
Commit 5897585

authored
fix: allowed domain (#294)
1 parent 2493688 commit 5897585

2 files changed

Lines changed: 7 additions & 10 deletions


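--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -65,6 +65,7 @@ on:
 jobs:
 build-and-push-image:
 permissions:
+artifact-metadata: write
 attestations: write
 contents: read
 id-token: write
@@ -81,24 +82,18 @@ jobs:
 disable-sudo: ${{ inputs.disable-sudo }}
 egress-policy: block
 allowed-endpoints: >
+*.docker.io:443
 *.githubapp.com:443
+*.githubusercontent.com:443
+*.sigstore.dev:443
 *.trivy.dev:443
 api.github.com:443
-auth.docker.io:443
+docker-images-prod.*.r2.cloudflarestorage.com:443
 download.docker.com:443
-fulcio.sigstore.dev:443
 ghcr.io:443
 github.com:443
-index.docker.io:443
 mirror.gcr.io:443
-objects.githubusercontent.com:443
-pkg-containers.githubusercontent.com:443
 production.cloudflare.docker.com:443
-raw.githubusercontent.com:443
-registry-1.docker.io:443
-rekor.sigstore.dev:443
-release-assets.githubusercontent.com:443
-tuf-repo-cdn.sigstore.dev:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -157,6 +152,7 @@ jobs:
 subject-name: ${{ inputs.registry }}/${{ inputs.image }}
 subject-digest: ${{ steps.build.outputs.digest }}
 push-to-registry: true
+create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
 - name: Run Trivy Scan
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
 if: inputs.scan-image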
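Review bot: Replacing the host-specific sigstore, githubusercontent and docker.io entries with `*.sigstore.dev:443`, `*.githubusercontent.com:443` and `*.docker.io:443` in the allowed-endpoints block widens the egress allowlist well beyond the hosts the build previously needed, and `*.githubusercontent.com` in particular covers hosts that serve user-uploaded content, which weakens what `egress-policy: block` is meant to enforce. If the wildcards are required because the Docker and sigstore CDN hostnames rotate, a comment above the block should record that, e.g. `# wildcards cover rotating docker.io / sigstore CDN hosts; prefer exact hosts where stable`, so the next reviewer does not tighten them back blindly. The new `docker-images-prod.*.r2.cloudflarestorage.com:443` entry places the wildcard mid-hostname; confirm that harden-runner's matcher accepts that form, since an entry that never matches leaves those pulls blocked without an obvious error. The `with:` mapping that holds this block begins and ends outside the hunk.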

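--- a/.github/workflows/local-auto-tagger-docker-bp.yml
+++ b/.github/workflows/local-auto-tagger-docker-bp.yml
@@ -8,6 +8,7 @@ on:
 jobs:
 build-push-docker-image:
 permissions:
+artifact-metadata: write
 attestations: write
 contents: read
 id-token: write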
