Skip to content

Commit

Permalink
ci: update Testing workflow with harden-runner recommendations (#4114)
Browse files Browse the repository at this point in the history 
This commit updates the Testing workflow (testing.yml) using
recommendations from Step Security's harden-runner action.
Recommendations were taken from the most recent Testing workflow run
(6232, see links below) where all jobs ran with only the 'Get Yesterday's
cached database if today's is not available' step not running on
relevant jobs.

As harden-runner only runs on Ubuntu VMs, a job-level permission
was added to the 'Windows long test' job to account for the removal of
the top-level workflow permission.

As the Build job has only recently been added, the `egress-policy` key
has been left with the value `audit`. The harden-runner recommendations
suggest changing the value to `block` after 10+ runs of the job.

Reference issue #4111

Testing workflow run 6232:
https://github.com/intel/cve-bin-tool/actions/runs/8976788790/job/24654326627

harden-runner recommendations:
https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/
8976788790?jobid=24654326273&tab=recommendations
  • Loading branch information
@michaelwknott
michaelwknott authored May 10, 2024
1 parent 85267fa commit 234f8ea
Showing 1 changed file with 105 additions and 5 deletions.
110 changes: 105 additions & 5 deletions .github/workflows/testing.yml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
name: Testing
permissions: read-all

on:
push:
Expand All @@ -24,6 +23,8 @@ env:
jobs:
docs:
name: Documentation
permissions:
contents: read
if: |
! github.event.pull_request.user.login == 'github-actions[bot]' ||
! (
Expand All @@ -38,7 +39,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
Expand All @@ -59,6 +65,8 @@ jobs:
tests:
name: Linux tests
permissions:
contents: read
runs-on: ubuntu-22.04
strategy:
matrix:
Expand All @@ -68,7 +76,34 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
access.redhat.com:443
archives.fedoraproject.org:443
azure.archive.ubuntu.com:80
curl.se:443
epss.cyentia.com:443
esm.ubuntu.com:443
files.pythonhosted.org:443
ftp.fr.debian.org:80
github.com:443
gitlab.com:443
mirror.cveb.in:443
mirror.cveb.in:80
motd.ubuntu.com:443
nvd.nist.gov:443
osv-vulnerabilities.storage.googleapis.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
pypi.org:443
raw.githubusercontent.com:443
release-monitoring.org:443
rpmfind.net:443
security-tracker.debian.org:443
services.nvd.nist.gov:443
storage.googleapis.com:443
www.cisa.gov:443
www.sqlite.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
Expand Down Expand Up @@ -149,6 +184,8 @@ jobs:
long_tests:
name: Long tests on Python 3.10
permissions:
contents: read
if: |
! github.event.pull_request.user.login == 'github-actions[bot]' ||
! (
Expand All @@ -166,7 +203,39 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
access.redhat.com:443
api.codecov.io:443
api.github.com:443
archives.fedoraproject.org:443
azure.archive.ubuntu.com:80
cli.codecov.io:443
codecov.io:443
curl.se:443
epss.cyentia.com:443
esm.ubuntu.com:443
files.pythonhosted.org:443
ftp.fr.debian.org:80
github.com:443
gitlab.com:443
mirror.cveb.in:443
mirror.cveb.in:80
motd.ubuntu.com:443
nvd.nist.gov:443
osv-vulnerabilities.storage.googleapis.com:443
packages.microsoft.com:443
ppa.launchpadcontent.net:443
pypi.org:443
raw.githubusercontent.com:443
release-monitoring.org:443
rpmfind.net:443
security-tracker.debian.org:443
services.nvd.nist.gov:443
storage.googleapis.com:443
uploader.codecov.io:443
www.cisa.gov:443
www.sqlite.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
Expand Down Expand Up @@ -277,6 +346,8 @@ jobs:

linux-mayfail:
name: Tests that may fail due to network or HTML
permissions:
contents: read
if: |
! github.event.pull_request.user.login == 'github-actions[bot]' ||
! (
Expand All @@ -294,7 +365,34 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
access.redhat.com:443
api.github.com:443
azure.archive.ubuntu.com:80
csrc.nist.gov:443
curl.se:443
epss.cyentia.com:443
esm.ubuntu.com:443
files.pythonhosted.org:443
github.com:443
gitlab.com:443
mirror.cveb.in:443
mirror.cveb.in:80
motd.ubuntu.com:443
nvd.nist.gov:443
osv-vulnerabilities.storage.googleapis.com:443
packages.microsoft.com:443
playwright.azureedge.net:443
ppa.launchpadcontent.net:443
pypi.org:443
release-monitoring.org:443
scap.nist.gov:443
security-tracker.debian.org:443
services.nvd.nist.gov:443
storage.googleapis.com:443
www.cisa.gov:443
www.sqlite.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
Expand Down Expand Up @@ -379,6 +477,8 @@ jobs:
windows_long_tests:
name: Windows long tests
permissions:
contents: read
if: |
! github.event.pull_request.user.login == 'github-actions[bot]' ||
! (
Expand Down

0 comments on commit 234f8ea

Please sign in to comment.