feat(security): block mode for hardened runners #12

	name: GitHub Actions Security Analysis

	on:
	push:
	branches:
	- "main"
	paths:
	- ".github/workflows/**"
	pull_request:
	branches:
	- "main"
	paths:
	- ".github/workflows/**"

	permissions: {}

	jobs:
	zizmor-pr:
	name: Run zizmor (PR)
	if: github.event_name == 'pull_request'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	actions: read
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
	with:
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	ghcr.io:443
	github.com:443
	pkg-containers.githubusercontent.com:443

	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Run zizmor
	uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
	with:
	advanced-security: "false"
	annotations: "true"

	zizmor-push:
	name: Run zizmor (push)
	if: github.event_name == 'push'
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	contents: read
	actions: read
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
	with:
	egress-policy: block
	allowed-endpoints: >
	api.github.com:443
	ghcr.io:443
	github.com:443
	pkg-containers.githubusercontent.com:443

	- name: Checkout repository
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Run zizmor
	uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2

Provide feedback