Merge pull request #867 from sjinks/harden-workflows

ci: harden release workflow
sjinks · Sep 9, 2024 · 5852042 · 5852042
2 parents eac5948 + 4d906b5
commit 5852042
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/.github/workflows/push-tag.yml b/.github/workflows/push-tag.yml
@@ -20,7 +20,15 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            packagist.org:443
+            rekor.sigstore.dev:443
+            repo.packagist.org:443
+            uploads.github.com:443
 
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -59,8 +67,14 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
-          disable-sudo: true
-          egress-policy: audit
+          disable-file-monitoring: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            packagist.org:443
+            plugins.svn.wordpress.org:443
+            repo.packagist.org:443
 
       - name: Check out
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7