Add hardened runner config for cacert publish workflow (#884)

adoptium · Apr 26, 2024 · 630493b · 630493b
1 parent 1f25c81
commit 630493b
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/.github/workflows/cacert-publish.yml b/.github/workflows/cacert-publish.yml
@@ -22,7 +22,20 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            adoptium.jfrog.io:443
+            api.github.com:443
+            auth.docker.io:443
+            deb.debian.org:80
+            github.com:443
+            objects.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            releases-cdn.jfrog.io:443
+            releases.jfrog.io:443
+            services.gradle.org:443
 
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4