From 4f1bccd1f2ec2f04adb15d8b108957f3c316aecd Mon Sep 17 00:00:00 2001
From: Ryu <114303361+ryuapp@users.noreply.github.com>
Date: Sun, 10 May 2026 16:58:10 +0900
Subject: [PATCH 1/3] ci: enforce harden-runner egress policies
---
 .github/workflows/ci.yaml | 35 +++++++++++++++++++++---
 .github/workflows/deploy-playground.yaml | 15 ++++++++--
 .github/workflows/release.yaml | 3 ++
 3 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 603f74a..8c40501 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -24,7 +24,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ index.crates.io:443
+ static.rust-lang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -42,7 +46,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ index.crates.io:443
+ static.rust-lang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -69,7 +77,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ cli.codecov.io:443
+ github.com:443
+ index.crates.io:443
+ ingest.codecov.io:443
+ keybase.io:443
+ o26192.ingest.us.sentry.io:443
+ static.rust-lang.org:443
+ storage.googleapis.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
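Review bot: The `allowed-endpoints` list introduced in this hunk (and the identical one at `@@ -42,7 +46,11 @@`, plus the longer lists at `@@ -69,7 +77,16 @@` and `@@ -90,7 +107,17 @@`) records hosts without saying which step needs them, so whoever later drops rustup or a registry dependency has no way to prune the allowlist safely. A one-line comment above each `allowed-endpoints`, e.g. `# github.com: checkout + action downloads; static.rust-lang.org: rustup; index.crates.io: cargo index`, keeps the block policy auditable. It is also worth stating in that comment that matching is per host and port, so `github.com:443` still permits egress to any repository or gist on GitHub; block mode narrows what a compromised build dependency can reach but is not a complete exfiltration control.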
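Review bot: In the `@@ -69,7 +77,16 @@` hunk, `storage.googleapis.com:443` and `keybase.io:443` are shared multi-tenant hosts, so allowing them grants this job egress to any public GCS bucket and any Keybase account; they presumably serve codecov-action's uploader download and signature-key fetch, and they are the weakest entries in the new block policy. Patches 2/3 of this series try and then revert a path-scoped form, `keybase.io/codecovsecurity/*:443`; harden-runner appears to match `allowed-endpoints` by host and port only (a subdomain wildcard such as the `*.ryu.app:443` used in deploy-playground.yaml being the only pattern it takes), so a path cannot narrow these entries. Record that conclusion beside them so it is not retried: `# keybase.io, storage.googleapis.com: needed by codecov-action; harden-runner cannot scope below host:port`.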
@@ -90,7 +107,17 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ crates.io:443
+ deno.com:443
+ dl.deno.land:443
+ github.com:443
+ index.crates.io:443
+ registry.npmjs.org:443
+ release-assets.githubusercontent.com:443
+ static.crates.io:443
+ static.rust-lang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/deploy-playground.yaml b/.github/workflows/deploy-playground.yaml
index 852fbdf..1c9e3ae 100644
--- a/.github/workflows/deploy-playground.yaml
+++ b/.github/workflows/deploy-playground.yaml
@@ -28,7 +28,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ crates.io:443
+ deno.com:443
+ github.com:443
+ *.ryu.app:443
+ index.crates.io:443
+ release-assets.githubusercontent.com:443
+ static.crates.io:443
+ static.rust-lang.org:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
@@ -61,6 +70,8 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - id: deployment
 uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index fb0a4bb..4aa6953 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
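Review bot: In deploy-playground.yaml's `@@ -28,7 +28,16 @@` hunk, `*.ryu.app:443` is the only wildcard entry in the series and it admits every subdomain of ryu.app, which is broader than the exact hosts used for everything else in that list. If the build reaches one or two fixed hosts under that domain, pin them instead; if the wildcard is genuinely required (for example, per-build subdomains), say so next to it: `# *.ryu.app: <reason the wildcard is required>`. The job these steps belong to starts outside the hunk, so which step performs the fetch is not visible here.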
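Review bot: In deploy-playground.yaml's `@@ -61,6 +70,8 @@` hunk the deploy job moves to `block` with only `api.github.com:443`, while the build job above it also allows `github.com:443`; if `actions/deploy-pages` or any later step in this job needs a second host, the failure will surface at deploy time rather than at build time, which is the most expensive point to discover it. A comment stating where the single-host list came from, e.g. `# deploy-pages only calls api.github.com (taken from this job's harden-runner audit output)`, would make the narrow list defensible and tell the next reader not to widen it casually. The remaining steps of the job continue outside the hunk.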
@@ -13,6 +13,9 @@ jobs:
 contents: read
 id-token: write
 steps:
+ - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
From f56a60164b85232696df418083216ff1a2b7c9ed Mon Sep 17 00:00:00 2001
From: Ryu <114303361+ryuapp@users.noreply.github.com>
Date: Sun, 10 May 2026 19:08:44 +0900
Subject: [PATCH 2/3] try
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 8c40501..87ac3e6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -83,7 +83,7 @@ jobs:
 github.com:443
 index.crates.io:443
 ingest.codecov.io:443
- keybase.io:443
+ keybase.io/codecovsecurity/*:443
 o26192.ingest.us.sentry.io:443
 static.rust-lang.org:443
 storage.googleapis.com:443
From a75f7b1ece5d1afbebf2ceb2fb74f10969d414a4 Mon Sep 17 00:00:00 2001
From: Ryu <114303361+ryuapp@users.noreply.github.com>
Date: Sun, 10 May 2026 19:10:07 +0900
Subject: [PATCH 3/3] Revert "try"
This reverts commit f56a60164b85232696df418083216ff1a2b7c9ed.
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 87ac3e6..8c40501 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -83,7 +83,7 @@ jobs:
 github.com:443
 index.crates.io:443
 ingest.codecov.io:443
- keybase.io/codecovsecurity/*:443
+ keybase.io:443
 o26192.ingest.us.sentry.io:443
 static.rust-lang.org:443
 storage.googleapis.com:443
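Review bot: release.yaml is the only workflow in this series left at `egress-policy: audit`, yet the same hunk shows the job runs with `id-token: write`, which makes it the job whose egress is most worth restricting, since that token is what the publish step exchanges for credentials. If the publish endpoints have not been enumerated yet, say so inline — `egress-policy: audit  # TODO: switch to block once the publish endpoints are confirmed from audit output` — so the series title "enforce harden-runner egress policies" is not read as covering this workflow. For consistency with ci.yaml and deploy-playground.yaml, the step should also carry `- name: Harden Runner`. The job's later steps continue outside the hunk.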