diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 766f88e..793985d 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -4,13 +4,16 @@ on:
 release:
 types: [published]
 
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
 permissions:
 contents: read
 
+env:
+ DOTNET_NOLOGO: true # Disable the .NET logo in the console output
+ DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+ DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
 jobs:
 build:
 name: Test Build
@@ -20,7 +23,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.nuget.org:443
+ dotnetbuilds.azureedge.net:443
+ dotnetcli.azureedge.net:443
+ dotnetcli.blob.core.windows.net:443
+ github.com:443

 - name: Checkout
 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
@@ -55,7 +64,19 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.nuget.org:443
+ auth.docker.io:443
+ fulcio.sigstore.dev:443
+ ghcr.io:443
+ github.com:443
+ mcr.microsoft.com:443
+ pipelines.actions.githubusercontent.com:443
+ pkg-containers.githubusercontent.com:443
+ registry-1.docker.io:443
+ storage.googleapis.com:443

 - name: Checkout
 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
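Review bot: The three new `DOTNET_*` entries in the `env:` block of the `@@ -4,13 +4,16 @@` hunk are written as bare YAML booleans although environment variables are always strings; quoting them, e.g. `DOTNET_CLI_TELEMETRY_OPTOUT: 'true'`, states the intent and avoids retyping surprises if the file is ever processed by a generic YAML tool. The inline comment on `DOTNET_SKIP_FIRST_TIME_EXPERIENCE` pushes that line well past common line-length limits and would read better as a comment line above the key. `REGISTRY` and `IMAGE_NAME` remain workflow-wide, so the Test Build job receives them too; if only the publishing job uses them (not visible in this hunk), job-level `env` would be the tighter scope.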
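Review bot: The `allowed-endpoints` list added to the Test Build job in the `@@ -20,7 +23,13 @@` hunk records neither why each host is needed nor which audit run produced it, so a later reviewer cannot tell a stale entry from a required one; the same holds for the longer list in the `@@ -55,7 +64,19 @@` hunk. I would add a comment such as `# Hosts taken from harden-runner audit insights of run <RUN_URL>; re-check after changing SDK or action versions`, placed above `allowed-endpoints:` because anything written inside the `>` scalar becomes part of the value. Since the only trigger visible here is `release: published`, a host missing from either list will first surface as a failed release, so a manual trigger such as `workflow_dispatch` or a pre-release run that exercises block mode would be worth having. The job's step list continues outside the hunk.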
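Review bot: Several hosts allowed in the `@@ -55,7 +64,19 @@` hunk are shared multi-tenant services (`github.com`, `api.github.com`, `ghcr.io`, `registry-1.docker.io`, `storage.googleapis.com`), so block mode narrows egress but does not prevent a compromised step from sending data to another account on those services, assuming the filter matches on host and port only, as the `host:443` format suggests. That makes the job's token scopes the real boundary: `packages: write` and `id-token: write` should be granted on this job alone (job-level `permissions` are outside the hunk), and the outbound calls harden-runner logs should be treated as a detection source, not a guarantee. Separately, `fulcio.sigstore.dev` suggests keyless signing, yet no Sigstore transparency-log host (typically `rekor.sigstore.dev`) is listed. Please confirm from an audit run that signing completes under `egress-policy: block`, otherwise a release could end with an image pushed but not signed.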