Enable setting allowed-endpoints via insights website

[varunsh-coder]

Currently, the allowed-endpoints are set in the workflow file. For workflows where the endpoints might often change, e.g., re-usable workflows, it would be better to enable setting allowed-endpoints using the insights website.

This will remove the need to update the workflow file to set allowed endpoints.

[varunsh-coder]

Proposed developer experience

1. The developer starts by setting harden runner in audit mode
2. The workflow runs, and insights are generated
3. On the insight page, the developer looks at the recommended policy. This is currently shown in a code editor, and the policy can be set in the workflow. This will remain as-is.
4. In addition, the insights page will have a button to Set up a policy using API.
5. The developer will click this button to create a policy for the workflow.
6. The developer will choose a name/ identifier for the policy and click the “Save” button to save the policy.
7. The developer can now use this policy in the harden runner config in a job by referring to the policy with its name/ identifier.

steps:
  - uses: step-security/harden-runner@v2
    with:
      policy: my-policy

8. The workflow will run again. Harden runner knows it must fetch policy from API using the given name.
9. Harden Runner will fetch the policy and merge it with the local policy, giving local policy preference. This means if a job has declared allowed endpoints in the workflow, they will take preference over the policy.
10. If an endpoint is blocked, harden runner will send a notification and show the policy page for the given policy and allow the developer to add the new endpoint to the policy.
11. The developer will save the policy to add the new endpoint.
12. The workflow will run again, and harden runner will fetch the updated policy with the new allowed endpoint, and the workflow will work fine.

[varunsh-coder]

/cc @Devils-Knight

[varunsh-coder]

@h0x0er please make changes to the fetch policy from API. For the time being, you can mock the API call.

[varunsh-coder]

@h0x0er the plan is that harden-runner should use id-token to call the insights API to fetch the policy.

You can re-use code from here for that. It shows how to get the token and send to the API.
We should show an error and fail the job if the token cannot be fetched.

[varunsh-coder]

@h0x0er we need to add retry logic for the code that fetches the policy. We can wait for a second between each retry and try 3 times. We should not get the token again. The token should be generated just once and used for the retry logic.

We should log something like Fetching policy from API with name: <policy>

[varunsh-coder]

This has been released. https://www.stepsecurity.io/blog/introducing-harden-runner-policy-store

Great work @h0x0er!

Closing the issue.