From a2a67bf658d27a8c35725ac643c1d61f4a156e3b Mon Sep 17 00:00:00 2001 From: Ben Date: Thu, 30 Apr 2026 07:10:41 +0000 Subject: [PATCH] Block outbound calls from ci runners to unallowed endpoints --- .github/workflows/build.yml | 26 +++++++++-- .github/workflows/codeql-analysis.yml | 8 +++- .github/workflows/dependency-review.yml | 7 ++- .github/workflows/devcontainer.yml | 20 +++++++- .github/workflows/docs.yml | 40 +++++++++++++--- .github/workflows/python-publish.yml | 10 +++- .github/workflows/release.yml | 8 +++- .github/workflows/run.yml | 62 +++++++++++++++++++++++-- .github/workflows/scorecard.yml | 5 +- .github/workflows/test.yml | 32 ++++++++++++- 10 files changed, 191 insertions(+), 27 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a271b376..ff35a07d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,10 +22,21 @@ jobs: security-events: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + packages.microsoft.com:443 + azure.archive.ubuntu.com:80 + esm.ubuntu.com:443 + index.rubygems.org:443 + rubygems.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
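Review bot: The allowlist in the first build job mixes endpoints owned by at least four different consumers (GitHub, PyPI, Ubuntu apt mirrors, RubyGems) with nothing recording which step needs which, so the next prune has to be done by breaking the build and reading the audit insights. Because `allowed-endpoints` is a folded block scalar, a `#` line inside it becomes content rather than a comment, so group notes have to sit above the key, e.g. `# apt: azure.archive.ubuntu.com:80 is plain HTTP; acceptable because apt verifies repository signatures` and `# rubygems: required by <step>`. Whether a build job in this repository actually needs RubyGems cannot be confirmed from the hunk; if it was only seen once in audit mode it is a candidate for removal.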
@@ -207,10 +218,17 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0812e642..1b83265d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -34,10 +34,14 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bd2d544b..4cccf93b 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -16,10 +16,13 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + api.github.com:443 + github.com:443 - name: 'Checkout Repository' uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml index e97880d4..d377e582 100644 --- a/.github/workflows/devcontainer.yml +++ b/.github/workflows/devcontainer.yml @@ -15,10 +15,26 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + registry.npmjs.org:443 + containers.dev:443 + mcr.microsoft.com:443 + *.data.mcr.microsoft.com:443 + _http._tcp.deb.debian.org:443 + deb.debian.org:443 + deb.debian.org:80 + debian.map.fastlydns.net:443 + debian.map.fastlydns.net:80 + index.rubygems.org:443 + rubygems.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 09b6dcd0..ab085454 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -16,10 +16,17 @@ jobs: name: Documentation runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 + plantuml.com:80 + plantuml.com:443 + www.plantuml.com:80 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: @@ -41,10 +48,17 @@ jobs: name: Landing page runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 + plantuml.com:80 + plantuml.com:443 + www.plantuml.com:80 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -75,10 +89,24 @@ jobs: permissions: contents: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + _http._tcp.azure.archive.ubuntu.com:443 + _https._tcp.archive.ubuntu.com:443 + _https._tcp.security.ubuntu.com:443 + archive.ubuntu.com:443 + azure.archive.ubuntu.com:443 + azure.archive.ubuntu.com:80 + files.pythonhosted.org:443 + github.com:443 + plantuml.com:443 + plantuml.com:80 + pypi.org:443 + security.ubuntu.com:443 + www.plantuml.com:80 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
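Review bot: All three docs allowlists open plain-HTTP egress to `plantuml.com:80` and `www.plantuml.com:80` even though `plantuml.com:443` is allowed as well, so whatever the docs build fetches from PlantUML (presumably a jar or rendered diagrams) can be served unauthenticated and altered in transit; harden-runner only decides whether the connection may happen, it does not make an HTTP fetch trustworthy. If the downloader can be pointed at HTTPS, drop the two `:80` entries, and if a jar is fetched, verify its checksum before it is run. If the `:80` entries are genuinely needed, record why in a comment above `allowed-endpoints:`, e.g. `# plantuml.com:80: <step> follows an HTTP redirect; artifact checksum verified in <step>`. The third hunk is the deploy job with `contents: write`, where a tampered artifact would land directly on the published site.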
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 87a3b6ac..8e6d086b 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -20,10 +20,16 @@ jobs: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e4e6e8ff..ca59c7e4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,7 +23,13 @@ jobs: steps: - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index f98bdcb3..333dfdbd 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml 
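Review bot: The allowlist for a publish job contains `pypi.org:443` and `files.pythonhosted.org:443` but not `upload.pypi.org:443`, which is the host twine and pypa/gh-action-pypi-publish post distributions to; if this job uploads that way (the upload step is outside the hunk), the switch from `audit` to `block` will only surface as a failed release. Check the audit-mode insights of the most recent publish run and add `upload.pypi.org:443` if the upload went there. A short comment above `allowed-endpoints:` naming the upload step that needs it would stop a future cleanup from removing it again.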
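Review bot: The harden-runner step in release.yml is the only one in this patch without a `name:`, so its log entry shows the bare action reference while every other workflow reads "Harden the runner (Block egress traffic: …)"; adding `- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"` above `uses:` keeps the workflows consistent and makes egress blocks easier to spot in the log. The list is identical to python-publish.yml's, so the same caveat applies: if a later step in this job uploads to PyPI, `upload.pypi.org:443` is missing from it.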
@@ -15,10 +15,16 @@ jobs: security-events: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + github.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -73,10 +79,58 @@ jobs: security-events: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + _http._tcp.azure.archive.ubuntu.com:443 + _https._tcp.archive.ubuntu.com:443 + _https._tcp.dl.google.com:443 + _https._tcp.esm.ubuntu.com:443 + _https._tcp.motd.ubuntu.com:443 + _https._tcp.packages.microsoft.com:443 + _https._tcp.security.ubuntu.com:443 + 0.pool.ntp.org:443 + api.apple-cloudkit.com:443 + api.github.com:443 + archive.ubuntu.com:443 + azure.archive.ubuntu.com:443 + azure.archive.ubuntu.com:80 + cfhcable.dl.sourceforge.net:443 + community.chocolatey.org:443 + community.chocolatey.org:80 + cytranet-dal.dl.sourceforge.net:443 + dc.services.visualstudio.com:443 + dl.google.com:443 + downloads.sourceforge.net:443 + esm.ubuntu.com:443 + fe2cr.update.microsoft.com:443 + files.pythonhosted.org:443 + formulae.brew.sh:443 + gdmf.apple.com:443 + ghcr.io:443 + gigenet.dl.sourceforge.net:443 + github.com:443 + init.itunes.apple.com:443 + mask.icloud.com:443 + mesu.apple.com:443 + mirrors.ctan.org:443 + mobile.events.data.microsoft.com:443 + motd.ubuntu.com:443 + netactuate.dl.sourceforge.net:443 + ocsp.sectigo.com:80 + ocsp2.apple.com:443 + packages.chocolatey.org:443 + packages.microsoft.com:443 + pilotfiber.dl.sourceforge.net:443 + pkg-containers.githubusercontent.com:443 + psychz.dl.sourceforge.net:443 + pypi.org:443 + release-assets.githubusercontent.com:443 + security.ubuntu.com:443 + sourceforge.net:443 + ziglang.org:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index c5e31497..050c4ff0 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
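Review bot: Roughly a third of this allowlist is OS background traffic rather than anything the job downloads: Apple update and telemetry hosts (`gdmf.apple.com`, `mesu.apple.com`, `mask.icloud.com`, `init.itunes.apple.com`, `api.apple-cloudkit.com`, `ocsp2.apple.com`), Microsoft telemetry (`dc.services.visualstudio.com`, `mobile.events.data.microsoft.com`, `fe2cr.update.microsoft.com`), plus `0.pool.ntp.org:443` and `motd.ubuntu.com`. Allowing them turns the list into a transcript of what audit mode saw instead of what the build needs, and every extra host is one a compromised step may talk to, so they should be dropped and the job re-run in block mode to confirm nothing breaks. If this job is a matrix that includes macOS and Windows (its `runs-on` is outside the hunk), note that harden-runner, as far as I know, only enforces on Linux runners, so those entries are likely inert anyway; verify from the action's own output. A comment above `allowed-endpoints:` grouping the remainder by consumer (apt, pip, SourceForge mirrors, ghcr, Zig, Homebrew, Chocolatey) would make the next prune reviewable.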
@@ -26,10 +26,11 @@ jobs: id-token: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ - name: "Checkout code" uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 416a1d8b..33d7ccf1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -10,10 +10,38 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Harden the runner (Audit all outbound calls) + - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: >+ + dl.google.com:443 + packages.microsoft.com:443 + azure.archive.ubuntu.com:80 + esm.ubuntu.com:443 + pypi.org:443 + files.pythonhosted.org:443 + github.com:443 + github.com:22 + svn.code.sf.net:3690 + svn.code.sf.net:443 + release-assets.githubusercontent.com:443 + coverage.codacy.com:443 + artifacts.codacy.com:443 + api.codacy.com:443 + _https._tcp.packages.microsoft.com:443 + _https._tcp.dl.google.com:443 + _http._tcp.azure.archive.ubuntu.com:443 + azure.archive.ubuntu.com:443 + _https._tcp.motd.ubuntu.com:443 + motd.ubuntu.com:443 + _https._tcp.esm.ubuntu.com:443 + _https._tcp.archive.ubuntu.com:443 + archive.ubuntu.com:443 + _https._tcp.security.ubuntu.com:443 + security.ubuntu.com:443 + dfetch.invalid:443 + giiiiiidhub.com:443 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
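Review bot: `allowed-endpoints: >+` is left empty here while `egress-policy` changes to `block`, so every outbound connection from the scorecard job will be denied, including the GitHub API calls the Scorecard action needs to analyse the repository and upload its SARIF, and the job will presumably fail on its first run. Either keep `egress-policy: audit` for scorecard.yml until an audit run has produced the list, or fill in the endpoints the audit insights recorded (at minimum `api.github.com:443` and `github.com:443`, plus whatever the scorecard action and its result-publishing step contact). If the empty list is intentional as a placeholder, a `# TODO: populate from audit insights before merging` comment above it would make that explicit.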
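Review bot: `giiiiiidhub.com:443` looks like a deliberately bogus host from a test fixture (alongside `dfetch.invalid:443`), but unlike `.invalid`, an IANA-reserved TLD that never resolves, it is an ordinary registrable `.com` name; allowlisting it means that if someone registers it, the CI runner will complete a TLS connection to it during tests, and a test written to expect a failure may start passing against attacker-controlled content. Prefer renaming the fixture host to something under `.invalid` or `.test` so no allowlist entry is needed, or leave it off the list and let harden-runner's block be the deterministic failure the test asserts. `github.com:22` and `svn.code.sf.net:3690` additionally open SSH and plain `svn://` egress; if the tests only exercise HTTPS checkouts those two entries can go, and if they are needed a comment above `allowed-endpoints:` naming the test that uses them would help. The hunk's trailing context appears to continue past the end of this excerpt.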