diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 603f74a..8c40501 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -24,7 +24,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            index.crates.io:443
+            static.rust-lang.org:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
@@ -42,7 +46,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            index.crates.io:443
+            static.rust-lang.org:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
@@ -69,7 +77,16 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            cli.codecov.io:443
+            github.com:443
+            index.crates.io:443
+            ingest.codecov.io:443
+            keybase.io:443
+            o26192.ingest.us.sentry.io:443
+            static.rust-lang.org:443
+            storage.googleapis.com:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
@@ -90,7 +107,17 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            crates.io:443
+            deno.com:443
+            dl.deno.land:443
+            github.com:443
+            index.crates.io:443
+            registry.npmjs.org:443
+            release-assets.githubusercontent.com:443
+            static.crates.io:443
+            static.rust-lang.org:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
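Review bot: The third hunk (`@@ -69,7 +77,16 @@`) allows `keybase.io:443`, `o26192.ingest.us.sentry.io:443` and `storage.googleapis.com:443` without recording why; none of them is tied to a step visible in the hunk, and `storage.googleapis.com` is a shared front door for any GCS bucket, so the allowlist is only as tight as that one entry. Presumably these are reached by the codecov uploader (signature check, telemetry, upload) — confirm against the job's later steps, which lie outside the hunk. Lines inside the `>` block scalar cannot carry comments, so put the reason above the key, e.g. `# keybase.io, sentry.io and storage.googleapis.com are required by the codecov CLI`, with wording matched to what the audit run showed. If the Sentry telemetry endpoint is not needed for the upload itself, dropping it from the list is the tighter option.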
diff --git a/.github/workflows/deploy-playground.yaml b/.github/workflows/deploy-playground.yaml
index 852fbdf..1c9e3ae 100644
--- a/.github/workflows/deploy-playground.yaml
+++ b/.github/workflows/deploy-playground.yaml
@@ -28,7 +28,16 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            crates.io:443
+            deno.com:443
+            github.com:443
+            *.ryu.app:443
+            index.crates.io:443
+            release-assets.githubusercontent.com:443
+            static.crates.io:443
+            static.rust-lang.org:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
@@ -61,6 +70,8 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
       - id: deployment
         uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fb0a4bb..4aa6953 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,9 @@ jobs:
       contents: read
       id-token: write
     steps:
+      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
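Review bot: `*.ryu.app:443` in the first deploy-playground hunk is the only wildcard entry in the whole change; inside the `>` block scalar the leading `*` is literal text rather than an alias sigil, so the YAML is valid, but the entry admits egress to every host under that domain rather than the one the deploy job actually contacts. If harden-runner honours wildcard hosts here, listing the specific host(s) keeps the policy as narrow as the other lists; if the whole domain really is needed, say so above the key, e.g. `# *.ryu.app: playground assets are served from per-deploy subdomains` (adjust to the real reason). The list is also not sorted like the ci.yaml lists (`*.ryu.app` sits between `github.com` and `index.crates.io`), which makes future diffs harder to read.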
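Review bot: The release.yaml hunk adds harden-runner with `egress-policy: audit` while every other job in this change moves to `block`; audit mode only records outbound connections and enforces nothing, and this is the job that holds `id-token: write`, so it is the one where a restricted egress policy matters most. If the release endpoints are not yet known, record the intent above the `with:` block, e.g. `# TODO: switch to egress-policy: block once the audit log shows the endpoints the release needs`; otherwise the same `block` + `allowed-endpoints` pattern used in ci.yaml applies. The job's remaining steps are outside the hunk, so which endpoints it needs cannot be read from here.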