sarg3nt · sarg3nt · Oct 31, 2024 · Oct 30, 2024 · Oct 31, 2024 · Oct 31, 2024
@@ -20,7 +20,12 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            api.securityscorecards.dev:443
+            github.com:443
 
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

@@ -28,8 +28,8 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
+          disable-sudo: true
           egress-policy: audit
-
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -79,7 +79,7 @@ jobs:
         id: create_release
         uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5
         with:
-          body: "A Weekly release contianing upgrades to system packages in the base Rocker Linux container."
+          body: "A Weekly release contianing upgrades to system packages in the base Rocky Linux container."
           makeLatest: true
           prerelease: false
           tag: ${{ env.VERSION }}
@@ -96,6 +96,4 @@ jobs:
         uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
         with:
           push: true
-          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
-        env: 
-          GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          tags: ${{ env.TAG_MAJOR }},${{ env.TAG_MINOR }},${{ env.TAG_PATCH }},${{ env.TAG_LATEST }}
@@ -24,52 +24,7 @@ jobs:
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
           disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            auth.docker.io:443
-            cdn.dl.k8s.io:443
-            codecs.fedoraproject.org:443
-            distro.ibiblio.org:80
-            dl.google.com:443
-            dl.k8s.io:443
-            download.docker.com:443
-            epel.mirror.shastacoe.net:443
-            ftp-nyc.osuosl.org:443
-            ftp.agdsn.de:80
-            ftp.fau.de:80
-            ftp.halifax.rwth-aachen.de:443
-            ftp.plusline.net:443
-            get.helm.sh:443
-            ghcr.io:443
-            github.com:443
-            gitlab.com:443
-            mirror.chpc.utah.edu:80
-            mirror.informatik.hs-fulda.de:443
-            mirror.rnet.missouri.edu:80
-            mirror.siena.edu:80
-            mirror1.hs-esslingen.de:443
-            mirrors.fedoraproject.org:443
-            mirrors.rit.edu:80
-            mirrors.rockylinux.org:443
-            mirrors.xtom.de:80
-            mise-versions.jdx.dev:80
-            mise.jdx.dev:80
-            objects.githubusercontent.com:443
-            ohioix.mm.fcix.net:80
-            pkg-containers.githubusercontent.com:443
-            production.cloudflare.docker.com:443
-            proxy.golang.org:443
-            raw.githubusercontent.com:443
-            registry-1.docker.io:443
-            repo.ialab.dsu.edu:80
-            rocky-linux-europe-west3.production.gcp.mirrors.ctrliq.cloud:443
-            rocky.mirror.shastacoe.net:443
-            sftp.hpc.fau.edu:443
-            sum.golang.org:443
-            us.mirrors.cicku.me:443
-            volico.mm.fcix.net:80
-
+          egress-policy: audit
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with:
@@ -99,6 +54,4 @@ jobs:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-        env:  
-          GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          labels: ${{ steps.meta.outputs.labels }}
@@ -34,7 +34,19 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.deps.dev:443
+            api.github.com:443
+            api.osv.dev:443
+            api.scorecard.dev:443
+            fulcio.sigstore.dev:443
+            github.com:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
 
       - name: "Checkout code"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

@@ -33,8 +33,8 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
         with:
+          disable-sudo: true
           egress-policy: audit
-
       - name: Log into registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 
         with:
@@ -50,8 +50,6 @@ jobs:
         with:
           push: false
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
-        env: 
-          GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2