feat(harden-runner): move to inline block policies (#636)

egibs · web-flow · commit 42f65a4495aa · 2026-03-26T11:14:14.000-07:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -22,7 +22,12 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            *.blob.core.windows.net:443
+            *.githubapp.com:443
+            api.github.com:443
+            github.com:443
 
       - name: Check out code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/digestabot.yaml b/.github/workflows/digestabot.yaml
@@ -21,7 +21,20 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            *.blob.core.windows.net:443
+            *.githubapp.com:443
+            api.github.com:443
+            cgr.dev:443
+            fulcio.sigstore.dev:443
+            gcr.io:443
+            ghcr.io:443
+            github.com:443
+            octo-sts.dev:443
+            rekor.sigstore.dev:443
+            release-assets.githubusercontent.com:443
+            tuf-repo-cdn.sigstore.dev:443
 
       - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts
