[Actions] Updated .github/workflows/dependabot.yml

credfeto · Apr 7, 2024 · 59e6df7 · 59e6df7
1 parent 3981fc0
commit 59e6df7
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -20,6 +20,24 @@ jobs:
       - name: "Initialise Workspace"
         shell: bash
         run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
+
+      - name: "Harden Security"
+        uses: step-security/harden-runner@v2.7.0
+        with:
+          egress-policy: audit
+          disable-sudo: true
+          allowed-endpoints: >
+            api.github.com:443
+            api.osv.dev:443
+            api.securityscorecards.dev:443
+            codeload.github.com:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
+
       - name: "Rebase"
         uses: bbeesley/gha-auto-dependabot-rebase@v1.3.345
         env: