diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ce495de..43208451 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
       ci: ${{ steps.detect.outputs.ci }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -72,7 +72,7 @@ jobs:
           - windows-11-arm
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -87,7 +87,9 @@ jobs:
             ports.ubuntu.com:80
             proxy.golang.org:443
             release-assets.githubusercontent.com:443
+            security.ubuntu.com:80
             storage.googleapis.com:443
+            us-west-2.ec2.archive.ubuntu.com:80
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -212,7 +214,7 @@ jobs:
           --health-retries 5
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -254,7 +256,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
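Review bot: The two apt mirrors added to `allowed-endpoints` in the -87 hunk are plain HTTP (`:80`), so transport security is not what protects those packages — apt's signed Release-file check is, and that holds only as long as no step in this job passes `--allow-unauthenticated` or sets `Acquire::AllowInsecureRepositories`; that should be stated so nobody later "fixes" the port to 443 (breaking the job) or, worse, loosens apt instead. `us-west-2.ec2.archive.ubuntu.com` is presumably the region-specific mirror the self-hosted runner's sources.list resolves to, so if the runners ever move region the install fails closed under `egress-policy: block`, which is the correct outcome but will look like a mirror outage. I would annotate the two entries: `# apt mirrors over plain HTTP: integrity comes from apt's signed Release files, not TLS` and `# us-west-2 mirror is tied to the self-hosted runner region; update if runners move`. The enclosing `allowed-endpoints` block starts before this hunk, so I cannot see whether other plain-HTTP hosts are already documented the same way.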
@@ -288,7 +290,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -321,7 +323,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -352,7 +354,7 @@ jobs:
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -368,7 +370,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: lts/*
@@ -388,14 +390,20 @@ jobs:
         build_tags: ["", "selfhosted"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
           disable-telemetry: true
+          # The two r2.cloudflarestorage.com entries are Docker Hub's
+          # R2 buckets (layers and images). The hashed subdomains are
+          # Docker Inc's Cloudflare account IDs -- stable per-account
+          # but not self-describing; update if Docker Hub reshards.
           allowed-endpoints: >
+            1ede90a8395416f286ba9f692dc6bacf.r2.cloudflarestorage.com:443
             api.github.com:443
             auth.docker.io:443
+            docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
             github.com:443
             gcr.io:443
             production.cloudflare.docker.com:443
@@ -426,7 +434,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           disable-telemetry: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 39ec2855..4be8c67a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -21,7 +21,7 @@ jobs:
       ci: ${{ steps.detect.outputs.ci }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -61,7 +61,7 @@ jobs:
       CGO_ENABLED: "0"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
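Review bot: The new comment above `allowed-endpoints` in the -388 hunk states as fact that the hashed R2 subdomains are Docker Inc's Cloudflare account IDs and are stable per account, but nothing in the workflow backs that up, and a maintainer facing a failed pull later has no way to re-derive these hostnames from the comment. Record the provenance and the consumer instead — presumably they were taken from a harden-runner audit report of the step that pulls from Docker Hub — e.g. `# Observed in a harden-runner audit run of the Docker Hub pull step; if pulls start failing, re-run that job with egress-policy: audit and refresh these.` It is also worth saying that under `egress-policy: block` a resharding surfaces as a failed pull, not a silent bypass, so "update if Docker Hub reshards" is fail-closed by construction. Since the allowlist constrains only the host and not what is served from it, the image references pulled through these hosts should be pinned by digest; those pulls are outside this hunk so I cannot confirm they are.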
@@ -106,7 +106,7 @@ jobs:
       CGO_ENABLED: "0"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -143,7 +143,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -180,7 +180,7 @@ jobs:
       CGO_ENABLED: "0"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -189,7 +189,9 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+            go.dev:443
             proxy.golang.org:443
+            release-assets.githubusercontent.com:443
             storage.googleapis.com:443
             sum.golang.org:443
@@ -211,7 +213,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           disable-telemetry: true
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index a85f2f9f..ef101936 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -31,7 +31,7 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
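Review bot: `release-assets.githubusercontent.com:443`, added in the -189 hunk of lint.yml, is the shared host for every GitHub release asset, so once it is allowed the egress policy no longer says anything about which project's artifact this job may download; the only remaining control is whatever verification the consuming step performs. If the consumer is a setup action or install script fetching a toolchain or linter binary (it is not visible in this hunk), make sure it pins an exact version and checks a checksum or signature, and name it next to the entry so the host can be pruned when that step changes: `# release-assets: <step> downloads <tool>; pinned and checksum-verified there`. `go.dev:443` presumably serves toolchain version resolution for the same job and deserves the same one-line attribution. The step that needs these hosts sits outside the hunk, so I cannot confirm the verification is in place.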
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1518240..e7b3e48f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: audit
diff --git a/.github/workflows/scheduled-release.yml b/.github/workflows/scheduled-release.yml
index dbe0b3e7..ce8a5232 100644
--- a/.github/workflows/scheduled-release.yml
+++ b/.github/workflows/scheduled-release.yml
@@ -24,7 +24,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: audit
@@ -71,7 +71,7 @@ jobs:
           map("::error::\(.name) is \(.conclusion // "none"), expected success") | .[] | halt_error(1) else true end'
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: lts/*
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 5a8298c4..e654670c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,7 +21,7 @@ jobs:
       ci: ${{ steps.detect.outputs.ci }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -59,7 +59,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -94,7 +94,7 @@ jobs:
       CGO_ENABLED: "0"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -133,7 +133,7 @@ jobs:
       cancel-in-progress: ${{ github.event_name == 'pull_request' }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -167,7 +167,7 @@ jobs:
       CGO_ENABLED: "0"
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -207,7 +207,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: block
           disable-telemetry: true
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
index 472c1792..b988826d 100644
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -22,7 +22,7 @@ jobs:
       needed: ${{ steps.check.outputs.needed }}
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block
@@ -60,7 +60,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@6c3c2f2c1c457b00c10c4848d6f5491db3b629df # v2.18.0
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           deploy-on-self-hosted-vm: true
           egress-policy: block