From 970289617181b63dafe1448b0a8b800ef4a9e91a Mon Sep 17 00:00:00 2001
From: irongut <murray.dave@outlook.com>
Date: Fri, 5 Aug 2022 23:22:13 +0100
Subject: [PATCH] implement stepsecurity policy for pm workflows #51

---
 .github/workflows/assign-to-project.yml | 4 +++-
 .github/workflows/auto-assign-pr.yml    | 4 +++-
 .github/workflows/mark-stale.yml        | 4 +++-
 .github/workflows/pr-labeler.yml        | 4 +++-
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/assign-to-project.yml b/.github/workflows/assign-to-project.yml
index 6742c26..295a84b 100644
--- a/.github/workflows/assign-to-project.yml
+++ b/.github/workflows/assign-to-project.yml
@@ -22,7 +22,9 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
 
     - name: Assign Issues to Bugs
       uses: srggrs/assign-one-project-github-action@4d59cc619499b55ca689fb13cfcc72324a8b8435
diff --git a/.github/workflows/auto-assign-pr.yml b/.github/workflows/auto-assign-pr.yml
index 3231eef..d07ff17 100644
--- a/.github/workflows/auto-assign-pr.yml
+++ b/.github/workflows/auto-assign-pr.yml
@@ -15,7 +15,9 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
 
     - name: Auto Assign PR
       uses: samspills/assign-pr-to-author@b313feb250ff414d3aff26525b986f080ee7bd7a
diff --git a/.github/workflows/mark-stale.yml b/.github/workflows/mark-stale.yml
index ea840c8..8f6864b 100644
--- a/.github/workflows/mark-stale.yml
+++ b/.github/workflows/mark-stale.yml
@@ -19,7 +19,9 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
 
     - name: Mark Stale
       uses: actions/stale@9c1b1c6e115ca2af09755448e0dbba24e5061cc8
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 1d21c53..f6494fa 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -21,7 +21,9 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
 
     - uses: actions/labeler@472c5d3aaacde439785e94966eb2e545627f4935
       with: