From 8545c0d57d75411d2e235564bc303f5af497977e Mon Sep 17 00:00:00 2001
From: Evan Porter
Date: Thu, 19 Feb 2026 01:16:12 +0000
Subject: [PATCH 1/3] Change dependency-review egress-policy from audit to block
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index d1c6ef58..8db0112a 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ egress-policy: block
 - name: 'Checkout Repository'
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
From b7f6110ff7ec95a336aae52f19223f04023eeb3a Mon Sep 17 00:00:00 2001
From: Evan Porter
Date: Thu, 19 Feb 2026 01:21:34 +0000
Subject: [PATCH 2/3] This workflow needs access to github.com
---
 .github/workflows/dependency-review.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 8db0112a..8411ad81 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -18,6 +18,8 @@ jobs:
 uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
 with:
 egress-policy: block
+ allowed-endpoints: >
+ github.com:443
 - name: 'Checkout Repository'
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
From 1bc7234e2e516e5969526ba822d6d01c27106d15 Mon Sep 17 00:00:00 2001
From: Evan Porter
Date: Thu, 19 Feb 2026 01:26:46 +0000
Subject: [PATCH 3/3] Apparently this is used by checkout code too
---
 .github/workflows/dependency-review.yml | 1 +
 1 file changed, 1 insertion(+)
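Review bot: In the PATCH 2/3 hunk the new `allowed-endpoints` lists only `github.com:443`, yet the step that performs the review (outside this hunk; presumably `actions/dependency-review-action` further down the job) uses the GitHub REST API, which is served from api.github.com rather than github.com, so with `egress-policy: block` that call will be refused. After confirming the hostname in the harden-runner report for a blocked run, add `api.github.com:443` as a second line under the `>` scalar. The folded `>` scalar itself is the right shape here, since it joins the lines with spaces into the one-endpoint-per-line form harden-runner's examples use; note that a `#` inside a block scalar is content rather than a comment, so any explanation of why an entry exists has to sit on a comment line above the `allowed-endpoints:` key at the same indentation.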
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 8411ad81..5eee8252 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -20,6 +20,7 @@ jobs:
 egress-policy: block
 allowed-endpoints: >
 github.com:443
+ 54.185.253.63:443
 - name: 'Checkout Repository'
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
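Review bot: The added `54.185.253.63:443` is a bare IP address with nothing on the page saying what it is, and the commit subject itself only guesses ("Apparently … checkout") at why it is needed; an allow-list entry nobody can attribute is hard to review and keeps permitting whatever that address is reassigned to later, which undercuts the point of `egress-policy: block`. Identify the hostname behind the connection from the harden-runner report of the run that failed and list that hostname instead. If the connection really is made to a raw address, record the reason on a comment line above the key (a `#` inside the `>` block scalar would become part of the value), e.g. `# 54.185.253.63: <TODO identify owner/service> — observed from actions/checkout in run <RUN-ID>`. The pinned action SHAs already carry a `# vX.Y.Z` comment; the egress allow-list deserves the same provenance.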