diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d7e93356..030fb929 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,7 +25,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -335,7 +335,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e6c1c150..f70665a8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -35,7 +35,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 51a3f236..e9bbe3d8 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml index 45b87e89..7aff91d7 100644 --- a/.github/workflows/devcontainer.yml +++ b/.github/workflows/devcontainer.yml @@ -16,7 +16,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index ea1bcd24..65077d06 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -53,7 +53,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -97,7 +97,7 @@ jobs: contents: write steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index c7196350..1933310c 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -25,7 +25,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ab644a3..c8c3639a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: release_id: ${{ steps.release_info.outputs.tag }} steps: - - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + - uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 6f10b053..cdad3d26 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml @@ -16,7 +16,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -28,6 +28,16 @@ jobs: community.chocolatey.org:443 community.chocolatey.org:80 packages.chocolatey.org:443 + cygwin.com:443 + mirrors.kernel.org:443 + *.c.lencr.org:443 + *.c.lencr.org:80 + *.dl.sourceforge.net:443 + downloads.sourceforge.net:443 + sourceforge.net:443 + svn.code.sf.net:443 + svn.code.sf.net:3690 + ziglang.org:443 - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: @@ -130,9 +140,11 @@ jobs: allowed-endpoints: >+ _https._tcp.packages.microsoft.com:443 api.github.com:443 + *.dl.sourceforge.net:443 community.chocolatey.org:443 community.chocolatey.org:80 dc.services.visualstudio.com:443 + downloads.sourceforge.net:443 fe2cr.update.microsoft.com:443 files.pythonhosted.org:443 github.com:443 @@ -141,6 +153,7 @@ jobs: packages.microsoft.com:443 pypi.org:443 release-assets.githubusercontent.com:443 + sourceforge.net:443 ziglang.org:443 runs-on: ${{ matrix.platform }} permissions: @@ -149,7 +162,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: ${{ matrix.allowed-endpoints }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2a062c9d..aeb60a58 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml index 1c7edf76..b9e873d2 100644 --- a/.github/workflows/source-provenance.yml +++ b/.github/workflows/source-provenance.yml @@ -21,7 +21,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ @@ -55,7 +55,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+ diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8f9c9826..c2b69ec4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -18,7 +18,7 @@ jobs: id-token: write steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block # dfetch.invalid and giiiiiidhub.com are intentionally invalid test diff --git a/.github/workflows/winget-publish.yml b/.github/workflows/winget-publish.yml index 052399e7..e0c2a21a 100644 --- a/.github/workflows/winget-publish.yml +++ b/.github/workflows/winget-publish.yml @@ -32,7 +32,7 @@ jobs: steps: - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)" - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: >+