merge PR #62 Implement StepSecurity Secure Workflows (policy)

PR: Implement StepSecurity Secure Workflows (policy)
2026-05-14 14:10:14 +02:00 · 2022-08-05 23:57:50 +01:00
parent 7c7e56f29d 74295b4928
commit 84eac7e593
7 changed files with 65 additions and 12 deletions
@@ -22,7 +22,9 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443

    - name: Assign Issues to Bugs
      uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
@@ -15,7 +15,9 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443

    - name: Auto Assign PR
      uses: samspills/assign-pr-to-author@b313feb250ff414d3aff26525b986f080ee7bd7a
@@ -9,6 +9,11 @@ on:
 permissions:
  contents: read

+env:
+  DOTNET_NOLOGO: true                     # Disable the .NET logo in the console output
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+  DOTNET_CLI_TELEMETRY_OPTOUT: true       # Disable sending .NET CLI telemetry to Microsoft
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -18,7 +23,13 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.nuget.org:443
+          dotnetbuilds.azureedge.net:443
+          dotnetcli.azureedge.net:443
+          dotnetcli.blob.core.windows.net:443
+          github.com:443

    - name: Checkout
      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
@@ -15,6 +15,11 @@ on:
 permissions:  # added using https://github.com/step-security/secure-workflows
  contents: read

+env:
+  DOTNET_NOLOGO: true                     # Disable the .NET logo in the console output
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+  DOTNET_CLI_TELEMETRY_OPTOUT: true       # Disable sending .NET CLI telemetry to Microsoft
+
 jobs:
  analyze:
    name: Analyze
@@ -34,7 +39,15 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          api.nuget.org:443
+          dotnetbuilds.azureedge.net:443
+          dotnetcli.azureedge.net:443
+          dotnetcli.blob.core.windows.net:443
+          github.com:443
+          uploads.github.com:443

    - name: Checkout repository
      uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
@@ -19,7 +19,9 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443

    - name: Mark Stale
      uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8
@@ -21,7 +21,9 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443

    - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
      with:
@@ -4,13 +4,16 @@ on:
  release:
    types: [published]

-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
 permissions:
  contents: read

+env:
+  DOTNET_NOLOGO: true                     # Disable the .NET logo in the console output
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+  DOTNET_CLI_TELEMETRY_OPTOUT: true       # Disable sending .NET CLI telemetry to Microsoft
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
  build:
    name: Test Build
@@ -20,7 +23,13 @@ jobs:
    - name: Harden Runner
      uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
      with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.nuget.org:443
+          dotnetbuilds.azureedge.net:443
+          dotnetcli.azureedge.net:443
+          dotnetcli.blob.core.windows.net:443
+          github.com:443

    - name: Checkout
      uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
@@ -55,7 +64,19 @@ jobs:
      - name: Harden Runner
        uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.nuget.org:443
+            auth.docker.io:443
+            fulcio.sigstore.dev:443
+            ghcr.io:443
+            github.com:443
+            mcr.microsoft.com:443
+            pipelines.actions.githubusercontent.com:443
+            pkg-containers.githubusercontent.com:443
+            registry-1.docker.io:443
+            storage.googleapis.com:443

      - name: Checkout
        uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf