From 1005d93b7e441600d1a8b3df562a25fa13df03b6 Mon Sep 17 00:00:00 2001
From: Stephan Schroevers
Date: Mon, 5 Aug 2024 09:31:25 +0200
Subject: [PATCH] Update `step-security/harden-runner` configuration (#1271)

While apparently the build doesn't fail without this, it is reasonable for SonarCloud analysis to access the two additional domains.

While there, introduce subdomain wildcards for `sigstore.dev` and `sonarcloud.io`.
---
 .github/workflows/openssf-scorecard.yml | 4 +---
 .github/workflows/sonarcloud.yml | 5 +++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 083a6ea7cf..ca35f29390 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -30,11 +30,9 @@ jobs:
 api.osv.dev:443
 api.scorecard.dev:443
 api.securityscorecards.dev:443
- fulcio.sigstore.dev:443
 github.com:443
 oss-fuzz-build-logs.storage.googleapis.com:443
- rekor.sigstore.dev:443
- tuf-repo-cdn.sigstore.dev:443
+ *.sigstore.dev:443
 www.bestpractices.dev:443
 - name: Check out code
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index ba2ec826f0..47ae810973 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -24,14 +24,15 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ analysis-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
 api.adoptium.net:443
- api.sonarcloud.io:443
+ api.nuget.org:443
 ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
 github.com:443
 objects.githubusercontent.com:443
 repo.maven.apache.org:443
 sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
- scanner.sonarcloud.io:443
+ *.sonarcloud.io:443
 sonarcloud.io:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@489441643219d2b93ee2a127b2402eb640a1b947 # v1.13.0
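Review bot: The added `*.sigstore.dev:443` entry widens the egress allow-list from three named hosts (fulcio, rekor, tuf-repo-cdn) to every subdomain of sigstore.dev, so the file no longer records which Sigstore services the scorecard step actually needs. That is an acceptable trade-off under `egress-policy: block`, but the rationale should stay readable; because `allowed-endpoints` is a folded block scalar, a `#` line inside it becomes part of the value, so the comment belongs on its own line above the key, e.g. `# *.sigstore.dev: covers fulcio, rekor and tuf-repo-cdn, previously listed individually`. Whether harden-runner's wildcard also matches the apex host sigstore.dev is not visible here; none of the removed entries needed it, so no regression is expected. The `allowed-endpoints: >` key and the enclosing step start outside this hunk.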
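Review bot: `api.nuget.org:443` is added between Maven-only endpoints with nothing in the file saying why a Java build's runner needs to reach a NuGet host, and the commit message only calls it one of "two additional domains" for SonarCloud analysis; an egress allow-list loses most of its review value when entries cannot be tied to a consumer. Since a `#` line inside the folded `allowed-endpoints: >` scalar would be data rather than a comment, put the explanation above the key, e.g. `# analysis-sensorcache-* and api.nuget.org: presumably reached by the SonarCloud scanner, not by Maven (confirm)`. The same comment can note that `sonarcloud.io:443` is kept alongside `*.sonarcloud.io:443` because the wildcard is not expected to match the apex host, so nobody removes it as redundant later.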