diff --git a/.github/workflows/approval-comment.yaml b/.github/workflows/approval-comment.yaml
index f8355869e..dcc545d8e 100644
--- a/.github/workflows/approval-comment.yaml
+++ b/.github/workflows/approval-comment.yaml
@@ -14,7 +14,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index 5dcb0d525..5cdf6ee06 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -21,12 +21,22 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ coveralls.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ storage.googleapis.com:443
+ sum.golang.org:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-deps
 with:
- k8sVersion: ${{ matrix.k8sVersion }}
+ k8sVersion: ${{ matrix.k8sVersion }}
 - run: K8S_VERSION=${{ matrix.k8sVersion }} make ci-test
 - name: Send coverage # should only send coverage once https://docs.coveralls.io/parallel-builds
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 088bd73b4..cd8e95a0c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,7 +5,7 @@ on:
 pull_request:
 workflow_dispatch:
 permissions:
- contents: read
+ contents: read
 jobs:
 ci:
 runs-on: ubuntu-latest
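Review bot: `disable-sudo: true` is left out of the Harden Runner step in the ci-test.yml hunk, while the same change adds it in approval-comment.yaml, dependency-review.yaml, e2e-matrix.yaml, release-trigger.yaml, resolve-args.yaml and scorecards.yml; ci.yml, codeql-analysis.yml, deflake.yml and e2e.yaml omit it in the same way. Presumably the jobs that run `./.github/actions/install-deps` or `make ci-test` need root and the omission is deliberate, but nothing in the workflow records that, so a later cleanup could "fix" it in either direction. A one-line comment above `egress-policy: block` would settle it, e.g. `# disable-sudo intentionally omitted: <step that needs root>`, and the same line fits the other four workflows. The job containing this step begins before the hunk.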
@@ -13,7 +13,17 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+ vuln.go.dev:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-deps
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index f9674a8a8..ef8ef2af5 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,7 +28,20 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ dc.services.visualstudio.com:443
+ github.com:443
+ login.microsoftonline.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ storage.googleapis.com:443
+ sum.golang.org:443
+ uploads.github.com:443
+ vuln.go.dev:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-deps
diff --git a/.github/workflows/deflake.yml b/.github/workflows/deflake.yml
index 54758dfe8..274573f92 100644
--- a/.github/workflows/deflake.yml
+++ b/.github/workflows/deflake.yml
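Review bot: `dc.services.visualstudio.com:443` and `login.microsoftonline.com:443` in the codeql-analysis.yml allowlist are the only entries that are neither GitHub nor Go module infrastructure, and nothing in the hunk says which step needs them; they look like an Azure Application Insights ingestion host and a Microsoft identity endpoint, which under a block policy is worth recording so they are neither kept nor dropped by accident later. e2e.yaml in this same change documents its unusual endpoints with comments under `with:`; the same style fits here, e.g. `# dc.services.visualstudio.com / login.microsoftonline.com: needed by <step> — confirm` above `allowed-endpoints: >`. If they turn out to be telemetry only, one `egress-policy: audit` run without them would show whether the job still passes. The job containing this step begins before the hunk.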
@@ -16,7 +16,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ storage.googleapis.com:443
+ sum.golang.org:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: ./.github/actions/install-deps
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index bf2dcfbae..661110cc2 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -19,7 +19,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
 - name: 'Checkout Repository'
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml
index f8638fc0b..26c47a39c 100644
--- a/.github/workflows/e2e-matrix.yaml
+++ b/.github/workflows/e2e-matrix.yaml
@@ -21,7 +21,7 @@ on:
 permissions:
 contents: read
-
+
 jobs:
 initialize-generative-params:
 runs-on: ubuntu-latest
@@ -31,7 +31,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: block
+ # no allowed endpoints
+ allowed-endpoints: >
 - id: generate-e2e-run-hash
 run: |
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index c2d8c52b6..b86d9e93d 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
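Review bot: `allowed-endpoints: >` in the e2e-matrix.yaml hunk has no content lines, so the folded scalar parses as an empty string; that is valid YAML, but it reads like a truncated list and the `# no allowed endpoints` comment is doing the work the syntax should do. If the action's default for this input is empty (confirm in the action's input definitions), dropping the key and keeping the intent in a comment is clearer: `egress-policy: block` followed by `# no allowed-endpoints: every outbound connection from this job is blocked`. Otherwise write `allowed-endpoints: ""` so the empty value is explicit rather than implied by a block scalar with nothing under it. The step list continues before and after this hunk.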
@@ -47,7 +47,36 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ egress-policy: block
+ # - wildcards to allow for variation in targeted clusters
+ # - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffold,
+ # likely telemetry, likely can be avoided/blocked with/after "skaffold config set --global collect-metrics false"
+ allowed-endpoints: >
+ *.azmk8s.io:443
+ *.azurecr.io:443
+ *.data.mcr.microsoft.com:443
+ aka.ms:443
+ api.github.com:443
+ app.aladdin.microsoft.com:443
+ auth.docker.io:443
+ azcliextensionsync.blob.core.windows.net:443
+ clients3.google.com:80
+ dc.services.visualstudio.com:443
+ distroless.dev:443
+ firebaselogging-pa.googleapis.com:443
+ gist.githubusercontent.com:443
+ github.com:443
+ graph.microsoft.com:443
+ index.docker.io:443
+ login.microsoftonline.com:443
+ management.azure.com:443
+ mcr.microsoft.com:443
+ objects.githubusercontent.com:443
+ proxy.golang.org:443
+ raw.githubusercontent.com:443
+ storage.googleapis.com:443
+ sum.golang.org:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
diff --git a/.github/workflows/release-trigger.yaml b/.github/workflows/release-trigger.yaml
index 5e9393669..e4430ec82 100644
--- a/.github/workflows/release-trigger.yaml
+++ b/.github/workflows/release-trigger.yaml
@@ -19,7 +19,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ registry.npmjs.org:443
+
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
diff --git a/.github/workflows/resolve-args.yaml b/.github/workflows/resolve-args.yaml
index 05c594eee..1bed15aea 100644
--- a/.github/workflows/resolve-args.yaml
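Review bot: The e2e.yaml allowlist keeps `clients3.google.com:80` and `firebaselogging-pa.googleapis.com:443` even though the comment directly above it says they are Skaffold telemetry that `skaffold config set --global collect-metrics false` would avoid; the port-80 entry is the only cleartext destination in the whole change, so the block policy is being relaxed for traffic the job does not need. Running that `skaffold config` command in a step before Skaffold is first invoked, then removing the two entries, would let the comment describe what the list does rather than what it could do; one more `egress-policy: audit` run would confirm no other Skaffold host is contacted. The wildcard entries (`*.azmk8s.io:443`, `*.azurecr.io:443`, `*.data.mcr.microsoft.com:443`) are broad, but the comment explains why, which is the right way to carry them. The job and the steps that use these hosts lie outside this hunk.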
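Review bot: The blank added line after `registry.npmjs.org:443` in release-trigger.yaml sits inside the `allowed-endpoints: >` block scalar; with clip chomping it only changes the value's trailing newline, but it is the one Harden Runner block in this change with a stray line in it, and if the line carries trailing spaces yamllint will flag it. Dropping that line keeps this block uniform with the other workflows touched here. Whether a step in this job actually reaches `registry.npmjs.org` is not visible in the hunk; the job body continues below it.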
+++ b/.github/workflows/resolve-args.yaml
@@ -7,7 +7,7 @@ on:
 permissions:
 contents: read
-
+
 jobs:
 resolve:
 runs-on: ubuntu-latest
@@ -18,7 +18,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - if: github.event_name == 'workflow_run'
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 3a0ad315a..fe000bd34 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -33,7 +33,26 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ disable-telemetry: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.osv.dev:443
+ api.scorecard.dev:443
+ api.securityscorecards.dev:443
+ auth.docker.io:443
+ bestpractices.coreinfrastructure.org:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ index.docker.io:443
+ mcr.microsoft.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ rekor.sigstore.dev:443
+ sigstore-tuf-root.storage.googleapis.com:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
 - name: "Checkout code"
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7