Skip to content

Commit

Permalink
chore(ci): Update harden-runner, set policy to block, restrict permis…
Browse files Browse the repository at this point in the history 
…sions (#297)

Follow up to #296 

This updates harden-runner and sets our policy to block anything that isn't the npm registry or github.
  • Loading branch information
@blaine-arcjet
blaine-arcjet authored Mar 4, 2024
1 parent cf9fe38 commit deaecaa
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 15 deletions.
56 changes: 44 additions & 12 deletions .github/workflows/reusable-examples.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,20 @@ jobs:
nextjs-13-pages-wrap:
name: Next.js 13 + Page Router + withArcjet
runs-on: ubuntu-latest
permissions:
contents: read
steps:
# Environment security
- name: Step Security
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
registry.npmjs.org:443
# Checkout
# Most toolchains require checkout first
Expand Down Expand Up @@ -76,12 +84,20 @@ jobs:
nextjs-14-app-dir-validate-email:
name: Next.js 14 + App Router + Validate Email
runs-on: ubuntu-latest
permissions:
contents: read
steps:
# Environment security
- name: Step Security
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
registry.npmjs.org:443
# Checkout
# Most toolchains require checkout first
Expand Down Expand Up @@ -110,12 +126,20 @@ jobs:
nextjs-14-openai:
name: Next.js 14 + OpenAI
runs-on: ubuntu-latest
permissions:
contents: read
steps:
# Environment security
- name: Step Security
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
registry.npmjs.org:443
# Checkout
# Most toolchains require checkout first
Expand Down Expand Up @@ -144,12 +168,20 @@ jobs:
nextjs-14-pages-wrap:
name: Next.js 14 + Page Router + withArcjet
runs-on: ubuntu-latest
permissions:
contents: read
steps:
# Environment security
- name: Step Security
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
registry.npmjs.org:443
# Checkout
# Most toolchains require checkout first
Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/reusable-test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,18 @@ jobs:
matrix:
node: [18, 20]
os: [ubuntu-latest]
permissions:
contents: read
steps:
# Environment security
- name: Step Security
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443
# Checkout
# Most toolchains require checkout first
Expand Down

0 comments on commit deaecaa

Please sign in to comment.