From ac85c674ca25631e6ef61e34ae06c441b070f9a3 Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Mon, 15 Jan 2024 11:15:02 -0500
Subject: [PATCH 1/4] update allowed sockets
---
 .github/workflows/add-to-project.yml | 6 +++++-
 .github/workflows/bump-version.yml | 7 ++++++-
 .github/workflows/codeql-analysis.yml | 10 +++++++++-
 .github/workflows/dependency-review.yml | 2 ++
 .github/workflows/first_pull_request.yml | 5 ++++-
 .github/workflows/label_on_approval.yml | 6 +++++-
 .github/workflows/upstream.yml | 3 +++
 7 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
index 24f7c6b50..f0cfbc6f0 100644
--- a/.github/workflows/add-to-project.yml
+++ b/.github/workflows/add-to-project.yml
@@ -19,7 +19,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+
 - uses: actions/add-to-project@v0.5.0
 with:
 project-url: https://github.com/orgs/Ouranosinc/projects/6
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 147ae1c30..1998610ae 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -36,7 +36,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
 - uses: actions/checkout@v4.1.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index e26f7942e..6b1097b66 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,7 +39,15 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pypi.org:443
+ uploads.github.com:443
 - name: Checkout repository
 uses: actions/checkout@v4.1.1
 # Initializes the CodeQL tools for scanning.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 19c43a455..368b283c9 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,7 +23,9 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 github.com:443
+
 - name: 'Checkout Repository'
 uses: actions/checkout@v4.1.1
+
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@v3.1.4
diff --git a/.github/workflows/first_pull_request.yml b/.github/workflows/first_pull_request.yml
index f3f44a97a..73a474813 100644
--- a/.github/workflows/first_pull_request.yml
+++ b/.github/workflows/first_pull_request.yml
@@ -19,7 +19,10 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
 
 - uses: actions/github-script@v7.0.1
 with:
diff --git a/.github/workflows/label_on_approval.yml b/.github/workflows/label_on_approval.yml
index d3eb0017e..89e5da8e6 100644
--- a/.github/workflows/label_on_approval.yml
+++ b/.github/workflows/label_on_approval.yml
@@ -28,7 +28,11 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+
 - name: Label Approved
 uses: actions/github-script@v7.0.1
 with:
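Review bot: The codeql-analysis allowlist now names six hosts with no record of which step needs which, and `uploads.github.com:443` in particular is not self-explanatory to a reader who later has to decide whether an entry can be dropped. If it is there for the database/SARIF upload performed by the CodeQL analyze step (which lies outside this hunk), say so in a comment placed on the line above `allowed-endpoints: >`, e.g. `# uploads.github.com: CodeQL result/database upload by the analyze step -- confirm`; a `#` line inside the `>` block would be folded into the value handed to the action rather than treated as a comment. The same one-line-per-host rationale would help the other allowlists in this series, where the job bodies that justify each entry are likewise not visible in the hunks.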
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index c9f68363f..2c6a39b10 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -46,11 +46,14 @@ jobs:
 egress-policy: block
 allowed-endpoints: >
 api.github.com:443
+ conda.anaconda.org:443
+ dap.service.does.not.exist:443
 files.pythonhosted.org:443
 github.com:443
 objects.githubusercontent.com:443
 pypi.org:443
 raw.githubusercontent.com:443
+ repo.anaconda.com:443
 - uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 0 # Fetch all history for all branches and tags.
From 393f0837dbec600c08c613f875b78ce44765a833 Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Mon, 15 Jan 2024 11:17:06 -0500
Subject: [PATCH 2/4] add exceptions for markdown templates
---
 .github/workflows/bump-version.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
index 1998610ae..298681104 100644
--- a/.github/workflows/bump-version.yml
+++ b/.github/workflows/bump-version.yml
@@ -6,6 +6,7 @@ on:
 - master
 paths-ignore:
 - .*
+ - .github/*/*.md
 - .github/*/*.yml
 - CHANGES.rst
 - Makefile
From d18fd9533258c31e4f6f5fbaf4cd1fa3527018dd Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Mon, 15 Jan 2024 11:31:11 -0500
Subject: [PATCH 3/4] update black socket exceptions
---
 .github/workflows/main.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3eed4fce3..406014fb5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
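Review bot: `dap.service.does.not.exist:443` is added to a block-policy allowlist under a name that says the host is not meant to resolve, and nothing in the hunk records why it belongs there. If it is deliberate (for example so a test that dials an unreachable DAP server fails on DNS rather than on the runner's egress filter), document that on the line above `allowed-endpoints: >`, e.g. `# dap.service.does.not.exist is expected never to resolve; listed so the test sees a DNS failure, not an egress block -- confirm`; a `#` line inside the `>` block would become part of the value passed to the action rather than a comment. If it is a leftover from debugging, drop the entry so the allowlist stays a list of hosts this job actually needs.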
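Review bot: `.github/*/*.md` in `paths-ignore` only matches Markdown files exactly one directory below `.github`, because `*` in GitHub's path filters does not cross `/`; a template placed directly in `.github/` or nested any deeper would still trigger the bump-version run. If the intent, per the subject line, is every Markdown template under `.github`, `- .github/**/*.md` covers all depths, and the existing `.github/*/*.yml` line has the same limitation. The enclosing `on:` block begins before the hunk, so other filters may already narrow this.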
@@ -46,7 +46,12 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
 - uses: actions/checkout@v4.1.1
 - name: Set up Python${{ matrix.python-version }}
 uses: actions/setup-python@v5.0.0
From cf37633005b4f58a56685608a1c93296e0430d83 Mon Sep 17 00:00:00 2001
From: Zeitsperre <10819524+Zeitsperre@users.noreply.github.com>
Date: Mon, 15 Jan 2024 12:05:44 -0500
Subject: [PATCH 4/4] update CHANGES.rst
---
 CHANGES.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 604c4913e..461bb18b1 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
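Review bot: The new allowlist holds only `files.pythonhosted.org:443`, `github.com:443` and `pypi.org:443`, yet the step right after it is `actions/setup-python@v5.0.0`; when the requested `matrix.python-version` is not already in the hosted toolcache, setup-python fetches its version manifest and archive from GitHub content hosts (the same `raw.githubusercontent.com:443` and `objects.githubusercontent.com:443` that the upstream.yml allowlist in this series carries), which `egress-policy: block` would now refuse. Confirm from a run of this job under the new policy which hosts it actually contacts; if a download happens, add those two entries alongside the three above. The job's remaining steps lie outside the hunk, so further endpoints may be needed beyond what is visible here.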
@@ -34,7 +34,7 @@ Internal changes
 ^^^^^^^^^^^^^^^^
 * The `flake8` configuration has been migrated from `setup.cfg` to `.flake8`; `setup.cfg` has been removed. (:pull:`1569`)
 * The `bump-version.yml` workflow has been adjusted to bump the `patch` version when the last version is determined to have been a `release` version; otherwise, the `build` version is bumped. (:issue:`1557`, :pull:`1569`).
-* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`).
+* The GitHub Workflows now use the `step-security/harden-runner` action to monitor source code, actions, and dependency safety. All workflows now employ more constrained permissions rule sets to prevent security issues. (:pull:`1577`, :pull:`1578`, :pull:`1597`).
 * Updated the CONTRIBUTING.rst directions to showcase the new versioning system. (:issue:`1557`, :pull:`1573`).
 * The `codespell` library is now a development dependency for the `dev` installation recipe with configurations found within `pyproject.toml`. This is also now a linting step and integrated as a `pre-commit` hook. For more information, see the `codespell documentation `_ (:pull:`1576`).