Block outbound calls from ci runners to unallowed endpoints

Author: spoorcc

.github/workflows/build.yml

@@ -22,10 +22,26 @@ jobs:
       security-events: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            packages.microsoft.com:443
+            azure.archive.ubuntu.com:80
+            esm.ubuntu.com:443
+            index.rubygems.org:443
+            rubygems.org:443
+            community.chocolatey.org:443
+            community.chocolatey.org:80
+            packages.chocolatey.org:443
+            api.nuget.org:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -207,10 +223,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
       uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
       with:
-        egress-policy: audit
+        egress-policy: block
+        allowed-endpoints: >+
+          github.com:443
+          api.github.com:443
+          release-assets.githubusercontent.com:443
+          pypi.org:443
+          files.pythonhosted.org:443
+
 
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:

.github/workflows/codeql-analysis.yml

@@ -34,10 +34,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
       uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
       with:
-        egress-policy: audit
+        egress-policy: block
+        allowed-endpoints: >+
+          github.com:443
+          api.github.com:443
+          release-assets.githubusercontent.com:443
 
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/dependency-review.yml

@@ -16,10 +16,13 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            api.github.com:443
+            github.com:443
 
       - name: 'Checkout Repository'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/devcontainer.yml

@@ -15,10 +15,36 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            _http._tcp.deb.debian.org:443
+            *.data.mcr.microsoft.com:443
+            api.github.com:443
+            auth.docker.io:443
+            containers.dev:443
+            deb.debian.org:443
+            deb.debian.org:80
+            debian.map.fastlydns.net:443
+            debian.map.fastlydns.net:80
+            dl.google.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            go.dev:443
+            index.rubygems.org:443
+            mcr.microsoft.com:443
+            nodejs.org:443
+            plantuml.com:443
+            plantuml.com:80
+            production.cloudflare.docker.com:443
+            proxy.golang.org:443
+            pypi.org:443
+            registry-1.docker.io:443
+            registry.npmjs.org:443
+            rubygems.org:443
+            storage.googleapis.com:443
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/docs.yml

@@ -16,10 +16,17 @@ jobs:
     name: Documentation
     runs-on: ubuntu-latest
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
       uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
       with:
-        egress-policy: audit
+        egress-policy: block
+        allowed-endpoints: >+
+          github.com:443
+          pypi.org:443
+          files.pythonhosted.org:443
+          plantuml.com:80
+          plantuml.com:443
+          www.plantuml.com:80
 
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
@@ -41,10 +48,17 @@ jobs:
     name: Landing page
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            plantuml.com:80
+            plantuml.com:443
+            www.plantuml.com:80
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -75,10 +89,26 @@ jobs:
     permissions:
       contents: write
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            _http._tcp.azure.archive.ubuntu.com:443
+            _https._tcp.archive.ubuntu.com:443
+            _https._tcp.security.ubuntu.com:443
+            archive.ubuntu.com:443
+            azure.archive.ubuntu.com:443
+            azure.archive.ubuntu.com:80
+            files.pythonhosted.org:443
+            github.com:443
+            api.github.com:443
+            uploads.github.com:443
+            plantuml.com:443
+            plantuml.com:80
+            pypi.org:443
+            security.ubuntu.com:443
+            www.plantuml.com:80
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/python-publish.yml

@@ -20,10 +20,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden the runner (Audit all outbound calls)
+    - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
       uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
       with:
-        egress-policy: audit
+        egress-policy: block
+        allowed-endpoints: >+
+          github.com:443
+          api.github.com:443
+          release-assets.githubusercontent.com:443
+          pypi.org:443
+          files.pythonhosted.org:443
 
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:

.github/workflows/release.yml

@@ -23,7 +23,12 @@ jobs:
     steps:
       - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            uploads.github.com:443
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:

.github/workflows/run.yml

@@ -15,10 +15,19 @@ jobs:
       security-events: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            release-assets.githubusercontent.com:443
+            pypi.org:443
+            files.pythonhosted.org:443
+            community.chocolatey.org:443
+            community.chocolatey.org:80
+            packages.chocolatey.org:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -73,10 +82,58 @@ jobs:
       security-events: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            _http._tcp.azure.archive.ubuntu.com:443
+            _https._tcp.archive.ubuntu.com:443
+            _https._tcp.dl.google.com:443
+            _https._tcp.esm.ubuntu.com:443
+            _https._tcp.motd.ubuntu.com:443
+            _https._tcp.packages.microsoft.com:443
+            _https._tcp.security.ubuntu.com:443
+            0.pool.ntp.org:443
+            api.apple-cloudkit.com:443
+            api.github.com:443
+            archive.ubuntu.com:443
+            azure.archive.ubuntu.com:443
+            azure.archive.ubuntu.com:80
+            cfhcable.dl.sourceforge.net:443
+            community.chocolatey.org:443
+            community.chocolatey.org:80
+            cytranet-dal.dl.sourceforge.net:443
+            dc.services.visualstudio.com:443
+            dl.google.com:443
+            downloads.sourceforge.net:443
+            esm.ubuntu.com:443
+            fe2cr.update.microsoft.com:443
+            files.pythonhosted.org:443
+            formulae.brew.sh:443
+            gdmf.apple.com:443
+            ghcr.io:443
+            gigenet.dl.sourceforge.net:443
+            github.com:443
+            init.itunes.apple.com:443
+            mask.icloud.com:443
+            mesu.apple.com:443
+            mirrors.ctan.org:443
+            mobile.events.data.microsoft.com:443
+            motd.ubuntu.com:443
+            netactuate.dl.sourceforge.net:443
+            ocsp.sectigo.com:80
+            ocsp2.apple.com:443
+            packages.chocolatey.org:443
+            packages.microsoft.com:443
+            pilotfiber.dl.sourceforge.net:443
+            pkg-containers.githubusercontent.com:443
+            psychz.dl.sourceforge.net:443
+            pypi.org:443
+            release-assets.githubusercontent.com:443
+            security.ubuntu.com:443
+            sourceforge.net:443
+            ziglang.org:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/scorecard.yml

@@ -26,10 +26,21 @@ jobs:
       id-token: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            raw.githubusercontent.com:443
+            codeload.github.com:443
+            uploads.github.com:443
+            api.osv.dev:443
+            www.bestpractices.dev:443
+            api.securityscorecards.dev:443
+            rekor.sigstore.dev:443
+            fulcio.sigstore.dev:443
 
       - name: "Checkout code"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/test.yml

@@ -10,10 +10,41 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          # dfetch.invalid and giiiiiidhub.com are intentionally invalid test
+          # domains used to verify network blocking/allowlist behaviour in the
+          # feature tests; they are never reachable from the runner.
+          allowed-endpoints: >+
+            _http._tcp.azure.archive.ubuntu.com:443
+            _https._tcp.archive.ubuntu.com:443
+            _https._tcp.dl.google.com:443
+            _https._tcp.esm.ubuntu.com:443
+            _https._tcp.motd.ubuntu.com:443
+            _https._tcp.packages.microsoft.com:443
+            _https._tcp.security.ubuntu.com:443
+            api.codacy.com:443
+            archive.ubuntu.com:443
+            artifacts.codacy.com:443
+            azure.archive.ubuntu.com:443
+            azure.archive.ubuntu.com:80
+            coverage.codacy.com:443
+            dfetch.invalid:443
+            dl.google.com:443
+            esm.ubuntu.com:443
+            files.pythonhosted.org:443
+            giiiiiidhub.com:443
+            github.com:22
+            github.com:443
+            motd.ubuntu.com:443
+            packages.microsoft.com:443
+            pypi.org:443
+            release-assets.githubusercontent.com:443
+            security.ubuntu.com:443
+            svn.code.sf.net:3690
+            svn.code.sf.net:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2