-rw-r--r-- | .github/workflows/build-extra.yml | 31 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 4 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 2 |
4 files changed, 31 insertions, 8 deletions
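--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -54,12 +54,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: update package information
         run: sudo apt-get update -qy
@@ -84,12 +88,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: update package information
         run: sudo apt-get update -qy
@@ -110,12 +118,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: update package information
         run: sudo apt-get update -qy
@@ -132,12 +144,17 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             github.com:443
+            packages.microsoft.com:443
+            ppa.launchpad.net:80
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: update package information
         run: sudo apt-get update -qy
@@ -150,12 +167,16 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             github.com:443
+            packages.microsoft.com:443
+            ppa.launchpadcontent.net:443
+            security.ubuntu.com:80
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
       - name: update package information
         run: sudo apt-get update -qy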
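Review bot: The bumped harden-runner commit pin on the `uses:` line of every hunk carries no human-readable version marker, so a reader cannot tell which release `8ca2b8b2ece13480cda6dacd3511b49857a23c09` corresponds to without resolving it upstream; the same applies to the single-line bumps in build.yml, codeql-analysis.yml and profile-checks.yml. The usual convention is a trailing comment, `uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09  # vX.Y.Z` (placeholder — fill in from the upstream tag the SHA resolves to), which Dependabot and Renovate also keep in step with the SHA on later bumps. The `allowed-endpoints` list is otherwise repeated verbatim across all five jobs, and only the ubuntu-20.04 hunk gains `ppa.launchpad.net:80`; that is presumably deliberate for the focal job's PPA handling, but a one-line comment above that job's `allowed-endpoints:` key saying why would make the asymmetry read as intent rather than an omission when the lists next drift. Each job's definition begins before its hunk, so the steps that actually need the new endpoints are not visible here.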
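--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
       SHELL: /bin/bash
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           egress-policy: block
           allowed-endpoints: >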
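--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -75,14 +75,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
+            files.pythonhosted.org:443
             github.com:443
             objects.githubusercontent.com:443
+            pypi.org:443
             uploads.github.com:443
 
       - name: Checkout repository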
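Review bot: The two PyPI endpoints added to `allowed-endpoints` (`files.pythonhosted.org:443` and `pypi.org:443`) carry no record of which step needs them, and a `#` placed inside the folded `>` scalar would become part of the value rather than a comment, so the rationale has to sit above the key. A comment such as `# pypi.org / files.pythonhosted.org: package installs during the CodeQL Python setup` above `allowed-endpoints:` would document why the block-mode egress allow-list grew; the consuming step is outside this hunk, so which step that is remains an assumption to confirm against the rest of the job. Opening a package index through harden-runner is the expected shape for this kind of job, but it is worth checking in the same change that the install step it serves pins what it fetches, since this hunk does not show it.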
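--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
         with:
           disable-sudo: true
           egress-policy: block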