From 56ba1d2271ff21d1104943162704c662c7c9004f Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Sun, 27 Nov 2022 09:12:31 +0100
Subject: Workflows: Change egress-policy to block (#5485)
---
 .github/workflows/build-extra.yml | 24 ++++++++++++++++--------
 .github/workflows/build.yml | 12 ++++++++++--
 .github/workflows/codeql-analysis.yml | 7 ++++++-
 .github/workflows/profile-checks.yml | 3 +++
 4 files changed, 35 insertions(+), 11 deletions(-)
(limited to '.github')
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index e9ec436a4..a7745b83a 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -52,8 +52,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install dependencies
 run: sudo apt-get install libapparmor-dev libselinux1-dev
@@ -71,8 +73,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install clang-tools-14 and dependencies
 run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
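Review bot: The new allowed-endpoints list in this hunk (and the identical lists in the hunks at -71, -86 and -101 of build-extra.yml) gives no indication of which step needs which host, so a later maintainer cannot tell whether an entry may be dropped or must be widened; a one-line comment above the list such as `# azure.archive.ubuntu.com:80 - apt-get install on the hosted image; github.com:443 - actions/checkout` would make the allowlist reviewable. Because GitHub Actions does not expand YAML anchors, the four copies will drift independently; a `# keep in sync with the other Harden Runner steps in this file` note is the cheapest guard until the step is factored into a composite action. These jobs run `sudo apt-get install` with no visible `apt-get update`, which is presumably why only the archive mirror is listed; if an update step is ever added, the extra sources configured on the hosted image (build.yml lists `packages.microsoft.com:443` and `ppa.launchpadcontent.net:443`) would likely be needed here too, otherwise the job fails closed. The remainder of each job is outside the hunk.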
@@ -86,8 +90,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install cppcheck
 run: sudo apt-get install cppcheck
@@ -101,8 +107,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ github.com:443
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: install cppcheck
 run: sudo apt-get install cppcheck
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3119f59b9..3e556b78d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -44,8 +44,16 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+ egress-policy: block
+ allowed-endpoints: >
+ azure.archive.ubuntu.com:80
+ debian.org:80
+ github.com:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
+ www.debian.org:443
+ www.debian.org:80
+ yahoo.com:1025
 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
 - name: update package information
 run: sudo apt-get update
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ad19c9530..dc3211b08 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
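Review bot: Several entries in the new allowed-endpoints list for build.yml (hunk -44) are neither package nor GitHub hosts — `debian.org:80`, `www.debian.org:80`, `www.debian.org:443` and `yahoo.com:1025` — and nothing records which step needs them; since the job's remaining steps are outside the hunk, a comment per entry naming the test that connects to it (e.g. `# yahoo.com:1025 - needed by <TEST NAME>`) is needed so the allowlist can be audited and pruned rather than widened by reflex. The plain-HTTP apt entry is acceptable because apt verifies package signatures, but an `:80` destination used by a test is a cleartext dependency on a third-party host and the comment should say so. `yahoo.com:1025` is a non-standard port on an external host; if the test that uses it only expects the connection attempt to fail, it does not need to be allowlisted at all, since a block-mode denial exercises the same failure path and additionally surfaces as a harden-runner finding — worth confirming against the test before keeping the entry.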
@@ -72,7 +72,12 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 - name: Checkout repository uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index f6a9336b8..a6a784762 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml @@ -26,7 +26,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 with: + disable-sudo: true egress-policy: block + allowed-endpoints: > + github.com:443 - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 - name: sort.py -- cgit v1.2.3-54-g00ecf
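Review bot: The allowlist added in the codeql-analysis.yml hunk (-72) carries no comment tying each host to a step, and it may be incomplete: the CodeQL init step fetches the CodeQL bundle as a GitHub release asset, and if that download is served by a redirect to an `objects.githubusercontent.com` host, the init step fails closed under `block` even though `github.com:443` is listed; confirm with one audit-mode run or the harden-runner insights before relying on this list. With `disable-sudo: true` now set in the same step, any later `sudo apt-get` in this job would also fail; the remaining steps of the job are outside the hunk. A short hedged comment above `allowed-endpoints`, such as `# api.github.com / uploads.github.com: presumably results upload; github.com: checkout and CodeQL bundle download - TODO confirm`, would document the intent for the next maintainer.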