From 313c78a182a6dbbae8e4e0cc0ce9dbd29657ef3f Mon Sep 17 00:00:00 2001
From: "Sean R. Abraham"
Date: Thu, 14 Nov 2024 08:39:10 -0500
Subject: [PATCH] allow harden-runner to connect to any github subdomains

https://github.com/burningmantech/ranger-ims-server/pull/1410#issuecomment-2476297519
---
 .github/workflows/cicd.yml | 25 ++++++++++++-------------
 .github/workflows/deploy.yml | 8 ++++----
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index 744436c4c..2fa0363cc 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -27,10 +27,10 @@ jobs:
 disable-file-monitoring: true
 egress-policy: block
 allowed-endpoints: >
- api.github.com:443
+ *.github.com:443
+ *.githubusercontent.com:443
 files.pythonhosted.org:443
 github.com:443
- objects.githubusercontent.com:443
 pypi.org:443

 - name: Checkout source code
@@ -74,10 +74,10 @@ jobs:
 disable-file-monitoring: true
 egress-policy: block
 allowed-endpoints: >
- api.github.com:443
+ *.github.com:443
+ *.githubusercontent.com:443
 files.pythonhosted.org:443
 github.com:443
- objects.githubusercontent.com:443
 pypi.org:443

 - name: Checkout source code
@@ -115,10 +115,10 @@ jobs:
 disable-file-monitoring: true
 egress-policy: block
 allowed-endpoints: >
- api.github.com:443
+ *.github.com:443
+ *.githubusercontent.com:443
 files.pythonhosted.org:443
 github.com:443
- objects.githubusercontent.com:443
 pypi.org:443

 - name: Checkout source code
@@ -189,11 +189,11 @@ jobs:
 egress-policy: block
 allowed-endpoints: >
 *.codecov.io:443
- api.github.com:443
+ *.github.com:443
+ *.githubusercontent.com:443
 codecov.io:443
 files.pythonhosted.org:443
 github.com:443
- objects.githubusercontent.com:443
 pypi.org:443
 storage.googleapis.com:443

@@ -308,7 +308,7 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
- api.github.com:443
+ *.github.com:443
 auth.docker.io:443
 dl-cdn.alpinelinux.org:443
 files.pythonhosted.org:443
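Review bot: Replacing `api.github.com:443` and `objects.githubusercontent.com:443` with `*.github.com:443` and `*.githubusercontent.com:443` in the `allowed-endpoints` of the @@ -27, -74, -115, -189 and -308 hunks (and likewise in the remaining cicd.yml and deploy.yml hunks) materially widens what `egress-policy: block` still permits: `*.githubusercontent.com` covers the content hosts that serve files from any GitHub repository, not just this one, so a compromised step or dependency can reach far more destinations than the three hosts that were listed before. The rationale exists only in the linked PR comment, so record it in the workflow with a comment above each `allowed-endpoints: >` key, e.g. `# Wildcarded per the ranger-ims-server#1410 discussion; narrow back to the specific hosts harden-runner reports once they are stable.` — it has to sit above the key, not inside the block, because a `#` inside a folded scalar becomes part of the value. If the blocked calls in that discussion were to a small fixed set of subdomains, listing them explicitly keeps the policy auditable.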
@@ -350,7 +350,7 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
- api.github.com:443
+ *.github.com:443
 auth.docker.io:443
 github.com:443
 production.cloudflare.docker.com:443
@@ -421,6 +421,8 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ *.github.com:443
+ *.githubusercontent.com:443
 655216687927.dkr.ecr.us-west-2.amazonaws.com:443
 api.ecr.us-west-2.amazonaws.com:443
 ecs.us-west-2.amazonaws.com:443
@@ -428,9 +430,6 @@ jobs:
 files.pythonhosted.org:443
 github.com:443
 pypi.org:443
- raw.githubusercontent.com:443
- api.github.com:443
- objects.githubusercontent.com:443

 - name: Checkout source code
 uses: actions/checkout@v4
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 89158c99a..d9db35426 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,14 +20,13 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ *.github.com:443
+ *.githubusercontent.com:443
 ecs.us-west-2.amazonaws.com:443
 files.pythonhosted.org:443
 github.com:443
 pypi.org:443
- raw.githubusercontent.com:443
 sts.us-west-2.amazonaws.com:443
- api.github.com:443
- objects.githubusercontent.com:443

 - name: Check user
 if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
@@ -85,11 +84,12 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
+ *.github.com:443
+ *.githubusercontent.com:443
 ecs.us-west-2.amazonaws.com:443
 files.pythonhosted.org:443
 github.com:443
 pypi.org:443
- raw.githubusercontent.com:443
 sts.us-west-2.amazonaws.com:443

 - name: Check user
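Review bot: In the deploy.yml @@ -85 hunk the `*.github.com:443` entry is net-new rather than a replacement: that job's previous list held `raw.githubusercontent.com:443` and `github.com:443` but no `api.github.com:443`, so the line grants reach to every github.com subdomain for a job that never needed one. Unless the linked discussion shows harden-runner blocking a call to a github.com subdomain from this job, drop that line and keep only `*.githubusercontent.com:443` (or the specific host it replaces). The cicd.yml @@ -421/-428 hunks and the deploy.yml @@ -20 hunk are straight replacements of the three removed hosts and do not have this issue.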