Support for specifying harden-runner egress policy

.github/workflows/reusable-add-to-project.yml

@@ -21,6 +21,10 @@ on:
         type: string
         default: 'https://github.com/orgs/wabarc/projects/6'
         description: 'URL of the project to add issues or pull requests to'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       github-token:
         required: true
@@ -47,7 +51,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-alex.yml

@@ -13,6 +13,11 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -25,7 +30,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-builder-aur.yml

@@ -19,6 +19,10 @@ on:
         type: string
         required: true
         description: 'Path to stores artifacts.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       wayback-ipfs-apikey:
         description: 'Managed IPFS credential for distribution binaries.'
@@ -35,7 +39,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-builder-deb.yml

@@ -22,6 +22,10 @@ on:
         type: string
         required: true
         description: 'Path to stores artifacts.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       wayback-ipfs-apikey:
         description: 'Managed IPFS credential for distribution binaries.'
@@ -38,7 +42,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-builder-flatpak.yml

@@ -26,6 +26,10 @@ on:
         type: string
         required: true
         description: 'Path to stores artifacts.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       wayback-ipfs-apikey:
         description: 'Managed IPFS credential for distribution binaries.'
@@ -41,7 +45,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
-          egress-policy: audit
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
 
       - name: Check out code base

.github/workflows/reusable-builder-go.yml

@@ -58,6 +58,10 @@ on:
         type: string
         required: true
         description: 'Path to stores artifacts.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       wayback-ipfs-apikey:
         description: 'Managed IPFS credential for distribution binaries.'
@@ -74,7 +78,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-builder-rpm.yml

@@ -19,6 +19,10 @@ on:
         type: string
         required: true
         description: 'Path to stores artifacts.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       wayback-ipfs-apikey:
         description: 'Managed IPFS credential for distribution binaries.'
@@ -35,7 +39,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
 
       - name: Check out code base

.github/workflows/reusable-builder-snap.yml

@@ -23,6 +23,10 @@ on:
         type: boolean
         default: false
         description: 'Whether or not to define a workflow called is releasing.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       snapcraft-token:
         description: 'The login data for the Snap Store produced with "snapcraft export-login", see: https://gist.github.com/waybackarchiver/076163653504f5fcef9bc4cc55422f5e'
@@ -40,7 +44,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-codeql.yml

@@ -13,6 +13,10 @@ on:
       config-file:
         type: string
         description: 'Configuration file of CodeQL.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -30,7 +34,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-dependency-review.yml

@@ -21,6 +21,10 @@ on:
       deny-licenses:
         type: string
         description: "Add a custom list of licenses you want to block."
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 # Declare default permissions as read only.
 permissions:
@@ -35,7 +39,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-fossa.yml

@@ -6,6 +6,11 @@ name: FOSSA
 
 on:
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       fossa-apikey:
         required: true
@@ -22,7 +27,7 @@ jobs:
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-golangci.yml

@@ -22,6 +22,10 @@ on:
         type: string
         default: 'latest'
         description: 'version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -38,7 +42,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-goreportcard.yml

@@ -13,6 +13,11 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -26,7 +31,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-license.yml

@@ -13,6 +13,11 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -26,7 +31,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443
@@ -58,7 +63,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-misspell.yml

@@ -13,6 +13,11 @@ on:
       - '**'
     types: [ opened, synchronize, reopened ]
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -25,7 +30,7 @@ jobs:
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-nancy.yml

@@ -6,6 +6,11 @@ name: Nancy
 
 on:
   workflow_call:
+    inputs:
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 permissions:
   contents: read
@@ -19,7 +24,7 @@ jobs:
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-releaser-gemfury.yml

@@ -19,6 +19,10 @@ on:
         type: string
         required: true
         description: 'Package type, supported: deb, rpm.'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     secrets:
       fury-token:
         description: 'Credential of Gemfury.'
@@ -37,7 +41,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-releaser-go.yml

@@ -15,6 +15,10 @@ on:
         type: boolean
         default: false
         description: 'Generate configuration file for "bina.egoist.dev".'
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
     outputs:
       release-note:
         description: 'Release notes formatted as markdown.'
@@ -38,7 +42,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443

.github/workflows/reusable-scorecards.yml

@@ -18,6 +18,10 @@ on:
         type: boolean
         default: false
         description: "Publish the results for public repositories to enable scorecard badges."
+      egress-policy:
+        type: string
+        default: 'block'
+        description: 'Harden-Runner egress traffic policy'
 
 # Declare default permissions as read only.
 permissions:
@@ -42,7 +46,7 @@ jobs:
         uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
         with:
           disable-sudo: true
-          egress-policy: block
+          egress-policy: ${{ inputs.egress-policy || 'block' }}
           disable-telemetry: true
           allowed-endpoints: >
             github.com:443