ci: update Testing workflow with harden-runner recommendations (#4114)
This commit updates the Testing workflow (testing.yml) using recommendations from Step Security's harden-runner action.

Recommendations were taken from the most recent Testing workflow run (6232, see links below) where all jobs ran with only the 'Get Yesterday's cached database if today's is not available' step not running on relevant jobs.

As harden-runner only runs on Ubuntu VMs, a job-level permission was added to the 'Windows long test' job to account for the removal of the top-level workflow permission.

As the Build job has only recently been added, the `egress-policy` key has been left with the value `audit`. The harden-runner recommendations suggest changing the value to `block` after 10+ runs of the job.

Reference issue #4111

Testing workflow run 6232: https://github.com/intel/cve-bin-tool/actions/runs/8976788790/job/24654326627

harden-runner recommendations: https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/8976788790?jobid=24654326273&tab=recommendations
1 parent 85267fa, commit 234f8ea
Showing 1 changed file with 105 additions and 5 deletions.
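The commit message describes two settings without showing them: a per-job `permissions` block replacing the removed workflow-level one (needed for the Windows job, which harden-runner cannot cover), and `egress-policy` left at `audit` for a new job versus `block` for a job with enough run history. The workflow fragment below is an added illustration, not the repository's testing.yml or the commit's diff; the job names, the action version tag and the allowed endpoints are assumptions.

```yaml
# Added illustration (not the repository's testing.yml): the two settings the
# commit message describes. Job names, the action version tag and the
# allowed-endpoints list are assumptions, not values from the repository.
name: Testing

# No workflow-level `permissions:` key, so each job declares its own.

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Recently added job: stay in audit mode until enough runs exist to
      # derive a reliable allow-list (the recommendation is 10+ runs).
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # pin to a commit SHA in practice
        with:
          egress-policy: audit
      - uses: actions/checkout@v4

  long-tests:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Established job: block all egress except endpoints observed in
      # earlier audited runs (assumed list for a Python project).
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            files.pythonhosted.org:443
            pypi.org:443
      - uses: actions/checkout@v4

  windows-long-tests:
    # harden-runner only runs on Ubuntu VMs, so this job has no harden step;
    # the job-level permissions block still replaces the removed
    # workflow-level one so the job keeps a read-only token.
    runs-on: windows-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
```

In `block` mode a connection to an endpoint outside the list fails and is reported in the run's harden-runner summary, which is the signal that the list needs updating (or that a step is reaching somewhere it should not).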