Skip to content

Commit

Permalink
Update step-security/harden-runner configuration (#1271)
Browse files Browse the repository at this point in the history 
While apparently the build doesn't fail without this, it is reasonable
for SonarCloud analysis to access the two additional domains.

While there, introduce subdomain wildcards for `sigstore.dev` and
`sonarcloud.io`.
  • Loading branch information
@Stephan202
Stephan202 authored Aug 5, 2024
1 parent 136123f commit 1005d93
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 5 deletions.
4 changes: 1 addition & 3 deletions .github/workflows/openssf-scorecard.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,9 @@ jobs:
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
*.sigstore.dev:443
www.bestpractices.dev:443
- name: Check out code
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
Expand Down
5 changes: 3 additions & 2 deletions .github/workflows/sonarcloud.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,14 +24,15 @@ jobs:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
api.adoptium.net:443
api.sonarcloud.io:443
api.nuget.org:443
ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
github.com:443
objects.githubusercontent.com:443
repo.maven.apache.org:443
sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
scanner.sonarcloud.io:443
*.sonarcloud.io:443
sonarcloud.io:443
- name: Check out code and set up JDK and Maven
uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0
Expand Down

0 comments on commit 1005d93

Please sign in to comment.