26 changes: 22 additions & 4 deletions .github/workflows/build.yml
Expand Up @@ -22,10 +22,21 @@ jobs:
security-events: write

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
packages.microsoft.com:443
azure.archive.ubuntu.com:80
esm.ubuntu.com:443
index.rubygems.org:443
rubygems.org:443
Comment on lines +25 to +39

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and read the full build.yml workflow file
find . -name "build.yml" -path "*/.github/workflows/*" | head -1

Repository: dfetch-org/dfetch

Length of output: 91


🏁 Script executed:

# Read the full workflow file to understand the build job
cat -n .github/workflows/build.yml

Repository: dfetch-org/dfetch

Length of output: 11235


🏁 Script executed:

# Search for specific commands mentioned in the review
rg "choco install|dotnet tool install|softprops/action-gh-release" .github/workflows/build.yml -A 2 -B 2

Repository: dfetch-org/dfetch

Length of output: 916


🌐 Web query:

Chocolatey choco install default feed endpoint community.chocolatey.org

💡 Result:

The default Chocolatey feed endpoint for community packages is: https://community.chocolatey.org/api/v2/ So your command corresponds to explicitly using the Community Repository (community feed) OData v2 endpoint.

🌐 Web query:

dotnet tool install NuGet feed endpoints api.nuget.org

💡 Result:

The dotnet tool install command uses NuGet feeds, with api.nuget.org (nuget.org) as the default public feed. It first fetches the V3 service index at https://api.nuget.org/v3/index.json to discover available resources and endpoints. Key endpoints used include: - Service Index: https://api.nuget.org/v3/index.json (entry point listing all resources like SearchQueryService, PackageBaseAddress, RegistrationsBaseUrl). - SearchQueryService: e.g., https://api-v2v3search-0.nuget.org/query (for package search and version resolution, specifically via NugetToolSearchApiRequest; filters for dotnet-tool packageType). - PackageBaseAddress: https://api.nuget.org/v3-flatcontainer/ (for downloading .nupkg files, e.g., https://api.nuget.org/v3-flatcontainer/{LOWER_ID}/{LOWER_VERSION}/{LOWER_ID}.{LOWER_VERSION}.nupkg). - RegistrationsBaseUrl: https://api.nuget.org/v3/registration2/ (for package metadata). If no version is specified, it queries the search endpoint on nuget.org first (fails if blocked without --version). Use --source, --add-source, or --ignore-failed-sources to control feeds. Official docs confirm dotnet tool install resolves packages via standard NuGet V3 protocol from configured sources, defaulting to nuget.org.

🌐 Web query:

GitHub softprops/action-gh-release upload endpoint uploads.github.com

💡 Result:

softprops/action-gh-release uploads release assets to GitHub Releases using the upload_url returned by the Releases API (a hypermedia resource). For GitHub.com, the “uploads” host you referenced (uploads.github.com) is used by the Release assets upload endpoint: POST https://uploads.github.com/repos/{owner}/{repo}/releases/{release_id}/assets This is documented as the “Upload a release asset” endpoint; GitHub expects the raw binary asset in the request body (not JSON), with appropriate Content-Type and authentication. How this maps to softprops/action-gh-release 1) The action creates (or fetches) the release. 2) It uses the release’s upload_url (returned by the Releases API) to upload each file specified via with.files. 3) The action exposes upload_url as an output (“upload_url”). So, the key point is: softprops/action-gh-release does not hardcode uploads.github.com; it uses the upload_url provided by GitHub for the specific release, whose upload host is typically uploads.github.com.

Add missing Windows package and release upload endpoints to the allowlist.

The Windows build jobs run choco install zig (line 53) and dotnet tool install --global wix (line 73), which require community.chocolatey.org and api.nuget.org respectively. The later softprops/action-gh-release step (line 128) uploads assets via uploads.github.com. These three endpoints are absent from the current allowlist and will cause failures under egress block mode.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yml around lines 25 - 39, The runner hardening step
using step-security/harden-runner currently sets allowed-endpoints in the job
block but is missing endpoints needed by the Windows jobs; update the
allowed-endpoints list used by the harden-runner step (the block with uses:
step-security/harden-runner and with: allowed-endpoints) to include
community.chocolatey.org:443, api.nuget.org:443, and uploads.github.com:443 so
choco install, dotnet tool install --global wix, and softprops/action-gh-release
asset uploads succeed under egress-policy: block.


- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
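Review bot: Nothing in this hunk says which step needs the less obvious entries under allowed-endpoints: index.rubygems.org:443 and rubygems.org:443 sit beside the PyPI hosts, and azure.archive.ubuntu.com:80 is plaintext. Put a YAML comment above the harden-runner step (not inside the folded >+ scalar, where it would become part of the value) naming the consumer of each of these hosts, and drop the RubyGems pair if no step in this job installs gems, so the list can be pruned later instead of only growing.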
Expand Down Expand Up @@ -207,10 +218,17 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443


- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
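Review bot: Style point on the allowed-endpoints block in this job: two blank lines follow files.pythonhosted.org:443, and with the keep-chomping indicator (>+) both end up in the value, where the other hunks leave one. The same five hosts (github.com, api.github.com, release-assets.githubusercontent.com, pypi.org, files.pythonhosted.org) are also repeated verbatim in python-publish.yml, release.yml and the first job of run.yml; keeping that set in one shared place would stop the copies drifting apart.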
8 changes: 6 additions & 2 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -34,10 +34,14 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7 changes: 5 additions & 2 deletions .github/workflows/dependency-review.yml
Expand Up @@ -16,10 +16,13 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
api.github.com:443
github.com:443

- name: 'Checkout Repository'
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
20 changes: 18 additions & 2 deletions .github/workflows/devcontainer.yml
Expand Up @@ -15,10 +15,26 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
registry-1.docker.io:443
auth.docker.io:443
production.cloudflare.docker.com:443
registry.npmjs.org:443
containers.dev:443
mcr.microsoft.com:443
*.data.mcr.microsoft.com:443
_http._tcp.deb.debian.org:443
deb.debian.org:443
deb.debian.org:80
debian.map.fastlydns.net:443
debian.map.fastlydns.net:80
index.rubygems.org:443
rubygems.org:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
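Review bot: The entry *.data.mcr.microsoft.com:443 is the only wildcard in this PR and it widens the allowlist to every host under that domain; if the audit run showed only one or two regional data hosts, list those by name instead. The same block also allows deb.debian.org:80 and debian.map.fastlydns.net:80 in plaintext next to their :443 entries; if the image build can use https apt sources, the :80 lines can go.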
40 changes: 34 additions & 6 deletions .github/workflows/docs.yml
Expand Up @@ -16,10 +16,17 @@ jobs:
name: Documentation
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
pypi.org:443
files.pythonhosted.org:443
plantuml.com:80
plantuml.com:443
www.plantuml.com:80

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
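Review bot: The Documentation job allows plantuml.com:80 and www.plantuml.com:80, so whatever the docs build fetches from PlantUML can travel over plaintext HTTP and be altered in transit before it lands in the published docs. plantuml.com:443 is already listed; point the PlantUML server URL in the docs configuration at https and drop both :80 entries (www.plantuml.com currently has no :443 entry at all, so add that one if the www host is really used).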
Expand All @@ -41,10 +48,17 @@ jobs:
name: Landing page
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
pypi.org:443
files.pythonhosted.org:443
plantuml.com:80
plantuml.com:443
www.plantuml.com:80

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Expand Down Expand Up @@ -75,10 +89,24 @@ jobs:
permissions:
contents: write
steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
_http._tcp.azure.archive.ubuntu.com:443
_https._tcp.archive.ubuntu.com:443
_https._tcp.security.ubuntu.com:443
archive.ubuntu.com:443
azure.archive.ubuntu.com:443
azure.archive.ubuntu.com:80
files.pythonhosted.org:443
github.com:443
plantuml.com:443
plantuml.com:80
pypi.org:443
security.ubuntu.com:443
www.plantuml.com:80
Comment on lines +92 to +109

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/docs.yml

Repository: dfetch-org/dfetch

Length of output: 5214


🌐 Web query:

GitHub release asset upload endpoint uploads.github.com softprops/action-gh-release

💡 Result:

The GitHub release asset upload endpoint is POST /repos/{owner}/{repo}/releases/{release_id}/assets, but the actual URL is dynamic and provided as the 'upload_url' in the response from the Create a release API endpoint (e.g., https://uploads.github.com/repos/OWNER/REPO/releases/RELEASE_ID/assets?X-Amz-Algorithm=... etc., with presigned parameters). It requires headers like Content-Type (e.g., application/zip), Content-Length, and authentication (e.g., Authorization: token ...). The raw binary file is sent in the request body. The softprops/action-gh-release GitHub Action handles creating/updating releases and uploading assets via the 'files' input (newline-delimited globs). It uses the GitHub Release API internally, including the upload_url for assets, and outputs the upload_url among others. It can upload to existing releases if the tag matches. Example curl from official docs: curl -L -X POST https://uploads.github.com/repos/OWNER/REPO/releases/RELEASE_ID/assets?name=example.zip -H 'Authorization: token XXX' -H 'Content-Type: application/zip' --data-binary @example.zip

Add uploads.github.com:443 to the egress allowlist for the PDF job.

The pdf job uses softprops/action-gh-release to upload release assets, which requires access to uploads.github.com for the asset upload endpoint. Without this endpoint in the allowlist, the publish step will fail once egress is switched to block mode.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docs.yml around lines 92 - 102, Add uploads.github.com:443
to the allowed-endpoints list used by the "Harden the runner (Block egress
traffic: Only allow calls to allowed endpoints)" step (uses:
step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40) for the
pdf job, because the pdf job's publisher (softprops/action-gh-release) needs to
reach uploads.github.com to upload release assets; update the allowed-endpoints
block to include the entry uploads.github.com:443 so the publish step can
complete when egress-policy is block.


- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
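Review bot: This is the only docs job holding contents: write, yet its list is the loosest of the three. The entries _http._tcp.azure.archive.ubuntu.com:443, _https._tcp.archive.ubuntu.com:443 and _https._tcp.security.ubuntu.com:443 look like SRV lookup names recorded during the audit run rather than hosts a step connects to, and the plain hostnames are listed right below them; check whether apt still works with the underscore-prefixed names removed, and keep only the hosts the job actually reaches.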
10 changes: 8 additions & 2 deletions .github/workflows/python-publish.yml
Expand Up @@ -20,10 +20,16 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
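Review bot: For a workflow named python-publish.yml, the allowed-endpoints list has only the PyPI download hosts (pypi.org:443, files.pythonhosted.org:443) and no upload host. If a later step in this job uploads the package to the default PyPI repository, it talks to upload.pypi.org:443 and will be cut off under egress-policy: block; check the audit-mode results for this job and add the upload host if it appears there.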
8 changes: 7 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -23,7 +23,13 @@ jobs:
steps:
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
62 changes: 58 additions & 4 deletions .github/workflows/run.yml
Expand Up @@ -15,10 +15,16 @@ jobs:
security-events: write

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
github.com:443
api.github.com:443
release-assets.githubusercontent.com:443
pypi.org:443
files.pythonhosted.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Expand Down Expand Up @@ -73,10 +79,58 @@ jobs:
security-events: write

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
_http._tcp.azure.archive.ubuntu.com:443
_https._tcp.archive.ubuntu.com:443
_https._tcp.dl.google.com:443
_https._tcp.esm.ubuntu.com:443
_https._tcp.motd.ubuntu.com:443
_https._tcp.packages.microsoft.com:443
_https._tcp.security.ubuntu.com:443
0.pool.ntp.org:443
api.apple-cloudkit.com:443
api.github.com:443
archive.ubuntu.com:443
azure.archive.ubuntu.com:443
azure.archive.ubuntu.com:80
cfhcable.dl.sourceforge.net:443
community.chocolatey.org:443
community.chocolatey.org:80
cytranet-dal.dl.sourceforge.net:443
dc.services.visualstudio.com:443
dl.google.com:443
downloads.sourceforge.net:443
esm.ubuntu.com:443
fe2cr.update.microsoft.com:443
files.pythonhosted.org:443
formulae.brew.sh:443
gdmf.apple.com:443
ghcr.io:443
gigenet.dl.sourceforge.net:443
github.com:443
init.itunes.apple.com:443
mask.icloud.com:443
mesu.apple.com:443
mirrors.ctan.org:443
mobile.events.data.microsoft.com:443
motd.ubuntu.com:443
netactuate.dl.sourceforge.net:443
ocsp.sectigo.com:80
ocsp2.apple.com:443
packages.chocolatey.org:443
packages.microsoft.com:443
pilotfiber.dl.sourceforge.net:443
pkg-containers.githubusercontent.com:443
psychz.dl.sourceforge.net:443
pypi.org:443
release-assets.githubusercontent.com:443
security.ubuntu.com:443
sourceforge.net:443
ziglang.org:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
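Review bot: This allowlist reads like a raw copy of an audit-mode report rather than a list of what the job needs. Entries such as mask.icloud.com:443, api.apple-cloudkit.com:443, init.itunes.apple.com:443, gdmf.apple.com:443, mesu.apple.com:443, fe2cr.update.microsoft.com:443, mobile.events.data.microsoft.com:443, dc.services.visualstudio.com:443 and 0.pool.ntp.org:443 look like operating-system background and telemetry traffic, not something a workflow step requests, and each one is an extra permitted destination for a job that holds security-events: write. Remove them and re-run to see what actually breaks. The six named SourceForge mirrors (cfhcable, cytranet-dal, gigenet, netactuate, pilotfiber, psychz) are also brittle: a download that gets redirected to a mirror outside this set will be blocked.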

5 changes: 3 additions & 2 deletions .github/workflows/scorecard.yml
Expand Up @@ -26,10 +26,11 @@ jobs:
id-token: write

steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
Comment on lines +29 to +33

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat .github/workflows/scorecard.yml | head -60

Repository: dfetch-org/dfetch

Length of output: 2150


🏁 Script executed:

# Check if there's more context in the workflow or if endpoints are defined elsewhere
rg -A 10 "allowed-endpoints" .github/workflows/scorecard.yml

Repository: dfetch-org/dfetch

Length of output: 424


🌐 Web query:

step-security harden-runner block mode empty allowed-endpoints behavior

💡 Result:

In StepSecurity's Harden-Runner GitHub Action, when using block mode (egress-policy: block) with an empty allowed-endpoints list (default is ""), Harden-Runner blocks all outbound network connections except those automatically allowed for its own operation (e.g., to StepSecurity APIs over TLS, which do not need explicit addition). Any other outbound traffic to endpoints not explicitly listed is blocked at DNS (Layer 7) and network layers (Layers 3/4), including DNS exfiltration attempts. This creates a restrictive deny-by-default policy, preventing data exfiltration. Workflows typically fail if they require external network access without allowed endpoints configured, as seen in guides for fixing blocked endpoints by adding legitimate ones after audit mode. Examples always include specific endpoints like github.com:443 when using block mode. Policy Store can centralize allowlists, but local empty list takes precedence and enforces strict blocking.

🌐 Web query:

actions/checkout network calls github.com egress

💡 Result:

The actions/checkout GitHub Action makes outbound network calls to github.com domains during execution, specifically to api.github.com and related endpoints. Primary network egress: - Git protocol fetches/clones/pushes to github.com (ports 22/443), using GITHUB_TOKEN or SSH key for authentication. This is the default behavior when Git is available (version 2.18+). - HTTPS git operations to github.com. Additional calls when Git is unavailable or fallback triggered: - REST API calls to api.github.com to get default branch (octokit.rest.repos.get) and download archive (downloadTarballArchive or downloadZipballArchive). - These use @actions/github library with auth token. Observed endpoints from runtime analysis (StepSecurity data on public workflows): - github.com, api.github.com, github-cloud.githubusercontent.com, objects-origin.githubusercontent.com, patch-diff.githubusercontent.com (GitHub-owned). - Incidental calls to other domains (e.g., googlesource.com mirrors for Git deps, package registries) appear in aggregate data but are not core to checkout logic; likely from Git internals, LFS, submodules, or runner environment. No calls to arbitrary external sites; all core traffic is to GitHub services. Egress is necessary for repository fetch. For self-hosted runners with strict policies, allow api.github.com:443, github.com:22/443, and githubusercontent.com domains. Sources confirm via source code inspection and monitoring tools.

🏁 Script executed:

# Check if there are any other harden-runner configurations in the repo that show examples
rg "harden-runner" .github/workflows/ -A 5 -B 2

Repository: dfetch-org/dfetch

Length of output: 8301


Add allowed GitHub endpoints to unblock the workflow.

The allowed-endpoints list is empty, and with egress-policy: block, harden-runner will block all outbound traffic. The actions/checkout step immediately following requires access to github.com and api.github.com. Populate allowed-endpoints with at least:

github.com:443
api.github.com:443

Or use the recommended policy approach from the step-security/harden-runner documentation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 29 - 33, The workflow currently
sets the harden-runner step (uses: step-security/harden-runner) with
egress-policy: block but leaves allowed-endpoints empty, which blocks outbound
calls required by actions/checkout; update the allowed-endpoints value for that
harden-runner invocation to include at minimum github.com:443 and
api.github.com:443 (or apply the recommended allowed endpoints policy from the
step-security/harden-runner docs) so actions/checkout and GitHub API calls are
permitted.


- name: "Checkout code"
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
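Review bot: allowed-endpoints: >+ is left with no entries while the job carries id-token: write, so besides the checkout traffic, any step that uses the OIDC token to reach an external service is denied as well. Take the host list for this job from its audit-mode run and fill it in before merging, rather than adding only the two GitHub hosts and finding the remaining ones through failed runs.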
32 changes: 30 additions & 2 deletions .github/workflows/test.yml
Expand Up @@ -10,10 +10,38 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
- name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >+
dl.google.com:443
packages.microsoft.com:443
azure.archive.ubuntu.com:80
esm.ubuntu.com:443
pypi.org:443
files.pythonhosted.org:443
github.com:443
github.com:22
svn.code.sf.net:3690
svn.code.sf.net:443
release-assets.githubusercontent.com:443
coverage.codacy.com:443
artifacts.codacy.com:443
api.codacy.com:443
_https._tcp.packages.microsoft.com:443
_https._tcp.dl.google.com:443
_http._tcp.azure.archive.ubuntu.com:443
azure.archive.ubuntu.com:443
_https._tcp.motd.ubuntu.com:443
motd.ubuntu.com:443
_https._tcp.esm.ubuntu.com:443
_https._tcp.archive.ubuntu.com:443
archive.ubuntu.com:443
_https._tcp.security.ubuntu.com:443
security.ubuntu.com:443
dfetch.invalid:443
giiiiiidhub.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
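Review bot: The last two entries, dfetch.invalid:443 and giiiiiidhub.com:443, look like hosts that tests contact on purpose to exercise failure paths. dfetch.invalid is fine to drop, since .invalid is a reserved TLD that never resolves, but giiiiiidhub.com is an ordinary registrable .com name, and whoever holds it becomes a permitted egress destination from this job. Change the test fixture to a .invalid name and remove both lines; a blocked lookup gives the test the same failure it expects. Please also note above the step which tests need github.com:22 and svn.code.sf.net:3690, since they are the only non-HTTP ports in the PR.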
