actions: update deploy egress policy + refactor error-throwing route (#598)

Signed-off-by: flakey5 <[email protected]>

Author: flakey5

.github/workflows/deploy.yml

@@ -15,14 +15,15 @@ jobs:
     steps:
       - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
-          egress-policy: audit
-          # allowed-endpoints: >
-          #   sparrow.cloudflare.com:443
-          #   api.cloudflare.com:443
-          #   api.github.com:443
-          #   github.com:443
-          #   hooks.slack.com:443
-          #   registry.npmjs.org:443
+          egress-policy: block
+          allowed-endpoints: >
+            sparrow.cloudflare.com:443
+            api.cloudflare.com:443
+            api.github.com:443
+            github.com:443
+            hooks.slack.com:443
+            registry.npmjs.org:443
+            sentry.io:443
 
       - name: Git Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

src/middleware/throwMiddleware.ts

@@ -0,0 +1,10 @@
+import type { Middleware } from './middleware';
+
+/**
+ * Middleware that exists just to throw an error
+ */
+export class ThrowMiddleware implements Middleware {
+  handle(): Promise<Response> {
+    throw new Error('Throw endpoint hit');
+  }
+}

src/routes/index.ts

@@ -7,6 +7,7 @@ import { OriginMiddleware } from '../middleware/originMiddleware';
 import { R2Middleware } from '../middleware/r2Middleware';
 import { RedirectionMiddleware } from '../middleware/redirectionMiddleware';
 import { SubtitutionMiddleware } from '../middleware/subtituteMiddleware';
+import { ThrowMiddleware } from '../middleware/throwMiddleware';
 import type { Router } from './router';
 
 export function registerRoutes(router: Router): void {
@@ -63,6 +64,8 @@ export function registerRoutes(router: Router): void {
     originMiddleware,
   ]);
 
+  router.post('/_throw', [new ThrowMiddleware()]);
+
   router.get('*', [new NotFoundMiddleware()]);
 
   router.all('*', [new MethodNotAllowedMiddleware()]);

src/routes/router.ts

@@ -56,6 +56,14 @@ export class Router {
       return callMiddlewareChain(middlewareChain, req, ctx, unsubstitutedUrl);
     });
   }
+
+  post(endpoint: string, middlewares: Middleware[]): void {
+    const middlewareChain = buildMiddlewareChain(middlewares);
+
+    this.itty.post(endpoint, (req, ctx, unsubstitutedUrl) => {
+      return callMiddlewareChain(middlewareChain, req, ctx, unsubstitutedUrl);
+    });
+  }
 }
 
 type MiddlewareChain = (

src/worker.ts

@@ -45,13 +45,6 @@ export default {
         execution: ctx,
       };
 
-      if (
-        env.ENVIRONMENT === 'staging' &&
-        request.url === '/_657ee98d-f9d3-46cd-837b-f58a88add70a'
-      ) {
-        throw new Error('sentry source map testing');
-      }
-
       return await router.handle(request, context);
     } catch (e) {
       // Send to sentry, if it's disabled this will just noop