Merge c3a6221 into 00bc0f0

SolidInvoice · May 29, 2023 · e64a652 · e64a652
2 parents 00bc0f0 + c3a6221
commit e64a652
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 153 deletions.
diff --git a/.github/workflows/automatic-release.yml b/.github/workflows/automatic-release.yml
@@ -12,9 +12,22 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
+            ppa.launchpadcontent.net:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            registry.yarnpkg.com:443
+            security.ubuntu.com:80
+            uploads.github.com:443
 
       - name: Checkout
         uses: "actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f"

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,7 @@
 name: "CodeQL"
 
 on:
-  push:
-    branches: [ 2.2.x ]
   pull_request:
-    branches: [ 2.2.x ]
   schedule:
     - cron: '26 23 * * 2'
 
@@ -27,9 +24,13 @@ jobs:
 
     steps:
     - name: Harden Runner
-      uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+      uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
       with:
-        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+        disable-sudo: true
+        egress-policy: block
+        allowed-endpoints: >
+          api.github.com:443
+          github.com:443
 
     - name: Checkout repository
       uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
@@ -50,21 +51,38 @@ jobs:
       actions: read  # for github/codeql-action/init to get workflow details
       contents: read  # for actions/checkout to fetch code
       security-events: write  # for github/codeql-action/autobuild to send a status report
-    
+
     name: Qodana
     runs-on: ubuntu-latest
-    
+
     steps:
-
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.qodana.cloud:443
+            github.com:443
+            objects.githubusercontent.com:443
+            prod.fus.aws.intellij.net:443
+            production.cloudflare.docker.com:443
+            qc-results-prod.s3.eu-west-1.amazonaws.com:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            auth.docker.io:443
+            registry.npmjs.org:443
+            resources.jetbrains.com:443
+            schemastore.org:443
 
       - name: Checkout repository
         uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
 
       - name: 'Qodana Scan'
-        uses: JetBrains/qodana-action@main
+        uses: JetBrains/qodana-action@61b94e7e3a716dcb9e2030cfd79cd46149d56c26
         env:
           QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
+
+      - uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d
+        with:
+          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/cs.yml b/.github/workflows/cs.yml
@@ -13,9 +13,14 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
 
       - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
 
@@ -50,9 +55,16 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
+            raw.githubusercontent.com:443
+            repo.packagist.org:443
 
       - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
 
@@ -80,9 +92,14 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            registry.yarnpkg.com:443
 
       - name: Checkout Code
         uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/security-checker.yml b/.github/workflows/security-checker.yml
@@ -10,9 +10,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
 
       - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
       - uses: symfonycorp/security-checker-action@258311ef7ac571f1310780ef3d79fc5abef642b5

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -14,9 +14,14 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
 
       - name: Checkout
         uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
@@ -48,23 +53,3 @@ jobs:
 
       - name: Run PHPStan
         run: bin/phpstan analyse -c phpstan.test.neon
-
-  qodana:
-    name: Qodana
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
-        with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f
-
-      - name: 'Qodana Scan'
-        uses: JetBrains/qodana-action@7afb26c0c2f325c0d5c21ea1f617c79c7f899337
-
-      - uses: github/codeql-action/upload-sarif@67a35a08586135a9573f4327e904ecbf517a882d
-        with:
-          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
@@ -46,9 +46,21 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            chromedriver.storage.googleapis.com:443
+            codecov.io:443
+            coveralls.io:443
+            github.com:443
+            objects.githubusercontent.com:443
+            packagist.org:443
+            registry.yarnpkg.com:443
+            repo.packagist.org:443
+            storage.googleapis.com:443
+            uploader.codecov.io:443
 
       - name: Checkout
         uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f