feat(security): Enable block harden runner (#47)

jfagoagas · web-flow · commit 5303cc52ea47 · 2026-03-26T13:38:10.000+01:00
diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml
@@ -24,10 +24,10 @@ jobs:
       pull-requests: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
 
       - name: Check PR title format
         uses: agenthunt/conventional-commit-checker-action@f1823f632e95a64547566dcd2c7da920e67117ad # v2.0.1
diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml
@@ -14,6 +14,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  step-security-allowed-endpoints: >
+    ghcr.io:443
+    github.com:443
+    pkg-containers.githubusercontent.com:443
+
 jobs:
   scan-secrets:
     name: Scan for secrets
@@ -23,10 +29,11 @@ jobs:
       contents: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
@@ -12,6 +12,11 @@ on:
 
 permissions: {}
 
+env:
+  step-security-allowed-endpoints: >
+    api.github.com:443
+    github.com:443
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -27,10 +32,11 @@ jobs:
       issues: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}
 
       - name: Checkout PR head
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -14,6 +14,21 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  step-security-allowed-endpoints: >
+    api.github.com:443
+    auth.safetycli.com:443
+    cli.codecov.io:443
+    data.safetycli.com:443
+    files.pythonhosted.org:443
+    github.com:443
+    ingest.codecov.io:443
+    keybase.io:443
+    o26192.ingest.us.sentry.io:443
+    pypi.org:443
+    pyup.io:443
+    release-assets.githubusercontent.com:443
+
 jobs:
   build:
     name: Lint and test (Python ${{ matrix.python-version }})
@@ -25,10 +40,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -14,6 +14,13 @@ on:
 
 permissions: {}
 
+env:
+  step-security-allowed-endpoints: >
+    api.github.com:443
+    ghcr.io:443
+    github.com:443
+    pkg-containers.githubusercontent.com:443
+
 jobs:
   zizmor-pr:
     name: Run zizmor (PR)
@@ -23,10 +30,11 @@ jobs:
       contents: read
       actions: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -48,10 +56,11 @@ jobs:
       contents: read
       actions: read
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: ${{ env.step-security-allowed-endpoints }}
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
