ci: enforce egress allow-list on jobs that consume HF_TOKEN#1475
Closed
adobrzyn wants to merge 1 commit into
Conversation
Adds 'step-security/harden-runner@v2.19.3' (SHA-pinned) as the first
step of every CI job that consumes secrets.HF_TOKEN, configured with
'egress-policy: block' and a curated allow-list of endpoints that the
current build + test pipeline actually needs.
Allow-list (derived from reading .github/Dockerfile.ci, the workflow
files, and tests/full_tests/ci_e2e_discoverable_tests.sh):
GitHub Actions infrastructure:
api.github.com, github.com, codeload.github.com,
objects.githubusercontent.com, raw.githubusercontent.com,
release-assets.githubusercontent.com,
*.actions.githubusercontent.com,
results-receiver.actions.githubusercontent.com,
ghcr.io, pkg-containers.githubusercontent.com,
*.blob.core.windows.net (cache / artifacts)
Docker base image (build phase):
vault.habana.ai (Habana Gaudi base)
Python packages (build + test phase):
pypi.org, files.pythonhosted.org,
download.pytorch.org (torchaudio CPU wheel)
Model weights (test phase):
huggingface.co, cdn-lfs.huggingface.co, cdn-lfs.hf.co,
cdn-lfs-us-1.hf.co, cas-bridge.xethub.hf.co, xet-lfs-us-1.hf.co
Because every test container is launched with '--network=host', the
host-level eBPF filter installed by harden-runner sees and enforces
on the container's traffic — no per-container instrumentation needed.
This is defense-in-depth, layered on top of:
- pre-merge-trigger approval gate (vllm-project#1471)
- approved-workflow environment for HF_TOKEN (vllm-project#1473)
Together these three changes mean a planted payload in a PR cannot:
1. run at all without maintainer approval (vllm-project#1471)
2. receive HF_TOKEN without environment approval (vllm-project#1473)
3. exfiltrate to an attacker-controlled host (this PR)
If anything legitimate gets blocked, the harden-runner check run
will identify the host that was denied; we add it to the allow-list
in a follow-up.
Affected jobs (15 - same set as vllm-project#1473):
pre-merge.yaml: hpu_unit_tests, hpu_pd_tests, hpu_perf_tests,
hpu_dp_tests, e2e, calibration_tests
hourly-ci.yaml: run_unit_tests, e2e, run_data_parallel_test,
run_pd_disaggregate_test
create-release-branch: run_unit_tests, e2e, run_data_parallel_test,
run_pd_disaggregate_test, run_hpu_perf_tests
Signed-off-by: Agata Dobrzyniewicz <adobrzyniewicz@habana.ai>
Pull request overview
This PR hardens CI jobs that consume secrets.HF_TOKEN by adding step-security/harden-runner as the first step in each such job, enforcing an egress-deny-by-default policy with an explicit endpoint allow-list to reduce secret exfiltration risk.
Changes:
- Add `step-security/harden-runner@v2.19.3` (SHA-pinned) to HF_TOKEN-consuming jobs in CI workflows.
- Configure `egress-policy: block` with an endpoint allow-list covering GitHub Actions infra, package installs, and Hugging Face model downloads.
- Apply the same hardening pattern across pre-merge, hourly CI, and release-branch CI jobs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/pre-merge.yaml | Adds harden-runner egress blocking + allow-list to HF_TOKEN-consuming pre-merge test jobs. |
| .github/workflows/hourly-ci.yaml | Adds harden-runner egress blocking + allow-list to HF_TOKEN-consuming hourly test jobs. |
| .github/workflows/create-release-branch.yaml | Adds harden-runner egress blocking + allow-list to HF_TOKEN-consuming release-branch test jobs. |
| results-receiver.actions.githubusercontent.com:443 | ||
| ghcr.io:443 | ||
| pkg-containers.githubusercontent.com:443 | ||
| *.blob.core.windows.net:443 |
Comment on lines +366 to +372
| - name: Harden runner (egress block) | ||
| uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 | ||
| with: | ||
| egress-policy: block | ||
| disable-sudo: false | ||
| allowed-endpoints: > | ||
| api.github.com:443 |
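Review bot: `disable-sudo: false` on the same step that sets `egress-policy: block` leaves any code running in the job with root on the runner host, which is exactly what it needs to alter or unload the host-level filter the block policy depends on. The description keeps sudo so that steps can reach `docker`; if the runner user is already in the docker group, check whether those steps need sudo at all and set `disable-sudo: true`, otherwise add a one-line comment beside the key stating why it must stay false so a later editor does not tighten it blindly.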
| results-receiver.actions.githubusercontent.com:443 | ||
| ghcr.io:443 | ||
| pkg-containers.githubusercontent.com:443 | ||
| *.blob.core.windows.net:443 |
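Review bot: `*.blob.core.windows.net:443` is broader than the cache/artifacts use it is meant for: every Azure Storage account is reachable as `<account>.blob.core.windows.net`, so an attacker-created account is an allowed sink and the exfiltration case this PR targets stays open through this entry. If the harden-runner check run shows which storage hosts the Actions cache and artifact services actually contact, pin those names instead of the wildcard; if it cannot be narrowed, record the accepted exposure in a comment next to the entry.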
Comment on lines +105 to +111
| - name: Harden runner (egress block) | ||
| uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 | ||
| with: | ||
| egress-policy: block | ||
| disable-sudo: false | ||
| allowed-endpoints: > | ||
| api.github.com:443 |
| results-receiver.actions.githubusercontent.com:443 | ||
| ghcr.io:443 | ||
| pkg-containers.githubusercontent.com:443 | ||
| *.blob.core.windows.net:443 |
Comment on lines +168 to +174
| - name: Harden runner (egress block) | ||
| uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 | ||
| with: | ||
| egress-policy: block | ||
| disable-sudo: false | ||
| allowed-endpoints: > | ||
| api.github.com:443 |
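Review bot: this step and its allow-list are pasted verbatim into every HF_TOKEN-consuming job across three workflows (the identical hunks at +105, +168 and +366 are three of fifteen). The follow-up "one-liner" to unblock a legitimate host then becomes fifteen edits, and a job that misses one silently keeps a stale list. Factor the step into a composite action under `.github/actions/` that wraps `step-security/harden-runner` with the list, and have each job `uses:` that action as its first step so there is a single source of truth.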
Summary
Adds `step-security/harden-runner@v2.19.3` (SHA-pinned) as the first step of every CI job that consumes `secrets.HF_TOKEN`, configured with `egress-policy: block` and a curated allow-list of endpoints that the current build + test pipeline actually needs.
Why
Even with #1471 (pre-merge approval gate) and #1473 (`approved-workflow` environment for `HF_TOKEN`), a planted payload that activates inside a trusted job today has unrestricted egress.
Layered together, these three PRs mean a planted payload in a PR cannot:
- `HF_TOKEN` without environment approval (ci: route HF_TOKEN-using jobs through approved-workflow environment #1473)
Allow-list (derived from code, not collected from runs)
Walked through `.github/Dockerfile.ci`, the three workflow YAMLs, and `tests/full_tests/ci_e2e_discoverable_tests.sh`:
- GitHub Actions infrastructure: `api.github.com`, `github.com`, `codeload.github.com`, `objects.githubusercontent.com`, `raw.githubusercontent.com`, `release-assets.githubusercontent.com`, `*.actions.githubusercontent.com`, `results-receiver.actions.githubusercontent.com`, `ghcr.io`, `pkg-containers.githubusercontent.com`, `*.blob.core.windows.net`
- Docker base image: `vault.habana.ai`
- Python packages: `pypi.org`, `files.pythonhosted.org`, `download.pytorch.org`
- Model weights: `huggingface.co`, `cdn-lfs.huggingface.co`, `cdn-lfs.hf.co`, `cdn-lfs-us-1.hf.co`, `cas-bridge.xethub.hf.co`, `xet-lfs-us-1.hf.co`
If something legitimate gets blocked, the harden-runner check-run identifies the denied host and we add it in a follow-up one-liner.
How it covers the docker containers
Every test container is launched with `--network=host`, so the eBPF filter installed by harden-runner on the runner host sees and enforces on the container's outbound traffic — no per-container instrumentation needed.
Affected jobs (15 — same set as #1473)
- `pre-merge.yaml`: hpu_unit_tests, hpu_pd_tests, hpu_perf_tests, hpu_dp_tests, e2e, calibration_tests
- `hourly-ci.yaml`: run_unit_tests, e2e, run_data_parallel_test, run_pd_disaggregate_test
- `create-release-branch.yaml`: run_unit_tests, e2e, run_data_parallel_test, run_pd_disaggregate_test, run_hpu_perf_tests
Snippet inserted (identical in every job)
Self-hosted runner notes
- `harden-runner` installs a small monitoring agent on the runner host. Requires `sudo` (already available on `pr-ci`/`hourly-ci` pools).
- `disable-sudo: false` is kept because some CI steps need `docker` via group/sudo.
- The `--privileged` flag on test containers means a sufficiently sophisticated payload could try to tamper with the host firewall from inside the container. This is a residual risk; closing it would require moving the harden-runner step inside the container or dropping `--privileged`. Out of scope here.
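The allow-list above was derived by reading the Dockerfile, the workflows and the test script rather than from observed traffic, and the fallback when something is missed is to wait for the check run to report a denied host. The following is an added example, not code from this PR, from the project or from harden-runner, of doing that comparison offline before a job runs: it pulls every URL and scheme-less registry reference out of constructed stand-ins for those files, matches each host:port against the PR's allow-list, and reports what `egress-policy: block` would deny. The sample file contents, the `SAMPLE_FILES` / `uncovered_endpoints` names, and the wildcard semantics (a leading `*.` matches any subdomain but not the apex) are assumptions.

```python
"""Offline check that every network endpoint referenced by the build/test
sources is covered by a harden-runner style egress allow-list.

Added example, not code from the PR or from harden-runner. The sample files
are constructed stand-ins for .github/Dockerfile.ci, a workflow and the e2e
test script; the wildcard rule (a leading '*.' matches any subdomain but not
the apex) is an assumption about harden-runner's matching."""
import re
from urllib.parse import urlsplit

# Constructed sample sources (not the repository's real files).
SAMPLE_FILES = {
    "Dockerfile.ci": """
FROM vault.habana.ai/gaudi-docker/1.21.0/ubuntu22.04/habanalabs/pytorch-installer:latest
RUN pip install --index-url https://pypi.org/simple vllm
RUN pip install torchaudio --index-url https://download.pytorch.org/whl/cpu
""",
    "pre-merge.yaml": """
      - run: curl -sSL https://raw.githubusercontent.com/vllm-project/vllm/main/requirements.txt
      - run: docker pull ghcr.io/vllm-project/vllm-gaudi:latest
""",
    "ci_e2e_discoverable_tests.sh": """
export HF_ENDPOINT=https://huggingface.co
wget https://cdn-lfs-us-1.hf.co/repos/ab/cd/model.safetensors
curl https://example-metrics.invalid/upload   # not on the list: would be blocked
""",
}

# The allow-list from the PR's harden-runner step, one host:port per token
# (harden-runner takes them as a whitespace-separated folded scalar).
ALLOWED_ENDPOINTS = """
api.github.com:443 github.com:443 codeload.github.com:443
objects.githubusercontent.com:443 raw.githubusercontent.com:443
release-assets.githubusercontent.com:443 *.actions.githubusercontent.com:443
results-receiver.actions.githubusercontent.com:443 ghcr.io:443
pkg-containers.githubusercontent.com:443 *.blob.core.windows.net:443
vault.habana.ai:443 pypi.org:443 files.pythonhosted.org:443 download.pytorch.org:443
huggingface.co:443 cdn-lfs.huggingface.co:443 cdn-lfs.hf.co:443
cdn-lfs-us-1.hf.co:443 cas-bridge.xethub.hf.co:443 xet-lfs-us-1.hf.co:443
"""

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# Scheme-less image references such as ghcr.io/org/image or vault.habana.ai/path.
REGISTRY_RE = re.compile(r"(?:^|\s)((?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?)/[\w./-]+", re.M)


def parse_allowlist(text):
    """Split 'host:port' tokens into (pattern, port); a missing port means 443."""
    entries = []
    for tok in text.split():
        host, _, port = tok.partition(":")
        entries.append((host.lower(), int(port) if port else 443))
    return entries


def endpoint_allowed(host, port, entries):
    """True if host:port matches an entry exactly or via a '*.' subdomain wildcard."""
    host = host.lower()
    for pattern, allowed_port in entries:
        if allowed_port != port:
            continue
        if pattern.startswith("*."):
            # Assumption: '*.example.net' covers 'a.example.net' but not 'example.net'.
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def extract_endpoints(content):
    """Collect (host, port) pairs for every URL or registry reference in a file."""
    found = set()
    for m in URL_RE.finditer(content):
        u = urlsplit(m.group(0))
        found.add((u.hostname, u.port or (443 if u.scheme == "https" else 80)))
    for m in REGISTRY_RE.finditer(content):
        host, _, port = m.group(1).partition(":")
        found.add((host, int(port) if port else 443))
    return found


def uncovered_endpoints(files, allowlist_text):
    """Map 'host:port' -> set of file names for endpoints the block policy would deny."""
    entries = parse_allowlist(allowlist_text)
    missing = {}
    for name, content in files.items():
        for host, port in extract_endpoints(content):
            if not endpoint_allowed(host, port, entries):
                missing.setdefault(f"{host}:{port}", set()).add(name)
    return missing


if __name__ == "__main__":
    for endpoint, sources in sorted(uncovered_endpoints(SAMPLE_FILES, ALLOWED_ENDPOINTS).items()):
        print(f"would be blocked: {endpoint}  (referenced in {', '.join(sorted(sources))})")
```

Run as a lint step against the real files, this catches a new `pip install --index-url` or `docker pull` before it fails under the block policy. The regexes only see literal hostnames, so an endpoint assembled at runtime (an `HF_ENDPOINT` override, a mirror set through an environment variable) still has to be added to the list by hand, and the apex-versus-subdomain behaviour of the wildcard entries should be confirmed against harden-runner's own documentation before relying on it.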