From 03a1f471c468df5ffd62d94b18571af3d631cdbd Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann" <kmk3.code@protonmail.com>
Date: Mon, 10 Apr 2023 06:00:25 -0300
Subject: ci: fix codeql unable to download its own bundle

Due to step-security/harden-runner blocking access to
objects.githubusercontent.com.

Log from a recent run of CodeQL[1] [2]:

    ##[group]Setup CodeQL tools
    Did not find CodeQL tools version 2.12.6 in the toolcache.
    Downloading CodeQL tools from https://github.com/github/codeql-action/releases/download/codeql-bundle-20230403/codeql-bundle-linux64.tar.gz. This may take a while.
    connect ECONNREFUSED 54.185.253.63:443
    Waiting 13 seconds before trying again
    connect ECONNREFUSED 54.185.253.63:443
    Waiting 12 seconds before trying again
    ##[error]connect ECONNREFUSED 54.185.253.63:443
    ##[error]Unable to download and extract CodeQL CLI
    Post job cleanup.
    [...]
    Mon, 10 Apr 2023 07:20:18 GMT:endpoint called ip address:port 140.82.112.4:443, domain: github.com.
    Mon, 10 Apr 2023 07:20:20 GMT:endpoint called ip address:port 140.82.112.6:443, domain: api.github.com.
    Mon, 10 Apr 2023 07:20:23 GMT:domain not allowed: objects.githubusercontent.com.
    Mon, 10 Apr 2023 07:20:23 GMT:ip address dropped: 54.185.253.63
    Mon, 10 Apr 2023 07:20:23 GMT:endpoint called ip address:port 140.82.112.4:443, domain: github.com.
    Mon, 10 Apr 2023 07:20:23 GMT:endpoint called ip address:port 54.185.253.63:443, domain: objects.githubusercontent.com.
    Mon, 10 Apr 2023 07:20:35 GMT:domain not allowed: api.snapcraft.io.

[1] https://github.com/netblue30/firejail/pull/5781
[2] https://github.com/netblue30/firejail/actions/runs/4655304231/jobs/8238131624
---
 .github/workflows/codeql-analysis.yml | 1 +
 1 file changed, 1 insertion(+)

(limited to '.github')

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3a112fdc2..aaa21053f 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -81,6 +81,7 @@ jobs:
         allowed-endpoints: >
           api.github.com:443
           github.com:443
+          objects.githubusercontent.com:443
           uploads.github.com:443
 
     - name: Checkout repository
-- 
cgit v1.2.3-54-g00ecf