
Commit 8f95923

committed
ci: add harden runner
1 parent 3decc82 commit 8f95923


3 files changed

+84
-0
lines changed


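--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -11,6 +11,20 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+api.netlify.com:443
+api.netlifysdk.com:443
+dl.deno.land:443
+edge.netlify.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 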
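Review bot: The allow-list added to this job has no comment saying which step needs which host, so nobody can later tell whether `dl.deno.land:443` or `api.netlifysdk.com:443` is still required or safe to drop. Under `egress-policy: block` a missing host shows up only as a failed deploy, and the usual reaction is to widen the list by trial. I would add a comment above `allowed-endpoints`, for example `# github.com, api.github.com: checkout; registry.npmjs.org: install; Netlify hosts and dl.deno.land: Netlify deploy (confirm against the Harden-Runner run insights)`. The job's remaining steps are outside the hunk, so that mapping is inferred and should be checked before it is written down.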

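--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,11 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with: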
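Review bot: `egress-policy: audit` in release.yml only records outbound connections, so the release job is the one workflow in this commit left unrestricted while docs.yml and test.yml are set to `block`. If this job holds publish credentials (its steps are outside the hunk, so that is an assumption), it is where exfiltration by a compromised dependency would cost the most. I would either move it to `block` with the endpoints taken from the audit runs' insights, or record the intent next to the setting: `egress-policy: audit # TODO: switch to block once the endpoint list from audit runs is stable`.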

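--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,6 +12,16 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -29,6 +39,16 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -46,6 +66,16 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -63,6 +93,16 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -80,6 +120,16 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -97,6 +147,21 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+with:
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+cli.codecov.io:443
+github.com:443
+ingest.codecov.io:443
+keybase.io:443
+o26192.ingest.us.sentry.io:443
+registry.npmjs.org:443
+release-assets.githubusercontent.com:443
+storage.googleapis.com:443
+
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 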
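Review bot: In the last hunk (`@@ -97,6 +147,21 @@`) the allow-list includes `storage.googleapis.com:443`, a multi-tenant host: the rule admits traffic to any bucket there, not only the one the coverage upload uses, so `block` narrows this job's egress less than the list suggests. The same holds, to a lesser degree, for `github.com:443` and `api.github.com:443` in all six jobs. I would keep the entry if the uploader needs it but say so in place, e.g. `# storage.googleapis.com, keybase.io: Codecov uploader (confirm); shared hosts, keep this job's secrets minimal`, and check that the job exposes nothing beyond what the upload step needs. The five earlier hunks repeat an identical four-host list, so a short comment naming where that list came from would help keep them in sync.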
