

fix: Allow more endpoints in Hardened Runner.
yonas committed Nov 27, 2024
1 parent 32f8f87 commit 1d92936
Showing 9 changed files with 103 additions and 13 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/changelog.yaml
Expand Up @@ -31,6 +31,9 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
index.crates.io:443
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
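Review bot: `index.crates.io:443` is allowed here without `static.crates.io:443`, so a job that resolves crates through the sparse index would still be blocked when it fetches the crate archives; the same pairing is missing in dependency-review.yml, scorecard.yaml and the first lint.yaml hunk, while licenses.yaml, security.yaml and the second lint.yaml hunk add both. If these jobs never run cargo with dependencies, the Rust entries are unnecessary breadth and could be dropped instead. Either way a short comment above the group, `# rust toolchain + crate index/archives for cargo steps`, would record why each group is allowed. The allowed-endpoints block starts above this hunk.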
72 changes: 62 additions & 10 deletions .github/workflows/cross-build.yaml
Expand Up @@ -45,6 +45,16 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
azure.archive.ubuntu.com:80
changelogs.ubuntu.com:443
esm.ubuntu.com:443
security.ubuntu.com:80
packages.microsoft.com:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -69,7 +79,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -82,6 +91,18 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
azure.archive.ubuntu.com:80
changelogs.ubuntu.com:443
esm.ubuntu.com:443
packages.microsoft.com
0.freebsd.pool.ntp.org:443
2.freebsd.pool.ntp.org:443
pkg.freebsd.org:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand Down Expand Up @@ -125,7 +146,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -138,6 +158,19 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
azure.archive.ubuntu.com:80
changelogs.ubuntu.com:443
esm.ubuntu.com:443
packages.microsoft.com:443
cdn.openbsd.org
pool.ntp.org:443
time.cloudflare.com:443
www.google.com:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -156,11 +189,6 @@ jobs:
ls -lah
whoami
env
freebsd-version
sysctl hw.model
sysctl hw.ncpu
sysctl hw.physmem
sysctl hw.usermem
cargo test --all-features
netbsd:
Expand All @@ -171,7 +199,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -184,6 +211,19 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
archive.ubuntu.com:80
azure.archive.ubuntu.com:80
changelogs.ubuntu.com:443
esm.ubuntu.com:443
packages.microsoft.com:443
security.ubuntu.com:80
2.netbsd.pool.ntp.org:443
cdn.NetBSD.org:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand Down Expand Up @@ -213,7 +253,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -226,6 +265,11 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
dl-cdn.alpinelinux.org:80
gitlab.alpinelinux.org:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -249,7 +293,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -262,6 +305,15 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
2.netbsd.pool.ntp.org:443
archlinux.org:443
geo.mirror.pkgbuild.com:443
openpgpkey.archlinux.org:443
- name: Checkout sources
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
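Review bot: `disable-sudo: true` is removed from every Harden Runner step in this file (hunks @@ -69,7 +79,6, @@ -125,7 +146,6, @@ -171,7 +199,6, @@ -213,7 +253,6, @@ -249,7 +293,6) and in release-packaging.yaml, which the commit title does not mention; this widens what a compromised step can do on the runner. If a step genuinely needs sudo, keep the weakening scoped to that job and document it at the Harden Runner step, e.g. `# disable-sudo omitted: <step> needs root for <reason>`; otherwise restore the line. Two new entries carry no port, `packages.microsoft.com` (@@ -82,6 +91,18 hunk) and `cdn.openbsd.org` (@@ -138,6 +158,19 hunk), unlike every other entry; unless harden-runner treats a bare host as all-ports, make them `packages.microsoft.com:443` and `cdn.openbsd.org:443` so the intent is explicit. The NTP pool hosts are listed on port 443 although NTP normally uses UDP 123, and `www.google.com:443` is a broad allow; confirm which host and port the guest VM actually contacts so each entry matches real traffic rather than a guess. Each allowed-endpoints block starts above its hunk.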
3 changes: 3 additions & 0 deletions .github/workflows/dependency-review.yml
Expand Up @@ -32,6 +32,9 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
index.crates.io:443
- name: 'Checkout Repository'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
4 changes: 4 additions & 0 deletions .github/workflows/licenses.yaml
Expand Up @@ -32,6 +32,10 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # nightly
7 changes: 7 additions & 0 deletions .github/workflows/lint.yaml
Expand Up @@ -35,6 +35,9 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
index.crates.io:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6
Expand Down Expand Up @@ -76,6 +79,10 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
index.crates.io:443
static.crates.io:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6
11 changes: 10 additions & 1 deletion .github/workflows/release-packaging.yaml
Expand Up @@ -18,7 +18,6 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
Expand All @@ -31,6 +30,16 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
azure.archive.ubuntu.com:80
changelogs.ubuntu.com:443
esm.ubuntu.com:443
security.ubuntu.com:80
packages.microsoft.com:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # stable
3 changes: 3 additions & 0 deletions .github/workflows/scorecard.yaml
Expand Up @@ -40,6 +40,9 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
index.crates.io:443
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
4 changes: 4 additions & 0 deletions .github/workflows/security.yaml
Expand Up @@ -86,6 +86,10 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # stable
9 changes: 7 additions & 2 deletions .github/workflows/test-with-coverage.yaml
Expand Up @@ -42,6 +42,12 @@ jobs:
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
objects.githubusercontent.com:443
static.rust-lang.org:443
static.crates.io:443
index.crates.io:443
just.systems:443
taskfile.dev:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Expand Down Expand Up @@ -72,7 +78,7 @@ jobs:
- name: Install dependencies
run: |
curl --proto '=https' --tlsv1.3 -sSf https://just.systems/install.sh | bash -s -- --to /usr/local/bin
sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d && sudo mv bin/task /usr/local/bin/
sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d && mv bin/task /usr/local/bin/
- name: Run tests
env:
Expand All @@ -84,7 +90,6 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
curl --proto '=https' --tlsv1.3 -sSf https://raw.githubusercontent.com/yonasBSD/rust-ci-github-actions-workflow/refs/heads/main/install.sh | sh -s -- --to /usr/local/bin
cargo clean
cargo test $CARGO_OPTIONS -- -Z unstable-options --format json | cargo2junit > results.xml;
cargo llvm-cov --all-features --workspace --codecov --output-path ./codecov.json
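Review bot: The rewritten taskfile install line still fetches and executes an unpinned remote script via `curl --location` with none of the transport hardening the preceding just line uses (`--proto '=https' --tlsv1.3 -sSf`), so a redirect away from HTTPS or a non-2xx error body could end up being executed; at minimum make it `sh -c "$(curl --proto '=https' --tlsv1.3 -sSf --location https://taskfile.dev/install.sh)" -- -d && mv bin/task /usr/local/bin/`. Allowing `just.systems:443` and `taskfile.dev:443` lets these pipe-to-shell installs pass egress filtering, but nothing verifies what is executed; downloading a pinned release archive and checking its checksum would close that gap. Dropping `sudo` from the `mv` assumes the runner user can write to `/usr/local/bin`, which appears to hold on GitHub-hosted Ubuntu images but deserves a comment such as `# /usr/local/bin is runner-writable on hosted Ubuntu images; no sudo needed`. The enclosing job definition is outside the hunk.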

