harden runners

hydrologie · Mar 12, 2024 · 6bf6c62 · 6bf6c62
1 parent 0130c05
commit 6bf6c62
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -44,6 +44,10 @@ jobs:
         python-version:
           - "3.x"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Set up Python${{ matrix.python-version }}
         uses: actions/setup-python@v5.0.0
@@ -70,6 +74,10 @@ jobs:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
         uses: mamba-org/setup-micromamba@v1
@@ -120,7 +128,21 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            ai4edataeuwest.blob.core.windows.net:443
+            cdn.proj.org:443
+            conda.anaconda.org:443
+            coveralls.io:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            planetarycomputer.microsoft.com:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+            s3.us-east-2.wasabisys.com:443
+            s3.wasabisys.com:443
       - uses: actions/checkout@v4.1.1
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
         uses: mamba-org/setup-micromamba@v1.8.1
@@ -170,6 +192,10 @@ jobs:
       run:
         shell: bash -l {0}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Setup Conda (Micromamba) with Python${{ matrix.python-version }}
         uses: mamba-org/setup-micromamba@v1