CI(harden-runner): Add audit fallback for fork PR runs

.github/workflows/autolabeler.yaml

@@ -50,12 +50,28 @@ jobs:
     timeout-minutes: 3
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: release-drafter/release-drafter/autolabeler@c2e2804cc59f45f57076a99af580d0fedb697927  # v7.3.0

.github/workflows/build-test-release.yaml

@@ -27,13 +27,29 @@ jobs:
       pull-requests: read
     timeout-minutes: 5
     steps:
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -60,13 +76,29 @@ jobs:
       tag: "${{ steps.tag-validate.outputs.tag_name }}"
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       - name: 'Checkout repository'
         # yamllint disable-line rule:line-length
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -128,13 +160,29 @@ jobs:
       GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
@@ -159,13 +207,29 @@ jobs:
     timeout-minutes: 12
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
@@ -188,13 +252,29 @@ jobs:
     timeout-minutes: 10
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
@@ -214,13 +294,29 @@ jobs:
       contents: read
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
@@ -260,13 +356,29 @@ jobs:
       contents: read
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       - name: "Download SBOM artefact"
         # yamllint disable-line rule:line-length
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
@@ -433,13 +545,29 @@ jobs:
     timeout-minutes: 5
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       - name: 'Test PyPI publishing'
         # yamllint disable-line rule:line-length
         uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23  # v0.1.6
@@ -462,13 +590,29 @@ jobs:
     timeout-minutes: 5
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       - name: 'PyPI release'
         # yamllint disable-line rule:line-length
         uses: lfreleng-actions/pypi-publish-action@f07400a2b57119f1ceac420f559803264b491f23  # v0.1.6
@@ -501,13 +645,29 @@ jobs:
       GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
@@ -541,13 +701,29 @@ jobs:
       release_url: "${{ steps.promote-release.outputs.release_url || steps.set-promoted-url.outputs.release_url }}"
     steps:
       # Harden the runner used by this workflow
-      # yamllint disable-line rule:line-length
-      - uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+      # When the CONNECTION_WHITELIST repo/org variable is exposed
+      # to this run (i.e. not a fork PR), use it to enforce a
+      # block-mode egress policy.
+      - name: 'Harden runner (block egress with whitelist)'
+        if: ${{ vars.CONNECTION_WHITELIST != '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
         with:
           egress-policy: 'block'
           allowed-endpoints: >
             ${{ vars.CONNECTION_WHITELIST }}
 
+      # Fallback for fork PRs and other contexts where the
+      # CONNECTION_WHITELIST variable is not exposed to the
+      # workflow.  Audit-only mode logs all egress without
+      # blocking it so CI still runs.
+      - name: 'Harden runner (audit fallback, no whitelist available)'
+        if: ${{ vars.CONNECTION_WHITELIST == '' }}
+        # yamllint disable-line rule:line-length
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450  # v2.19.1
+        with:
+          egress-policy: 'audit'
+
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2