From 2f0e32249608f1f2deab8113a8ca9a09f0ec9c73 Mon Sep 17 00:00:00 2001
From: Rohan Kumar
Date: Fri, 13 Jan 2023 19:15:50 +0530
Subject: [PATCH] ci : Modify Harden Runner action egress-policy to block

Harden Runner action seems to restrict outgoing traffic to only a specific set of allowed endpoints. Initial mode `audit` generates a report on https://app.stepsecurity.io/ that recommends what endpoints are accessed during workflow run.

Signed-off-by: Rohan Kumar
---
 .github/workflows/license.yml | 8 +++++++-
 .github/workflows/quickstarts.yml | 19 ++++++++++++++++++-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
index e896b86125..3f616f12b9 100644
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -31,7 +31,13 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.adoptopenjdk.net:443
+ github.com:443
+ objects.githubusercontent.com:443
+ repo.maven.apache.org:443
 - name: Checkout
 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
diff --git a/.github/workflows/quickstarts.yml b/.github/workflows/quickstarts.yml
index b5cec20132..93b2370d71 100644
--- a/.github/workflows/quickstarts.yml
+++ b/.github/workflows/quickstarts.yml
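Review bot: The host list under `allowed-endpoints:` is left undocumented, and with `egress-policy: block` every host not on it is denied, so a new Maven repository or a changed JDK download host will show up as a blocked connection rather than a readable build error; the same applies to the quickstarts.yml hunk. The commit message says the set came from Harden Runner's audit report, so record that next to the key, e.g. `# Hosts taken from the Harden Runner audit report; extend this list when a step needs a new endpoint`. `disable-sudo: true` also means any later step in this job that invokes sudo will now fail; the rest of the job is outside the hunk, so confirm none does.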
@@ -31,7 +31,24 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@18bf8ad2ca49c14cbb28b91346d626ccfb00c518
 with:
- egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ access.redhat.com:443
+ api.adoptopenjdk.net:443
+ downloads.gradle-dn.com:443
+ github.com:443
+ jcenter.bintray.com:443
+ maven.repository.redhat.com:443
+ objects.githubusercontent.com:443
+ oss.sonatype.org:443
+ plugins-artifacts.gradle.org:443
+ plugins.gradle.org:443
+ repo.gradle.org:443
+ repo.maven.apache.org:443
+ repo1.maven.org:443
+ repository.jboss.org:443
+ services.gradle.org:443
 - name: Checkout
 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
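Review bot: `jcenter.bintray.com:443` is allow-listed, which keeps the quickstart builds resolving from a repository that JFrog stopped accepting new artifacts into in 2021; the allow-list entry is not itself a risk, but it indicates a Gradle build still pointed at JCenter, where dependencies can no longer receive updates. Confirm the quickstart builds actually need it (their Gradle configuration is outside this hunk) and drop the line if they do not, so the egress list stays as small as the commit intends. The `with:` block is otherwise consistent with the license.yml hunk.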