From 3715fa4cd490d77b4149ba17b1b2145393af049b Mon Sep 17 00:00:00 2001
From: Richard Zak
Date: Sat, 23 Dec 2023 19:35:54 -0500
Subject: [PATCH] ci: harden CI

Signed-off-by: Richard Zak
---
 .github/workflows/commisery.yml | 5 ++++-
 .github/workflows/dco.yml | 5 ++++-
 .github/workflows/lint.yml | 8 +++++++-
 .github/workflows/test.yml | 8 +++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/commisery.yml b/.github/workflows/commisery.yml
index cea9cfc..d3d3536 100644
--- a/.github/workflows/commisery.yml
+++ b/.github/workflows/commisery.yml
@@ -24,7 +24,10 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - name: Run Commisery
         uses: tomtom-international/commisery-action@33eb2d6e7dfc53e6d3d09ea20c639b8858f75021 # v2.19.3
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index bebaca8..386a02a 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -9,6 +9,9 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
 
       - uses: tisonkun/actions-dco@f1024cd563550b5632e754df11b7d30b73be54a5 # v1.1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4862867..4cc0c4a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
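Review bot: The new `allowed-endpoints:` value in the commisery.yml hunk is a hand-written list rather than one taken from a recorded baseline, and the same hunk flips `egress-policy` straight from `audit` to `block`, so any host the Commisery step contacts beyond `api.github.com:443` now fails the job instead of appearing as an audit finding. The dco.yml hunk below has the same shape, giving the DCO check the same single endpoint. Before merging, confirm from the insights of an earlier `audit` run that both jobs only ever reached api.github.com:443; if either also performs a git fetch, `github.com:443` would need to be added as a second line under `allowed-endpoints: >`. The `disable-sudo: true` line is sound as written and needs no change.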
@@ -10,7 +10,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            crates.io:443
+            github.com:443
+            index.crates.io:443
+            static.crates.io:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Rust toolchain
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1589749..7700f81 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -10,7 +10,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            crates.io:443
+            github.com:443
+            index.crates.io:443
+            static.crates.io:443
 
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Setup Rust toolchain
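Review bot: The `allowed-endpoints:` list added in the lint.yml hunk (and repeated verbatim in the test.yml hunk) covers the crates.io hosts and github.com but not the Rust toolchain distribution host, while the `Setup Rust toolchain` step that follows is now run under `egress-policy: block`. That step's `uses:` line is outside the hunk, so this cannot be confirmed here, but if it installs the toolchain through rustup it needs `static.rust-lang.org:443`, and under `block` that download is refused rather than logged. If so, add `static.rust-lang.org:443` as a further line under `allowed-endpoints: >` in both files, keeping the existing alphabetical order. The insights of a prior `audit` run would settle which hosts these two jobs actually reach.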