Workflows: Change egress-policy to block (#5485)

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2022-11-27 09:12:31 +0100
committer: GitHub <noreply@github.com> 2022-11-27 09:12:31 +0100
commit: 56ba1d2271ff21d1104943162704c662c7c9004f (patch)
tree: d135f63fbe2a5d262f5eff50fbf637ce637a9159 /.github/workflows/build-extra.yml
parent: Workflows: Change egress-policy to block (diff)
download: firejail-56ba1d2271ff21d1104943162704c662c7c9004f.tar.gz
firejail-56ba1d2271ff21d1104943162704c662c7c9004f.tar.zst
firejail-56ba1d2271ff21d1104943162704c662c7c9004f.zip
1 files changed, 16 insertions, 8 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index e9ec436a4..a7745b83a 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -52,8 +52,10 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: install dependencies
      run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -71,8 +73,10 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: install clang-tools-14 and dependencies
      run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -86,8 +90,10 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: install cppcheck
      run: sudo apt-get install cppcheck
@@ -101,8 +107,10 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          azure.archive.ubuntu.com:80
+          github.com:443
    - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
    - name: install cppcheck
      run: sudo apt-get install cppcheck
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2022-11-27 09:12:31 +0100
committer	GitHub <noreply@github.com>	2022-11-27 09:12:31 +0100
commit	56ba1d2271ff21d1104943162704c662c7c9004f (patch)
tree	d135f63fbe2a5d262f5eff50fbf637ce637a9159 /.github/workflows/build-extra.yml
parent	Workflows: Change egress-policy to block (diff)
download	firejail-56ba1d2271ff21d1104943162704c662c7c9004f.tar.gz firejail-56ba1d2271ff21d1104943162704c662c7c9004f.tar.zst firejail-56ba1d2271ff21d1104943162704c662c7c9004f.zip

diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index e9ec436a4..a7745b83a 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml
@@ -52,8 +52,10 @@ jobs:
52	- name: Harden Runner	52	- name: Harden Runner
53	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5	53	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
54	with:	54	with:
55	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs	55	egress-policy: block
56		56	allowed-endpoints: >
		57	azure.archive.ubuntu.com:80
		58	github.com:443
57	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8	59	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
58	- name: install dependencies	60	- name: install dependencies
59	run: sudo apt-get install libapparmor-dev libselinux1-dev	61	run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -71,8 +73,10 @@ jobs:
71	- name: Harden Runner	73	- name: Harden Runner
72	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5	74	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
73	with:	75	with:
74	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs	76	egress-policy: block
75		77	allowed-endpoints: >
		78	azure.archive.ubuntu.com:80
		79	github.com:443
76	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8	80	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
77	- name: install clang-tools-14 and dependencies	81	- name: install clang-tools-14 and dependencies
78	run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev	82	run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
@@ -86,8 +90,10 @@ jobs:
86	- name: Harden Runner	90	- name: Harden Runner
87	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5	91	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
88	with:	92	with:
89	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs	93	egress-policy: block
90		94	allowed-endpoints: >
		95	azure.archive.ubuntu.com:80
		96	github.com:443
91	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8	97	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
92	- name: install cppcheck	98	- name: install cppcheck
93	run: sudo apt-get install cppcheck	99	run: sudo apt-get install cppcheck
@@ -101,8 +107,10 @@ jobs:
101	- name: Harden Runner	107	- name: Harden Runner
102	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5	108	uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
103	with:	109	with:
104	egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs	110	egress-policy: block
105		111	allowed-endpoints: >
		112	azure.archive.ubuntu.com:80
		113	github.com:443
106	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8	114	- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
107	- name: install cppcheck	115	- name: install cppcheck
108	run: sudo apt-get install cppcheck	116	run: sudo apt-get install cppcheck