From 970289617181b63dafe1448b0a8b800ef4a9e91a Mon Sep 17 00:00:00 2001
From: irongut
Date: Fri, 5 Aug 2022 23:22:13 +0100
Subject: [PATCH 1/4] implement stepsecurity policy for pm workflows #51

---
 .github/workflows/assign-to-project.yml | 4 +++-
 .github/workflows/auto-assign-pr.yml | 4 +++-
 .github/workflows/mark-stale.yml | 4 +++-
 .github/workflows/pr-labeler.yml | 4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/assign-to-project.yml b/.github/workflows/assign-to-project.yml
index 6742c26..295a84b 100644
--- a/.github/workflows/assign-to-project.yml
+++ b/.github/workflows/assign-to-project.yml
@@ -22,7 +22,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 
 - name: Assign Issues to Bugs
 uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index 3231eef..d07ff17 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -15,7 +15,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 
 - name: Auto Assign PR
 uses: samspills/assign-pr-to-author@b313feb250ff414d3aff26525b986f080ee7bd7a
diff --git a/.github/workflows/mark-stale.yml b/.github/workflows/mark-stale.yml
index ea840c8..8f6864b 100644
--- a/.github/workflows/mark-stale.yml
+++ b/.github/workflows/mark-stale.yml
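Review bot: The value of the new `allowed-endpoints:` is a folded scalar (`>`), so a `# …` placed beside `api.github.com:443` would become part of the value harden-runner receives rather than a comment; any rationale for an entry has to go on the line above the key. Since the removed TODO shows this list came from audit-mode runs, a comment such as `# allow-list derived from audit-mode runs; update when a step is added or changed` above `allowed-endpoints:` tells the next author why a new step that talks to another host is blocked under `block`. The identical hunks in auto-assign-pr.yml, mark-stale.yml and pr-labeler.yml would take the same comment. Each job's step list continues outside the hunk.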
@@ -19,7 +19,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 
 - name: Mark Stale
 uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 1d21c53..f6494fa 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -21,7 +21,9 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 
 - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
 with:

From 59bf0ee52abfb8f36f4f3818513f66836f2b7190 Mon Sep 17 00:00:00 2001
From: irongut
Date: Fri, 5 Aug 2022 23:22:45 +0100
Subject: [PATCH 2/4] implement stepsecurity policy for codeql workflow #51

---
 .github/workflows/codeql-scan.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-scan.yml b/.github/workflows/codeql-scan.yml
index b419084..a0f4a05 100644
--- a/.github/workflows/codeql-scan.yml
+++ b/.github/workflows/codeql-scan.yml
@@ -15,6 +15,11 @@ on:
 permissions: # added using https://github.com/step-security/secure-workflows
 contents: read
 
+env:
+ DOTNET_NOLOGO: true # Disable the .NET logo in the console output
+ DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+ DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
+
 jobs:
 analyze:
 name: Analyze
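Review bot: The three `DOTNET_*` entries in the new `env:` block of codeql-scan.yml are bare `true`, which a YAML parser reads as booleans; GitHub's workflow loader coerces env values to strings, but writing them as `"true"` makes the intent (a string read by the .NET CLI) explicit and stops generic YAML tooling and linters from reporting them as booleans. The inline comments on those lines also run well past 120 columns; a shorter form such as `# suppress the .NET welcome banner` keeps the block readable. The same env block is added to ci-build.yml and release-build.yml in the third and fourth patches and would take the same change.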
@@ -34,7 +39,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.nuget.org:443
+ dotnetbuilds.azureedge.net:443
+ dotnetcli.azureedge.net:443
+ dotnetcli.blob.core.windows.net:443
+ github.com:443
+ uploads.github.com:443
 
 - name: Checkout repository
 uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28

From 3216094ffb073b1e9d45cd5c973b2aef1091402c Mon Sep 17 00:00:00 2001
From: irongut
Date: Fri, 5 Aug 2022 23:26:04 +0100
Subject: [PATCH 3/4] implement stepsecurity policy for ci build workflow #51

---
 .github/workflows/ci-build.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 87139e1..a37a0ee 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -9,6 +9,11 @@ on:
 permissions:
 contents: read
 
+env:
+ DOTNET_NOLOGO: true # Disable the .NET logo in the console output
+ DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+ DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -18,7 +23,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.nuget.org:443
+ dotnetbuilds.azureedge.net:443
+ dotnetcli.azureedge.net:443
+ dotnetcli.blob.core.windows.net:443
+ github.com:443
 
 - name: Checkout
 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf

From 74295b4928f06d144929dcf9ddd337d93ddca24a Mon Sep 17 00:00:00 2001
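Review bot: The codeql-scan allow-list hard-codes the .NET install CDN hosts (`dotnetbuilds.azureedge.net`, `dotnetcli.azureedge.net`, `dotnetcli.blob.core.windows.net`), which are chosen by the installer rather than by this repository, so a CDN change or an SDK bump can surface as a blocked connection with no obvious cause once the policy is `block`. A comment above `allowed-endpoints:` such as `# .NET CDN hosts used by the SDK install step; re-check against an audit run when the SDK version changes` would make that external dependency visible to whoever next touches the list. The ci-build.yml and release-build.yml hunks in the third and fourth patches carry the same CDN entries. The rest of the job, including the step that installs the SDK (presumably actions/setup-dotnet), is outside the hunk.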
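Review bot: The ci-build allow-list omits `api.github.com:443`, which the codeql-scan list in the previous patch includes; if any later step of the build job calls the GitHub API (posting a coverage comment on the pull request, for instance) that call is blocked now that the policy is `block`, and nothing in this hunk shows the remaining steps. Worth confirming against an audit-mode run before merging, or adding `api.github.com:443` to the folded list if such a step exists. The `Test Build` job in release-build.yml (fourth patch) has the same list and the same question. The job's later steps are outside the hunk.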
From: irongut
Date: Fri, 5 Aug 2022 23:47:41 +0100
Subject: [PATCH 4/4] implement stepsecurity policy for release workflow #51

---
 .github/workflows/release-build.yml | 33 +++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 766f88e..793985d 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -4,13 +4,16 @@ on:
 release:
 types: [published]
 
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
-
 permissions:
 contents: read
 
+env:
+ DOTNET_NOLOGO: true # Disable the .NET logo in the console output
+ DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true # Disable the .NET first time experience to skip caching NuGet packages and speed up the build
+ DOTNET_CLI_TELEMETRY_OPTOUT: true # Disable sending .NET CLI telemetry to Microsoft
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
 jobs:
 build:
 name: Test Build
@@ -20,7 +23,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.nuget.org:443
+ dotnetbuilds.azureedge.net:443
+ dotnetcli.azureedge.net:443
+ dotnetcli.blob.core.windows.net:443
+ github.com:443
 
 - name: Checkout
 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
@@ -55,7 +64,19 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.nuget.org:443
+ auth.docker.io:443
+ fulcio.sigstore.dev:443
+ ghcr.io:443
+ github.com:443
+ mcr.microsoft.com:443
+ pipelines.actions.githubusercontent.com:443
+ pkg-containers.githubusercontent.com:443
+ registry-1.docker.io:443
+ storage.googleapis.com:443
 
 - name: Checkout
 uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
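Review bot: The allow-list for this release job contains `fulcio.sigstore.dev:443` and the OIDC token endpoint `pipelines.actions.githubusercontent.com:443`, which is consistent with keyless signing, but there is no `rekor.sigstore.dev:443` entry; keyless cosign signing records the signature in the Rekor transparency log by default, so that upload would be blocked under `block` unless the signing step disables transparency-log upload. Confirm which signing step runs later in the job (it is outside the hunk) and either add `rekor.sigstore.dev:443` to the folded list or record why it is not needed. A comment above `allowed-endpoints:` tying the registry and sigstore entries to the steps that use them would also help, since a folded scalar cannot carry inline comments.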