/workflows/reusable-golangci.yml +++ b/.github/workflows/reusable-golangci.yml @@ -22,6 +22,10 @@ on: type: string default: 'latest' description: 'version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read 
@@ -38,7 +42,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-goreportcard.yml b/.github/workflows/reusable-goreportcard.yml index ca0bced..e0d27e1 100644 --- a/.github/workflows/reusable-goreportcard.yml +++ b/.github/workflows/reusable-goreportcard.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -26,7 +31,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-license.yml b/.github/workflows/reusable-license.yml index 710e1fa..ffa0005 100644 --- a/.github/workflows/reusable-license.yml +++ b/.github/workflows/reusable-license.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -26,7 +31,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 @@ -59,7 +64,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 
diff --git a/.github/workflows/reusable-misspell.yml b/.github/workflows/reusable-misspell.yml index 3a4b73e..516d53e 100644 --- a/.github/workflows/reusable-misspell.yml +++ b/.github/workflows/reusable-misspell.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -25,7 +30,7 @@ jobs: uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-nancy.yml b/.github/workflows/reusable-nancy.yml index 8401d12..ad56fce 100644 --- a/.github/workflows/reusable-nancy.yml +++ b/.github/workflows/reusable-nancy.yml @@ -6,6 +6,11 @@ name: Nancy on: workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -19,7 +24,7 @@ jobs: uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-releaser-gemfury.yml b/.github/workflows/reusable-releaser-gemfury.yml index 98413d9..dbad10d 100644 --- a/.github/workflows/reusable-releaser-gemfury.yml +++ b/.github/workflows/reusable-releaser-gemfury.yml @@ -19,6 +19,10 @@ on: type: string required: true description: 'Package type, supported: deb, rpm.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' secrets: fury-token: description: 'Credential of Gemfury.' 
@@ -37,7 +41,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-releaser-go.yml b/.github/workflows/reusable-releaser-go.yml index 52a1572..bfa8f87 100644 --- a/.github/workflows/reusable-releaser-go.yml +++ b/.github/workflows/reusable-releaser-go.yml @@ -15,6 +15,10 @@ on: type: boolean default: false description: 'Generate configuration file for "bina.egoist.dev".' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' outputs: release-note: description: 'Release notes formatted as markdown.' @@ -38,7 +42,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-scorecards.yml b/.github/workflows/reusable-scorecards.yml index a84fad3..0d7fd4c 100644 --- a/.github/workflows/reusable-scorecards.yml +++ b/.github/workflows/reusable-scorecards.yml @@ -18,6 +18,10 @@ on: type: boolean default: false description: "Publish the results for public repositories to enable scorecard badges." + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' # Declare default permissions as read only. permissions: @@ -42,7 +46,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-semgrep.yml b/.github/workflows/reusable-semgrep.yml index c87bf56..e4b2095 100644 
--- a/.github/workflows/reusable-semgrep.yml +++ b/.github/workflows/reusable-semgrep.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -32,7 +37,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-shellcheck.yml b/.github/workflows/reusable-shellcheck.yml index 37d0f77..dc9fbad 100644 --- a/.github/workflows/reusable-shellcheck.yml +++ b/.github/workflows/reusable-shellcheck.yml @@ -13,6 +13,11 @@ on: - '**' types: [ opened, synchronize, reopened ] workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -25,7 +30,7 @@ jobs: uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-stale.yml b/.github/workflows/reusable-stale.yml index dd1826d..e432a3f 100644 --- a/.github/workflows/reusable-stale.yml +++ b/.github/workflows/reusable-stale.yml @@ -8,6 +8,11 @@ on: schedule: - cron: "0 3 * * 6" workflow_call: + inputs: + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: issues: write @@ -22,7 +27,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 
diff --git a/.github/workflows/reusable-super-linter.yml b/.github/workflows/reusable-super-linter.yml index 5be1e53..c0e5d9f 100644 --- a/.github/workflows/reusable-super-linter.yml +++ b/.github/workflows/reusable-super-linter.yml @@ -18,6 +18,10 @@ on: type: boolean default: true description: 'Whether or not to use Super-Linter Slim image action.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -30,7 +34,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > github.com:443 diff --git a/.github/workflows/reusable-trivy.yml b/.github/workflows/reusable-trivy.yml index b024cf9..601c2f2 100644 --- a/.github/workflows/reusable-trivy.yml +++ b/.github/workflows/reusable-trivy.yml @@ -23,6 +23,10 @@ on: type: string default: 'CRITICAL,HIGH' description: 'Severity level.' + egress-policy: + type: string + default: 'block' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -40,7 +44,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > ghcr.io:443 @@ -98,7 +102,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: block + egress-policy: ${{ inputs.egress-policy || 'block' }} disable-telemetry: true allowed-endpoints: > ghcr.io:443 diff --git a/.github/workflows/reusable-urlcheck.yml b/.github/workflows/reusable-urlcheck.yml index b7cc16c..1d6fabc 100644 --- a/.github/workflows/reusable-urlcheck.yml +++ b/.github/workflows/reusable-urlcheck.yml 
@@ -22,6 +22,10 @@ on: type: number default: 30 description: "The timeout seconds for requests." + egress-policy: + type: string + default: 'audit' + description: 'Harden-Runner egress traffic policy' permissions: contents: read @@ -34,7 +38,7 @@ jobs: uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 with: disable-sudo: true - egress-policy: audit + egress-policy: ${{ inputs.egress-policy || 'audit' }} disable-telemetry: true allowed-endpoints: > github.com:443