
Commit 390e5be

author
tylertitsworth
committed
optimize and update labels
Signed-off-by: tylertitsworth <tyler.titsworth@intel.com>
1 parent 7fee6d5 commit 390e5be

11 files changed

+65
-27
lines changed

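--- a/.github/workflows/apptainer-ci.yaml
+++ b/.github/workflows/apptainer-ci.yaml
@@ -26,10 +26,14 @@ permissions: read-all
 
 jobs:
 group-diff:
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 outputs:
 groups: ${{ steps.group-list.outputs.FOLDERS }}
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
@@ -59,7 +63,7 @@ jobs:
 DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)')
 echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
 
-setup-build:
+build:
 needs: [group-diff]
 runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 if: needs.group-diff.outputs.groups != '[""]'
@@ -69,6 +73,10 @@ jobs:
 experimental: [true]
 fail-fast: false
 steps:
+- name: Harden Runner
+uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+with:
+egress-policy: audit
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: eWaterCycle/setup-apptainer@4bb22c52d4f63406c49e94c804632975787312b3 # v2.0.0
 with: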
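Review bot: Both Harden Runner steps added in this file (group-diff in the first hunk, build in the third) stay on `egress-policy: audit`, while the equivalent group-diff jobs in integration-test.yaml and weekly-test.yaml are moved to block mode in the same commit. group-diff here does the same checkout plus a jq listing written to FOLDERS, so it could take the same allow-list: `egress-policy: block`, `allowed-endpoints: >`, `github.com:443`. For the build job audit is presumably deliberate, since an Apptainer build reaches endpoints not visible in this hunk; a short comment above the step saying so would stop a later reader from tightening it blindly. The build job's step list continues outside the hunk.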

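--- a/.github/workflows/container-ci.yaml
+++ b/.github/workflows/container-ci.yaml
@@ -63,7 +63,7 @@ jobs:
 setup-build:
 outputs:
 matrix: ${{ steps.build-matrix.outputs.matrix }}
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -112,7 +112,7 @@ jobs:
 setup-scan:
 needs: [build-containers]
 if: ${{ github.event_name == 'pull_request' }}
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 outputs:
 matrix: ${{ steps.scan-matrix.outputs.matrix }}
 steps:
@@ -165,7 +165,7 @@ jobs:
 ####################################################################################################
 setup-test:
 needs: [build-containers]
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 outputs:
 matrix: ${{ steps.test-matrix.outputs.matrix }}
 steps: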

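--- a/.github/workflows/dependency-review.yaml
+++ b/.github/workflows/dependency-review.yaml
@@ -36,7 +36,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+api.deps.dev:443
+api.github.com:443
+api.securityscorecards.dev:443
+github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
 with: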
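Review bot: `disable-sudo: true` is added to the Harden Runner step in scorecard.yaml in this commit but not here, although checkout and dependency-review-action are the only steps visible and neither should need sudo; adding `disable-sudo: true` above `egress-policy: block` would keep the two security workflows consistent. The new `allowed-endpoints` lists here and in docs.yaml, integration-test.yaml, lint.yaml, scorecard.yaml, test-runner-ci.yaml and weekly-test.yaml carry no note of how they were derived, so a later maintainer cannot tell whether an entry is still needed; a one-line comment above each list stating its origin (for example the earlier audit-mode logs) and that it must be re-checked whenever one of the pinned actions is bumped would make additions and prunings reviewable. The job's remaining steps are outside the hunk.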

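--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -19,7 +19,7 @@ on:
 permissions: read-all
 jobs:
 setup-matrix:
-runs-on: intel-ubuntu-latest
+runs-on: ubuntu-latest
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps: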

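--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -28,13 +28,18 @@ jobs:
 runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 permissions:
 contents: read
-id-token: write
+# id-token: write
 pages: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+files.pythonhosted.org:443
+github.com:443
+pypi.org:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with: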
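Review bot: `# id-token: write` removes the OIDC token while `pages: write` is kept; if a step outside this hunk publishes with actions/deploy-pages, that action requires `id-token: write` and the deployment will fail with a permissions error, so the removal should be checked against the job's later steps before merging. Commenting a permission out instead of deleting it also leaves dead configuration with no explanation; either drop the line or replace it with a comment stating why the token is no longer needed, and the same applies to `# statuses: write` in lint.yaml. The job's steps continue beyond the hunk.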

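--- a/.github/workflows/integration-test.yaml
+++ b/.github/workflows/integration-test.yaml
@@ -21,14 +21,16 @@ concurrency:
 cancel-in-progress: true
 jobs:
 group-diff:
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 outputs:
 groups: ${{ steps.group-list.outputs.FOLDERS }}
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0
@@ -114,13 +116,9 @@ jobs:
 recreate: true
 status-check:
 needs: [group-diff, pipeline-ci, merge-logs]
-runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
+runs-on: ubuntu-latest
 if: always()
 steps:
-- name: Harden Runner
-uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-with:
-egress-policy: audit
 - run: exit 1
 if: >-
 ${{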
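Review bot: In the second hunk the Harden Runner step is deleted from status-check rather than tightened; the only step left visible is a conditional `run: exit 1`, which needs no network at all, so this job is the cheapest candidate for `egress-policy: block` with no `allowed-endpoints`, and dropping the step instead leaves it as the one job in this workflow without egress monitoring. The same deletion is made in security-report.yaml, where the report action presumably talks to the GitHub API, so a short allow-list would be the fit there rather than removing the step. status-check's `if:` expression continues past the end of the hunk.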

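--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -27,13 +27,15 @@ jobs:
 runs-on: ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
 permissions:
 contents: read
-actions: read
-statuses: write
+# statuses: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 fetch-depth: 0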

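--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -38,7 +38,22 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+disable-sudo: true
+egress-policy: block
+allowed-endpoints: >
+api.deps.dev:443
+api.github.com:443
+api.osv.dev:443
+api.scorecard.dev:443
+api.securityscorecards.dev:443
+auth.docker.io:443
+fulcio.sigstore.dev:443
+github.com:443
+index.docker.io:443
+oss-fuzz-build-logs.storage.googleapis.com:443
+rekor.sigstore.dev:443
+tuf-repo-cdn.sigstore.dev:443
+www.bestpractices.dev:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
 persist-credentials: false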

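--- a/.github/workflows/security-report.yaml
+++ b/.github/workflows/security-report.yaml
@@ -26,10 +26,6 @@ jobs:
 report:
 runs-on: ubuntu-latest
 steps:
-- name: Harden Runner
-uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
-with:
-egress-policy: audit
 - uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
 with:
 sarifReportDir: ${{ github.workspace }}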

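--- a/.github/workflows/test-runner-ci.yaml
+++ b/.github/workflows/test-runner-ci.yaml
@@ -68,7 +68,14 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+api.github.com:443
+coveralls.io:443
+files.pythonhosted.org:443
+github.com:443
+objects.githubusercontent.com:443
+pypi.org:443
 - uses: coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
 with:
 parallel-finished: true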
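Review bot: The new allow-list admits `pypi.org:443`, `files.pythonhosted.org:443` and `objects.githubusercontent.com:443`, yet the only step visible after Harden Runner is the coveralls finish call (`parallel-finished: true`), which should need `coveralls.io:443` and `api.github.com:443` at most; unless steps outside the hunk install Python packages, those three entries widen block mode for no benefit and should be removed. The job header and any earlier steps lie outside this hunk, so confirm against the full job before pruning.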

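--- a/.github/workflows/weekly-test.yaml
+++ b/.github/workflows/weekly-test.yaml
@@ -20,14 +20,16 @@ on:
 permissions: read-all
 jobs:
 get-groups:
-runs-on: intel-ubuntu-latest
+runs-on: ubuntu-latest
 outputs:
 groups: ${{ steps.group-list.outputs.FOLDERS }}
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
-egress-policy: audit
+egress-policy: block
+allowed-endpoints: >
+github.com:443
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Output Group Directories
 id: group-list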
