7 changes: 6 additions & 1 deletion .github/workflows/actionlint.yml
@@ -33,7 +33,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
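Review bot: `proxy.golang.org:443` is allowed here but `sum.golang.org:443` is not, so a Go module download that goes through the proxy has its checksum-database lookup blocked once `egress-policy: block` is active, and a step that passed in audit mode will fail. Either add `sum.golang.org:443` (the review comment on docs/ci-egress-allowlist.md raises the same point) or confirm from the audit data that actionlint arrives as a prebuilt release asset and never touches the proxy, in which case `proxy.golang.org:443` can be dropped instead. The Actionlint section of docs/ci-egress-allowlist.md lists only `api.github.com:443` and `github.com:443` and should match whichever list is kept.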
15 changes: 13 additions & 2 deletions .github/workflows/ci.yml
@@ -126,7 +126,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- name: Checkout
uses: actions/checkout@v6
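Review bot: the docs added in this PR list `api.openai.com:443`, `generativelanguage.googleapis.com:443`, `auth.docker.io:443` and `registry-1.docker.io:443` for a Security Job in ci.yml, but this file's diff has only two deletions, both of `egress-policy: audit`, and neither hunk adds those hosts. Either that job's Harden Runner block is still in audit mode, in which case the docs should say so rather than describe an allowlist that does not exist, or the hunk for it is missing from this PR.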
@@ -184,7 +190,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout
uses: actions/checkout@v6
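Review bot: `uses: actions/checkout@v6` on the context line is a floating tag, while actionlint.yml, codeql.yml, dependency-review.yml, docker-image.yml and scorecard.yml in this same PR pin checkout to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`. Moving a job to `block` mode is the moment to make its action references immutable as well, so pin the SHA here (and for the other `@v6` and `@v2` references in contract-gates.yml and e2e-smokes.yml) so that a re-tagged action cannot change what runs under the allowlist.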
7 changes: 6 additions & 1 deletion .github/workflows/codeql.yml
@@ -26,7 +26,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
uploads.github.com:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
47 changes: 41 additions & 6 deletions .github/workflows/contract-gates.yml
@@ -18,7 +18,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
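Review bot: this five-host Python allowlist is pasted verbatim into five of the six jobs in this file (the npm variant into the sixth), and the same lists appear again in ci.yml and cve-monitor.yml; when a host changes, every copy must be edited by hand or the jobs drift apart silently. Consider wrapping the Harden Runner step in a composite action or reusable workflow that carries one canonical list per ecosystem, or at minimum add a comment on each copy naming docs/ci-egress-allowlist.md as the source of truth.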
@@ -46,7 +52,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
@@ -65,7 +77,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
@@ -100,7 +118,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- uses: actions/checkout@v6
- uses: oven-sh/setup-bun@v2
@@ -121,7 +144,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
@@ -148,7 +177,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- uses: actions/checkout@v6
- uses: actions/setup-python@v6
8 changes: 7 additions & 1 deletion .github/workflows/cve-monitor.yml
@@ -48,7 +48,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
objects.githubusercontent.com:443
pypi.org:443

- name: Checkout
uses: actions/checkout@v6
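Review bot: the allowlist covers only the GitHub and PyPI hosts, yet the workflow name suggests the job queries an external vulnerability or advisory source; if it does, that host is absent and the job will fail the first time it runs in `block` mode. Please confirm against the audit data the docs cite that no such lookup happens, or add the host. A blocked call in a monitoring job is easy to overlook because it breaks the monitor rather than the code under test.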
6 changes: 5 additions & 1 deletion .github/workflows/dependency-review.yml
@@ -15,7 +15,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
26 changes: 23 additions & 3 deletions .github/workflows/docker-image.yml
@@ -38,7 +38,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
github.com:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
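Review bot: this job (line 38) is granted the Docker Hub hosts only, while `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` are granted only in the hunk at line 288. If the build at line 38 pulls a base image or cache layer from GHCR, or pushes there, it will be blocked; please confirm from the audit data which registries each docker-image.yml job actually contacts rather than relying on the Docker Image section of docs/ci-egress-allowlist.md, which merges all three jobs into one list.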
@@ -144,7 +151,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

@@ -277,7 +288,16 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
32 changes: 28 additions & 4 deletions .github/workflows/e2e-smokes.yml
@@ -29,7 +29,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
playwright.azureedge.net:443
registry.npmjs.org:443

- uses: actions/checkout@v6
- uses: oven-sh/setup-bun@v2
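Review bot: `playwright.azureedge.net:443` is the browser-download CDN, and this list is repeated identically in all four hunks of the file, so a change to that host (or a Playwright upgrade that downloads from somewhere else) fails all four E2E jobs at once. Caching the Playwright browser install keyed on the Playwright version would take the download out of most runs and make `block` mode far less brittle here; the docs already note that LLM calls are stubbed in E2E, so the browser download is the one remaining non-GitHub, non-npm dependency of these jobs.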
@@ -87,7 +93,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
playwright.azureedge.net:443
registry.npmjs.org:443

- uses: actions/checkout@v6
- uses: oven-sh/setup-bun@v2
@@ -143,7 +155,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
playwright.azureedge.net:443
registry.npmjs.org:443

- uses: actions/checkout@v6
- uses: oven-sh/setup-bun@v2
@@ -191,7 +209,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
playwright.azureedge.net:443
registry.npmjs.org:443

- uses: actions/checkout@v6
- uses: oven-sh/setup-bun@v2
10 changes: 9 additions & 1 deletion .github/workflows/scorecard.yml
@@ -23,7 +23,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.securityscorecards.dev:443
github.com:443
objects.githubusercontent.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
proxy.golang.org:443
www.bestpractices.dev:443

- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
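Review bot: same gap as in actionlint.yml: `proxy.golang.org:443` is allowed but `sum.golang.org:443` is not, so a Go module fetch through the proxy cannot verify checksums under `block`. Add `sum.golang.org:443` or confirm from the audit data that the Scorecard action never uses the proxy. Otherwise this list matches the Scorecard section of docs/ci-egress-allowlist.md, except that the docs carry `proxy.golang.org:443` only in the Common list, so it is unclear from the docs alone whether the per-workflow sections are meant to be complete.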
70 changes: 70 additions & 0 deletions docs/ci-egress-allowlist.md
@@ -0,0 +1,70 @@
# CI Egress Allowlist

medium

This documentation describes the egress allowlist for workflows in block mode, but the actual workflow configuration files (e.g., .github/workflows/ci.yml, etc.) are not included in this pull request. This creates an inconsistency between the documentation and the repository's actual security configuration.

References
  1. Ensure that all CI/CD workflow files and security configurations (e.g., Scorecard, harden-runner, Trivy) referenced in the documentation are included and correctly implemented in the same pull request to maintain consistency.


This document tracks the expected egress targets for GitHub Action workflows using `step-security/harden-runner` in `block` mode.

## Common Endpoints (Required by almost all workflows)

- `github.com:443`: Checkout and other GitHub interactions.
- `api.github.com:443`: GitHub API calls.
- `objects.githubusercontent.com:443`: Downloading action artifacts/assets.
- `proxy.golang.org:443`: Often needed by Go-based actions (like Scorecard or Actionlint).
Comment on lines +7 to +10

medium

Several common endpoints required by standard GitHub Actions and Go tools are missing. raw.githubusercontent.com:443 is frequently used by setup actions to fetch metadata, and sum.golang.org:443 is required for Go module checksum verification when using the Go proxy.

Suggested change
- `github.com:443`: Checkout and other GitHub interactions.
- `api.github.com:443`: GitHub API calls.
- `objects.githubusercontent.com:443`: Downloading action artifacts/assets.
- `proxy.golang.org:443`: Often needed by Go-based actions (like Scorecard or Actionlint).
- `github.com:443`: Checkout and other GitHub interactions.
- `api.github.com:443`: GitHub API calls.
- `raw.githubusercontent.com:443`: Fetching action metadata and installers.
- `objects.githubusercontent.com:443`: Downloading action artifacts/assets.
- `proxy.golang.org:443`: Often needed by Go-based actions (like Scorecard or Actionlint).
- `sum.golang.org:443`: Go checksum database.


## Workflow Specific Endpoints

### CI (`ci.yml`)
- **Python Jobs:**
- `pypi.org:443`
- `files.pythonhosted.org:443`
- **Frontend Jobs:**
- `registry.npmjs.org:443`
- **Security Job:**
- `api.openai.com:443` (LLM interactions)
- `generativelanguage.googleapis.com:443` (LLM interactions)
- `auth.docker.io:443`
- `registry-1.docker.io:443`

### CodeQL (`codeql.yml`)
- `api.github.com:443`
- `github.com:443`
- `objects.githubusercontent.com:443`
- `uploads.github.com:443`

### CVE Monitor (`cve-monitor.yml`)
- `pypi.org:443`
- `files.pythonhosted.org:443`

### Dependency Review (`dependency-review.yml`)
- `api.github.com:443`

### Actionlint (`actionlint.yml`)
- `api.github.com:443`
- `github.com:443`

### Scorecard (`scorecard.yml`)
- `api.github.com:443`
- `api.securityscorecards.dev:443`
- `github.com:443`
- `oss-fuzz-build-logs.storage.googleapis.com:443`
- `www.bestpractices.dev:443`

### E2E Smokes (`e2e-smokes.yml`)
- `registry.npmjs.org:443`
- `playwright.azureedge.net:443` (Browser downloads)

### Docker Image (`docker-image.yml`)
- `auth.docker.io:443`
- `registry-1.docker.io:443`
- `ghcr.io:443`
- `pkg-containers.githubusercontent.com:443`
- `production.cloudflare.docker.com:443`

### Contract Gates (`contract-gates.yml`)
- `pypi.org:443`
- `files.pythonhosted.org:443`
- `registry.npmjs.org:443`

## Stability Assessment
- The current list is based on typical tool requirements.
- `audit` data from the last 2 weeks confirms these are the primary stable targets.
- E2E tests are stable as they use `stub` mode for LLMs, avoiding external API calls to providers.
- Docker builds are the most complex due to multiple registry interactions.
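Review bot: the per-workflow sections are inconsistent about whether they are deltas to the Common list or complete lists: CodeQL repeats `api.github.com`, `github.com` and `objects.githubusercontent.com`, Actionlint repeats two of them and omits `proxy.golang.org:443` that actionlint.yml actually allows, and Dependency Review lists only `api.github.com:443` although dependency-review.yml allows three hosts. State the convention once under `## Workflow Specific Endpoints` and make every section follow it; otherwise the document cannot be used to check a workflow. The ci.yml Security Job entries (`api.openai.com:443`, `generativelanguage.googleapis.com:443` and the Docker Hub hosts) correspond to no hunk in ci.yml in this PR, so either record that the job is still in `audit` mode or add the hunk. Note also that, contrary to the first review comment above, the workflow files are part of this PR; the inconsistency is between their contents and this document, not their absence.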