From 3b005b0edc2423ed6a872ef7828200a939806537 Mon Sep 17 00:00:00 2001
From: Stephan Schroevers
Date: Mon, 11 Mar 2024 21:43:54 +0100
Subject: [PATCH] Introduce GitHub Actions `step-security/harden-runner` step (#1063)
---
 .github/workflows/build.yml | 9 ++++++
 .github/workflows/codeql.yml | 9 ++++++
 .github/workflows/deploy-website.yml | 34 +++++++++++++++++++++
 .github/workflows/openssf-scorecard.yml | 9 ++++++
 .github/workflows/pitest-analyze-pr.yml | 8 +++++
 .github/workflows/pitest-update-pr.yml | 5 +++
 .github/workflows/run-integration-tests.yml | 5 +++
 .github/workflows/sonarcloud.yml | 12 ++++++++
 8 files changed, 91 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bb06f94bb4..e2a2642306 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,15 @@ jobs:
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ jitpack.io:443
+ repo.maven.apache.org:443
 # We run the build twice for each supported JDK: once against the
 # original Error Prone release, using only Error Prone checks available
 # on Maven Central, and once against the Picnic Error Prone fork,
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1a1e8e3773..2b6094290f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
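Review bot: The build job runs on `${{ matrix.os }}` (context line just above the added step), while harden-runner at this version is documented for Ubuntu runners only, so if the matrix contains macOS or Windows entries the behavior of the new step there — skip with a warning, or fail the job — should be confirmed before treating `egress-policy: block` as applying to the whole matrix. The matrix definition is outside the hunk, so I cannot tell from here whether this is a concern. If other OSes are present, a comment above the step such as `# NOTE: Harden-Runner only restricts egress on Ubuntu runners; other matrix OSes run unrestricted.` records the gap for the next reader.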
@@ -21,6 +21,15 @@ jobs:
 security-events: write
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ repo.maven.apache.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
diff --git a/.github/workflows/deploy-website.yml b/.github/workflows/deploy-website.yml
index 8191ee812b..23ebc170fd 100644
--- a/.github/workflows/deploy-website.yml
+++ b/.github/workflows/deploy-website.yml
@@ -11,6 +11,33 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.adoptium.net:443
+ api.github.com:443
+ bestpractices.coreinfrastructure.org:443
+ blog.picnic.nl:443
+ errorprone.info:443
+ github.com:443
+ img.shields.io:443
+ index.rubygems.org:443
+ jitpack.io:443
+ maven.apache.org:443
+ objects.githubusercontent.com:443
+ pitest.org:443
+ repo.maven.apache.org:443
+ rubygems.org:443
+ search.maven.org:443
+ securityscorecards.dev:443
+ sonarcloud.io:443
+ www.baeldung.com:443
+ www.bestpractices.dev:443
+ www.youtube.com:443
+ youtrack.jetbrains.com:443
 - name: Check out code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
@@ -46,6 +73,13 @@ jobs:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 - name: Deploy to GitHub Pages
 id: deployment
 uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
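Review bot: The `allowed-endpoints` list of the deploy-website.yml build job mixes toolchain hosts (repo.maven.apache.org, rubygems.org, api.adoptium.net) with content hosts such as blog.picnic.nl, www.youtube.com, www.baeldung.com and youtrack.jetbrains.com, and nothing says which step contacts the latter — presumably a link check over the generated site, but that step is not visible in the hunk. Without that context the list is hard to prune, and every new outbound link in the docs will surface as a blocked egress in this job rather than as an obvious allowlist update. Suggest a comment above `allowed-endpoints: >` naming the responsible step, e.g. `# Hosts beyond the Maven/Ruby toolchain are contacted by <link-check step> — extend when the site links to a new domain.` (placeholder step name). If a link checker is indeed what needs them, running it in its own job with its own allowlist would let the build job keep a tight egress policy.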
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 03c553c75b..f356eed3c3 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -20,6 +20,15 @@ jobs:
 id-token: write
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.osv.dev:443
+ github.com:443
 - name: Check out code
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml
index 6f05346361..d0763aeba6 100644
--- a/.github/workflows/pitest-analyze-pr.yml
+++ b/.github/workflows/pitest-analyze-pr.yml
@@ -11,6 +11,14 @@ jobs:
 analyze-pr:
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ repo.maven.apache.org:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml
index 0b2c6069cb..fbf484229c 100644
--- a/.github/workflows/pitest-update-pr.yml
+++ b/.github/workflows/pitest-update-pr.yml
@@ -19,6 +19,11 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ # XXX: Replace with `block` policy.
+ egress-policy: audit
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
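Review bot: The openssf-scorecard.yml allowlist (api.github.com, api.osv.dev, github.com) contains no entry for the host scorecard-action publishes results to, yet the job requests `id-token: write` (visible context line), a permission that action needs only when result publishing is enabled; if `publish_results` is on in the part of the workflow outside the hunk, that upload would be blocked under `egress-policy: block`. Worth confirming with one `audit` run of this job and, if the request shows up, adding the publish endpoint (api.securityscorecards.dev per the action's documentation — verify against the audit output) to `allowed-endpoints`. A one-line comment per non-GitHub host, e.g. `# api.osv.dev: presumably used by Scorecard's vulnerability check — confirm`, would also make the list easier to maintain.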
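Review bot: The pitest-update-pr.yml hunk sets `egress-policy: audit` but omits `disable-sudo: true`, which every `block`-mode hunk in this commit sets; the two inputs are independent, and the same `s4u/setup-maven-action` step follows here as in codeql.yml and pitest-analyze-pr.yml where sudo is disabled, so the omission looks accidental rather than required. The run-integration-tests.yml hunk has the same gap. Unless a later step outside the hunk needs sudo, add `disable-sudo: true` under `with:` in both files. The `# XXX` comment would also be more actionable if it named the blocker, e.g. `# XXX: Switch to the block policy once the endpoints reported by the audit run have been reviewed.`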
diff --git a/.github/workflows/run-integration-tests.yml b/.github/workflows/run-integration-tests.yml
index 2ab858f931..f95f2dc330 100644
--- a/.github/workflows/run-integration-tests.yml
+++ b/.github/workflows/run-integration-tests.yml
@@ -18,6 +18,11 @@ jobs:
 github.event.issue.pull_request && contains(github.event.comment.body, '/integration-test')
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ # XXX: Replace with `block` policy.
+ egress-policy: audit
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index b6781e90fb..1a7722b1af 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -18,6 +18,18 @@ jobs:
 contents: read
 runs-on: ubuntu-22.04
 steps:
+ - name: Install Harden-Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
+ github.com:443
+ repo.maven.apache.org:443
+ sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
+ scanner.sonarcloud.io:443
+ sonarcloud.io:443
 - name: Check out code and set up JDK and Maven
 uses: s4u/setup-maven-action@6d44c18d67d9e1549907b8815efa5e4dada1801b # v1.12.0
 with:
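Review bot: `ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443` in the sonarcloud.yml allowlist is an opaque API Gateway hostname with no comment saying which tool needs it, so when a future scanner update starts failing on egress nobody can tell whether the entry is still required or whether the host legitimately changed. `sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443` is less cryptic but has the same problem. Add a comment above each, e.g. `# Contacted by the SonarCloud scanner (seen in harden-runner audit output on <date placeholder>)`, stating whatever the audit run actually showed. Generic cloud hostnames outside the vendor's own domain are also worth re-checking periodically, since their ownership is not evident from the name.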