Commit 390e5be tylertitsworth
committed
1 parent 7fee6d5 commit 390e5be Copy full SHA for 390e5be
11 files changed +65
-27
lines changed Original file line number Diff line number Diff line change @@ -26,10 +26,14 @@ permissions: read-all
26
26
27
27
jobs :
28
28
group-diff :
29
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
29
+ runs-on : ubuntu-latest
30
30
outputs :
31
31
groups : ${{ steps.group-list.outputs.FOLDERS }}
32
32
steps :
33
+ - name : Harden Runner
34
+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
35
+ with :
36
+ egress-policy : audit
33
37
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
34
38
with :
35
39
fetch-depth : 0
59
63
DOCKER_COMPOSE_PATHS_JSON=$(printf '%s\n' "${DOCKER_COMPOSE_PATHS[@]}" | jq -R '.' | jq -sc 'unique_by(.)')
60
64
echo "FOLDERS=$DOCKER_COMPOSE_PATHS_JSON" >> $GITHUB_OUTPUT
61
65
62
- setup- build :
66
+ build :
63
67
needs : [group-diff]
64
68
runs-on : ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
65
69
if : needs.group-diff.outputs.groups != '[""]'
69
73
experimental : [true]
70
74
fail-fast : false
71
75
steps :
76
+ - name : Harden Runner
77
+ uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
78
+ with :
79
+ egress-policy : audit
72
80
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
73
81
- uses : eWaterCycle/setup-apptainer@4bb22c52d4f63406c49e94c804632975787312b3 # v2.0.0
74
82
with :
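Review bot: The Harden Runner step added to `group-diff` uses `egress-policy: audit`, which only logs outbound connections, while the same-shaped `group-diff`/`get-groups` jobs elsewhere in this commit move to `block` with a single `github.com:443` endpoint. This job's visible steps are a `fetch-depth: 0` checkout and a shell step that assembles `FOLDERS` locally, so it can presumably take the same policy: `egress-policy: block` followed by `allowed-endpoints: >` and `github.com:443`. Keeping `audit` on the `build` job is reasonable because it may run on the `intel-ubuntu-latest` label, where egress blocking on a self-hosted runner may behave differently — confirm before tightening. The `build` job's remaining steps continue past the hunk.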
Original file line number Diff line number Diff line change 63
63
setup-build :
64
64
outputs :
65
65
matrix : ${{ steps.build-matrix.outputs.matrix }}
66
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
66
+ runs-on : ubuntu-latest
67
67
steps :
68
68
- name : Harden Runner
69
69
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -112,7 +112,7 @@ jobs:
112
112
setup-scan :
113
113
needs : [build-containers]
114
114
if : ${{ github.event_name == 'pull_request' }}
115
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
115
+ runs-on : ubuntu-latest
116
116
outputs :
117
117
matrix : ${{ steps.scan-matrix.outputs.matrix }}
118
118
steps :
@@ -165,7 +165,7 @@ jobs:
165
165
# ###################################################################################################
166
166
setup-test :
167
167
needs : [build-containers]
168
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
168
+ runs-on : ubuntu-latest
169
169
outputs :
170
170
matrix : ${{ steps.test-matrix.outputs.matrix }}
171
171
steps :
Original file line number Diff line number Diff line change 36
36
- name : Harden Runner
37
37
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
38
38
with :
39
- egress-policy : audit
39
+ egress-policy : block
40
+ allowed-endpoints : >
41
+ api.deps.dev:443
42
+ api.github.com:443
43
+ api.securityscorecards.dev:443
44
+ github.com:443
40
45
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
41
46
- uses : actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
42
47
with :
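Review bot: The dependency-review job moves to `egress-policy: block` but does not set `disable-sudo: true`, which the scorecard job in this same commit does; a checkout followed by a JavaScript action does not appear to need root, so adding `disable-sudo: true` next to `egress-policy: block` applies the same least-privilege hardening here. Note that `block` turns any unlisted host into a hard failure rather than a degraded run, so a comment above the list such as `# hosts observed in a harden-runner audit run; re-run with egress-policy: audit if this step starts failing on egress` would help whoever has to refresh it. The job header and its `permissions:` block are outside this hunk.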
Original file line number Diff line number Diff line change 19
19
permissions : read-all
20
20
jobs :
21
21
setup-matrix :
22
- runs-on : intel- ubuntu-latest
22
+ runs-on : ubuntu-latest
23
23
outputs :
24
24
matrix : ${{ steps.set-matrix.outputs.matrix }}
25
25
steps :
Original file line number Diff line number Diff line change @@ -28,13 +28,18 @@ jobs:
28
28
runs-on : ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
29
29
permissions :
30
30
contents : read
31
- id-token : write
31
+ # id-token: write
32
32
pages : write
33
33
steps :
34
34
- name : Harden Runner
35
35
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
36
36
with :
37
- egress-policy : audit
37
+ egress-policy : block
38
+ allowed-endpoints : >
39
+ api.github.com:443
40
+ files.pythonhosted.org:443
41
+ github.com:443
42
+ pypi.org:443
38
43
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
39
44
- uses : actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
40
45
with :
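Review bot: Commenting out `id-token: write` leaves dead configuration in the `permissions:` block and, if a later step in this job deploys with `actions/deploy-pages` (the job keeps `pages: write`), that deployment will fail because deploy-pages mints an OIDC token and needs `id-token: write`. Either delete the commented line or restore the permission, and record the decision in a comment, e.g. `# id-token: write not needed: this job does not deploy via OIDC` if that is the case. The steps after `setup-python` are outside this hunk, so I cannot tell which applies.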
Original file line number Diff line number Diff line change @@ -21,14 +21,16 @@ concurrency:
21
21
cancel-in-progress : true
22
22
jobs :
23
23
group-diff :
24
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
24
+ runs-on : ubuntu-latest
25
25
outputs :
26
26
groups : ${{ steps.group-list.outputs.FOLDERS }}
27
27
steps :
28
28
- name : Harden Runner
29
29
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
30
30
with :
31
- egress-policy : audit
31
+ egress-policy : block
32
+ allowed-endpoints : >
33
+ github.com:443
32
34
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
33
35
with :
34
36
fetch-depth : 0
@@ -114,13 +116,9 @@ jobs:
114
116
recreate : true
115
117
status-check :
116
118
needs : [group-diff, pipeline-ci, merge-logs]
117
- runs-on : ${{ github.repository_owner == 'intel' && 'intel- ubuntu-latest' || 'ubuntu-latest' }}
119
+ runs-on : ubuntu-latest
118
120
if : always()
119
121
steps :
120
- - name : Harden Runner
121
- uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
122
- with :
123
- egress-policy : audit
124
122
- run : exit 1
125
123
if : >-
126
124
${{
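Review bot: The `status-check` job drops its Harden Runner step with no note saying why, while every other job in this commit gains or tightens one. That is defensible because the job's only visible step is `run: exit 1` behind an `if:`, but a comment such as `# no Harden Runner: this job performs no network egress` would stop a future reviewer from re-adding it and would flag that any step added later is unmonitored. The `if:` expression continues past the hunk.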
Original file line number Diff line number Diff line change @@ -27,13 +27,15 @@ jobs:
27
27
runs-on : ${{ github.repository_owner == 'intel' && 'intel-ubuntu-latest' || 'ubuntu-latest' }}
28
28
permissions :
29
29
contents : read
30
- actions : read
31
- statuses : write
30
+ # statuses: write
32
31
steps :
33
32
- name : Harden Runner
34
33
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
35
34
with :
36
- egress-policy : audit
35
+ egress-policy : block
36
+ allowed-endpoints : >
37
+ api.github.com:443
38
+ github.com:443
37
39
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
38
40
with :
39
41
fetch-depth : 0
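Review bot: Removing `actions: read` and commenting out `statuses: write` can break a later step that still calls the GitHub API — the `allowed-endpoints` list keeps `api.github.com:443`, which suggests one does — because with an explicit `permissions:` block every unlisted scope is `none`, so a status post or cross-run artifact read now returns 403 instead of succeeding. Either delete the commented line (it is dead config) or, if the token scopes are still needed, restore them with a comment naming the consumer, e.g. `statuses: write  # <step name> posts the commit status`. The steps after checkout are outside this hunk, so I cannot confirm which step, if any, needs these scopes.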
Original file line number Diff line number Diff line change 38
38
- name : Harden Runner
39
39
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
40
40
with :
41
- egress-policy : audit
41
+ disable-sudo : true
42
+ egress-policy : block
43
+ allowed-endpoints : >
44
+ api.deps.dev:443
45
+ api.github.com:443
46
+ api.osv.dev:443
47
+ api.scorecard.dev:443
48
+ api.securityscorecards.dev:443
49
+ auth.docker.io:443
50
+ fulcio.sigstore.dev:443
51
+ github.com:443
52
+ index.docker.io:443
53
+ oss-fuzz-build-logs.storage.googleapis.com:443
54
+ rekor.sigstore.dev:443
55
+ tuf-repo-cdn.sigstore.dev:443
56
+ www.bestpractices.dev:443
42
57
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
43
58
with :
44
59
persist-credentials : false
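Review bot: The scorecard allow-list pins fourteen hosts under `egress-policy: block`, but nothing records where the list came from, so a maintainer who sees the step fail on egress after a scorecard update has no way to tell a legitimate new endpoint from an unexpected one. A comment above the list, e.g. `# endpoints from a harden-runner audit run of the scorecard step; refresh by re-running with egress-policy: audit`, assuming that is how it was produced, would make the list maintainable. This is also the only job in the commit that sets `disable-sudo: true`; the other jobs that only run checkout plus a JavaScript action could presumably adopt it too.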
Original file line number Diff line number Diff line change 26
26
report :
27
27
runs-on : ubuntu-latest
28
28
steps :
29
- - name : Harden Runner
30
- uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
31
- with :
32
- egress-policy : audit
33
29
- uses : rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
34
30
with :
35
31
sarifReportDir : ${{ github.workspace }}
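Review bot: The `report` job loses Harden Runner entirely rather than keeping it in `audit` mode, so the third-party action it runs, `rsdmike/github-security-report-action`, becomes the only step in this commit with no egress monitoring at all. If it was removed because the action failed under `block` or its audit output was noisy, keeping `egress-policy: audit` costs nothing and preserves the connection trace; otherwise a comment such as `# Harden Runner omitted: <reason>` should explain the exception. The action's remaining inputs continue past the hunk.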
Original file line number Diff line number Diff line change 68
68
- name : Harden Runner
69
69
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
70
70
with :
71
- egress-policy : audit
71
+ egress-policy : block
72
+ allowed-endpoints : >
73
+ api.github.com:443
74
+ coveralls.io:443
75
+ files.pythonhosted.org:443
76
+ github.com:443
77
+ objects.githubusercontent.com:443
78
+ pypi.org:443
72
79
- uses : coverallsapp/github-action@643bc377ffa44ace6394b2b5d0d3950076de9f63 # v2.3.0
73
80
with :
74
81
parallel-finished : true
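Review bot: The allow-list for the coveralls step includes `pypi.org:443` and `files.pythonhosted.org:443`, which only a `pip install` would need; if this job's earlier steps (outside the hunk) do not install Python packages, those two hosts widen the egress policy beyond what `coverallsapp/github-action` uses and should be dropped to keep the list least-privilege. `objects.githubusercontent.com:443` is consistent with the action fetching its reporter binary from a GitHub release, so that entry presumably belongs. A comment noting which step needs each host would make future pruning safe.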
Original file line number Diff line number Diff line change 20
20
permissions : read-all
21
21
jobs :
22
22
get-groups :
23
- runs-on : intel- ubuntu-latest
23
+ runs-on : ubuntu-latest
24
24
outputs :
25
25
groups : ${{ steps.group-list.outputs.FOLDERS }}
26
26
steps :
27
27
- name : Harden Runner
28
28
uses : step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
29
29
with :
30
- egress-policy : audit
30
+ egress-policy : block
31
+ allowed-endpoints : >
32
+ github.com:443
31
33
- uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
32
34
- name : Output Group Directories
33
35
id : group-list