diff --git a/.github/workflows/autolabeler.yaml b/.github/workflows/autolabeler.yaml index 4c03977..d5c228e 100644 --- a/.github/workflows/autolabeler.yaml +++ b/.github/workflows/autolabeler.yaml @@ -50,12 +50,28 @@ jobs: timeout-minutes: 3 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: release-drafter/release-drafter/autolabeler@c2e2804cc59f45f57076a99af580d0fedb697927 # v7.3.0 diff --git a/.github/workflows/build-test-release.yaml b/.github/workflows/build-test-release.yaml index 56945db..4cbe908 100644 --- a/.github/workflows/build-test-release.yaml +++ b/.github/workflows/build-test-release.yaml 
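Review bot: The audit fallback step runs whenever `vars.CONNECTION_WHITELIST` is empty, not only on fork PRs, so deleting, renaming or mis-scoping that variable silently downgrades every job in these four workflows from block to audit with no failure signal, including the publishing jobs in build-test-release.yaml. The fallback's `if:` should additionally require a fork pull request (`github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository`), and a short fail-closed step should error out when the variable is empty in any other context; the claim that `vars` is withheld from fork PRs rests only on the added comment, so it is worth confirming against GitHub's behaviour before depending on it. The same block is repeated verbatim in every hunk of build-test-release.yaml, build-test.yaml and release-drafter.yaml, so the change applies to all of them. The job's step list continues past the hunk.
```yaml
      # … unchanged: block-mode harden-runner step …
      - name: 'Harden runner (audit fallback, fork PR only)'
        if: >-
          ${{ vars.CONNECTION_WHITELIST == '' &&
              github.event_name == 'pull_request' &&
              github.event.pull_request.head.repo.full_name != github.repository }}
        # yamllint disable-line rule:line-length
        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
        with:
          egress-policy: 'audit'
      # Fail closed: outside a fork PR an empty CONNECTION_WHITELIST is a
      # misconfiguration, not a reason to drop egress enforcement.
      - name: 'Fail if no egress policy was applied'
        if: >-
          ${{ vars.CONNECTION_WHITELIST == '' &&
              (github.event_name != 'pull_request' ||
               github.event.pull_request.head.repo.full_name == github.repository) }}
        run: |
          echo '::error::CONNECTION_WHITELIST is empty; refusing to run without an egress policy'
          exit 1
      # … unchanged: remaining steps of the job …
```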
@@ -27,13 +27,29 @@ jobs: pull-requests: read timeout-minutes: 5 steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
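Review bot: The harden-runner pair is now a twenty-line block copy-pasted into every job of four workflow files, and it is already drifting: the `# Harden the runner used by this workflow` comment precedes it in most hunks but not in this one nor in the first two hunks of build-test.yaml. Moving the pair into a local composite action (under `.github/actions/`, path to be chosen) that takes the whitelist as an input, `with: whitelist: ${{ vars.CONNECTION_WHITELIST }}`, would leave each job with a single step and one place to correct the egress logic. harden-runner expects to be the first step of a job; confirm that still holds when it is the first step inside a composite action that is itself the job's first step.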
@@ -60,13 +76,29 @@ jobs: tag: "${{ steps.tag-validate.outputs.tag_name }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Checkout repository' # yamllint disable-line rule:line-length uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -128,13 +160,29 @@ jobs: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -159,13 +207,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -188,13 +252,29 @@ jobs: timeout-minutes: 10 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -214,13 +294,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -260,13 +356,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: "Download SBOM artefact" # yamllint disable-line rule:line-length uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 
@@ -433,13 +545,29 @@ jobs: timeout-minutes: 5 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Test PyPI publishing' # yamllint disable-line rule:line-length uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23 # v0.1.6 
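Review bot: In the `Test PyPI publishing` job, and the `PyPI release` job in the next hunk, the audit fallback has no legitimate trigger: these jobs appear to run on release or tag events rather than fork PRs (inferred from the step names; the job's trigger and `if:` are outside the hunk), so the only way the fallback can fire is a missing variable, and in that case the step that performs the PyPI upload runs with egress merely logged. For these two jobs remove the `if: ${{ vars.CONNECTION_WHITELIST != '' }}` line from the block-mode step and delete the `Harden runner (audit fallback, no whitelist available)` step entirely, so an empty whitelist leaves block mode in force and the upload fails visibly instead of running unguarded.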
@@ -462,13 +590,29 @@ jobs: timeout-minutes: 5 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'PyPI release' # yamllint disable-line rule:line-length uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23 # v0.1.6 
@@ -501,13 +645,29 @@ jobs: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -541,13 +701,29 @@ jobs: release_url: "${{ steps.promote-release.outputs.release_url || steps.set-promoted-url.outputs.release_url }}" steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/build-test.yaml b/.github/workflows/build-test.yaml index 6e0c3fb..e572e8c 100644 --- a/.github/workflows/build-test.yaml +++ b/.github/workflows/build-test.yaml 
@@ -40,13 +40,29 @@ jobs: pull-requests: read timeout-minutes: 5 steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
@@ -76,13 +92,29 @@ jobs: env: GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}" steps: - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: 'Clear Python dependency caches' env: REPO: "${{ github.repository }}" 
@@ -161,13 +193,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -190,13 +238,29 @@ jobs: timeout-minutes: 12 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -220,13 +284,29 @@ jobs: timeout-minutes: 10 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -247,13 +327,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -294,13 +390,29 @@ jobs: contents: read steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + - name: "Download SBOM artefact" # yamllint disable-line rule:line-length uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml index faddfc7..11a2bf9 100644 --- a/.github/workflows/release-drafter.yaml +++ b/.github/workflows/release-drafter.yaml 
@@ -26,12 +26,28 @@ jobs: timeout-minutes: 3 steps: # Harden the runner used by this workflow - # yamllint disable-line rule:line-length - - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + # When the CONNECTION_WHITELIST repo/org variable is exposed + # to this run (i.e. not a fork PR), use it to enforce a + # block-mode egress policy. + - name: 'Harden runner (block egress with whitelist)' + if: ${{ vars.CONNECTION_WHITELIST != '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: egress-policy: 'block' allowed-endpoints: > ${{ vars.CONNECTION_WHITELIST }} + # Fallback for fork PRs and other contexts where the + # CONNECTION_WHITELIST variable is not exposed to the + # workflow. Audit-only mode logs all egress without + # blocking it so CI still runs. + - name: 'Harden runner (audit fallback, no whitelist available)' + if: ${{ vars.CONNECTION_WHITELIST == '' }} + # yamllint disable-line rule:line-length + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 + with: + egress-policy: 'audit' + # yamllint disable-line rule:line-length - uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7.3.0