
Introduce GitHub Actions step-security/harden-runner step #1063

Merged (1 commit), Mar 11, 2024

Conversation

@Stephan202 (Member) commented Mar 2, 2024

See these steps for context. I noticed this feature when checking the Byte Buddy GHA setup.

Suggested commit message:

Introduce GitHub Actions `step-security/harden-runner` step (#1063)

@Stephan202 Stephan202 added this to the 0.16.0 milestone Mar 2, 2024

github-actions bot commented Mar 2, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.


@Stephan202 force-pushed the sschroevers/harden-runner branch from 58d59b8 to ae8cc49 (March 2, 2024 15:55)
@Stephan202 changed the title from "Introduce GHA step-security/harden-runner step in audit mode" to "Introduce GitHub Actions step-security/harden-runner step" (Mar 2, 2024)

@Stephan202 (Member, Author) left a comment

I rebased the website branch on this branch to validate the deploy-website.yml changes.

Comment on lines +14 to +40
- name: Install Harden-Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.adoptium.net:443
api.github.com:443
bestpractices.coreinfrastructure.org:443
blog.picnic.nl:443
errorprone.info:443
github.com:443
img.shields.io:443
index.rubygems.org:443
jitpack.io:443
maven.apache.org:443
objects.githubusercontent.com:443
pitest.org:443
repo.maven.apache.org:443
rubygems.org:443
search.maven.org:443
securityscorecards.dev:443
sonarcloud.io:443
www.baeldung.com:443
www.bestpractices.dev:443
www.youtube.com:443
youtrack.jetbrains.com:443
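Review bot: The `allowed-endpoints` list mixes hosts the build itself needs (api.github.com, repo.maven.apache.org, rubygems.org) with hosts that look like link targets rather than build dependencies (blog.picnic.nl, www.baeldung.com, www.youtube.com, youtrack.jetbrains.com), and nothing in the hunk records why each group is there. With `egress-policy: block`, a new external link added to the website will make the job fail at the network layer rather than in whatever tool follows that link, so a short comment above the list (or per group) explaining the purpose of each host would make such failures easy to diagnose and keep additions reviewable. Pinning the action to the full commit SHA with the `# v2.7.0` comment is the right approach.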
@Stephan202 (Member, Author) commented:

Quite a large list because of htmlproofer. While testing I did notice that when executed from a GitHub server (not locally), StackOverflow returns a 403. So I excluded that domain.

Comment on lines +22 to +26
- name: Install Harden-Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
# XXX: Replace with `block` policy.
egress-policy: audit
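Review bot: `egress-policy: audit` only logs outbound connections and blocks none of them, so until the `# XXX: Replace with `block` policy.` marker is resolved this step adds visibility here but no enforcement. Suggest tracking the switch to `block` in an issue so the marker does not linger after the audit runs on master have produced the endpoint list. Also, the hunk at lines +14 to +40 sets `disable-sudo: true` while this one does not; if the job has no need for sudo, worth adding that at the same time.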
@Stephan202 (Member, Author) commented:

Here and below: to be updated once we have triggered these jobs from master. Easiest way to test.

@mohamedsamehsalah (Contributor) left a comment

🎸 🎸 🎸

@rickie (Member) left a comment

Do we want to introduce other changes that they propose?

step-security-bot@c0ede2c

Nice improvements!

@rickie force-pushed the sschroevers/harden-runner branch from ae8cc49 to e91dcc5 (March 11, 2024 12:54)

SonarCloud: Quality Gate passed

Issues: 0 new issues, 0 accepted issues
Measures: 0 security hotspots; no data about coverage; no data about duplication

See analysis details on SonarCloud

@Stephan202 (Member, Author) replied, quoting @rickie:

Do we want to introduce other changes that they propose?

step-security-bot@c0ede2c

Nice improvements!

Discussed offline: some of these we may follow up on, others we've covered through other means. But for now we wish to merge the PR as-is.

@Stephan202 merged commit 3b005b0 into master Mar 11, 2024
15 checks passed
@Stephan202 deleted the sschroevers/harden-runner branch March 11, 2024 20:43
@Stephan202 added the chore label (A task not related to code: build, formatting, process, ...) Mar 12, 2024
3 participants