diff --git a/.github/workflows/browser-beta.yml b/.github/workflows/browser-beta.yml
index 64e38d7eb..1ef14f725 100644
--- a/.github/workflows/browser-beta.yml
+++ b/.github/workflows/browser-beta.yml
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/browser-dev.yml b/.github/workflows/browser-dev.yml
index 35aeb9c9f..edd38e560 100644
--- a/.github/workflows/browser-dev.yml
+++ b/.github/workflows/browser-dev.yml
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/building-docker.yml b/.github/workflows/building-docker.yml
index d5e5af284..8b9cfea24 100644
--- a/.github/workflows/building-docker.yml
+++ b/.github/workflows/building-docker.yml
@@ -7,6 +7,11 @@ jobs:
 docker:
 runs-on: ubuntu-22.04
 steps:
+ -
+ name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 601d04035..303de8844 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
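Review bot: `egress-policy: audit` in the new Harden Runner step only logs outbound connections; it does not stop a compromised dependency, action or build script from reaching an arbitrary host, so this job gains visibility but no enforcement. The same audit-only step is added in browser-dev.yml, building-docker.yml, docker.yml, lint.yml, mac-m1.yml, mac.yml, safari.yml, unittests.yml and windows.yml, whereas linux-chrome.yml and linux-firefox.yml in this commit already move to `egress-policy: block` with an allow-list. A comment on the step stating the plan, e.g. `# audit only for now: review the reported egress over a few runs, then switch to egress-policy: block with allowed-endpoints`, keeps a later reader from taking the step as enforced hardening. If this job does not need root, harden-runner's `disable-sudo: true` input is an inexpensive addition to consider alongside the egress policy.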
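Review bot: The building-docker.yml step is written with `-` on a line of its own followed by `name: Harden Runner`, while every other workflow in this commit writes the same step as `- name: Harden Runner`, so the two layouts read as an inconsistency within one change. If the rest of building-docker.yml already uses the dash-on-its-own-line layout for its steps — the collapsed hunk makes this hard to confirm — matching the file is the right call; otherwise `- name: Harden Runner` would match the other eleven workflows.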
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build the container
 run: |
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index fb5e2b4b1..37e064548 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -13,6 +13,10 @@ jobs:
 matrix:
 node-version: [24.x]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/linux-chrome.yml b/.github/workflows/linux-chrome.yml
index 297add7aa..c64e49f84 100644
--- a/.github/workflows/linux-chrome.yml
+++ b/.github/workflows/linux-chrome.yml
@@ -10,6 +10,35 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ accounts.google.com:443
+ android.clients.google.com:443
+ api.snapcraft.io:443
+ azure.archive.ubuntu.com:80
+ canonical-bos01.cdn.snapcraftcontent.com:443
+ canonical-lgw01.cdn.snapcraftcontent.com:443
+ clients2.google.com:80
+ dl-ssl.google.com:443
+ dl.google.com:80
+ esm.ubuntu.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ motd.ubuntu.com:443
+ msedgedriver.microsoft.com:443
+ mtalk.google.com:5228
+ nodejs.org:443
+ packages.microsoft.com:443
+ pypi.org:443
+ registry.npmjs.org:443
+ release-assets.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ storage.googleapis.com:443
+ www.google.com:443
+ www.sitespeed.io:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/linux-firefox.yml b/.github/workflows/linux-firefox.yml
index 1856e2b14..f9807fc13 100644
--- a/.github/workflows/linux-firefox.yml
+++ b/.github/workflows/linux-firefox.yml
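Review bot: Three entries in the new allow-list are plaintext ports — `azure.archive.ubuntu.com:80`, `clients2.google.com:80` and `dl.google.com:80` — so whatever is fetched through them relies on an out-of-band integrity check (apt's signature verification covers repository metadata and packages, but confirm nothing else in the job reads from these hosts). The list also mixes hosts the build itself needs (`github.com`, `nodejs.org`, `registry.npmjs.org`, `pypi.org`, `www.sitespeed.io`) with hosts Chrome opens on its own as the browser under test (`accounts.google.com`, `android.clients.google.com`, `mtalk.google.com:5228`, `clients2.google.com`, `www.google.com`), and nothing in the hunk records which is which. Grouping the entries with a one-line comment per cluster, e.g. `# Chrome background services — opened by the browser under test, not by the build`, keeps the list reviewable when a future audit report shows a new endpoint and someone has to decide whether it belongs here.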
@@ -10,6 +10,27 @@ jobs:
 build:
 runs-on: ubuntu-22.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.snapcraft.io:443
+ archive.mozilla.org:443
+ canonical-bos01.cdn.snapcraftcontent.com:443
+ canonical-lgw01.cdn.snapcraftcontent.com:443
+ content-signature-2.cdn.mozilla.net:443
+ files.pythonhosted.org:443
+ firefox-settings-attachments.cdn.mozilla.net:443
+ firefox.settings.services.mozilla.com:443
+ ftp.mozilla.org:443
+ github.com:443
+ msedgedriver.microsoft.com:443
+ pypi.org:443
+ registry.npmjs.org:443
+ release-assets.githubusercontent.com:443
+ results-receiver.actions.githubusercontent.com:443
+ storage.googleapis.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/mac-m1.yml b/.github/workflows/mac-m1.yml
index 252421c94..045a05dab 100644
--- a/.github/workflows/mac-m1.yml
+++ b/.github/workflows/mac-m1.yml
@@ -11,6 +11,10 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 20
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
index 3d901f897..c144322ab 100644
--- a/.github/workflows/mac.yml
+++ b/.github/workflows/mac.yml
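Review bot: The linux-firefox.yml allow-list has no `nodejs.org:443` entry although the same `actions/setup-node` step follows the new Harden Runner step, and linux-chrome.yml in this commit does include it. Under `egress-policy: block` a Node download would presumably be refused whenever the requested version is not already in the runner's tool cache, so the job is likely to start failing after a runner-image update rather than today. Either add `nodejs.org:443` to match linux-chrome.yml, or record the assumption next to the list, e.g. `# node is expected from the runner tool cache; nodejs.org deliberately not allowed`. The Mozilla hosts are all on 443, which is the right shape for the rest of the list.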
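Review bot: Harden Runner on `macos-latest` may be a no-op: as far as I know the step-security agent installs only on Ubuntu GitHub-hosted runners and the action exits without hardening on macOS and Windows hosts — confirm against the README for the pinned v2.14.2 before relying on it. If that still holds, the step added here and in mac.yml, safari.yml and windows.yml contributes no egress monitoring while making those jobs look hardened, and the expected audit reports will simply be absent. Either document that explicitly, e.g. `# Harden Runner currently has no effect on non-Ubuntu hosted runners; kept for consistency with the Linux workflows`, or drop the step from the macOS and Windows workflows.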
@@ -11,6 +11,10 @@ jobs:
 runs-on: macos-15-intel
 timeout-minutes: 30
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/safari.yml b/.github/workflows/safari.yml
index c6eae9158..c1b2e7eeb 100644
--- a/.github/workflows/safari.yml
+++ b/.github/workflows/safari.yml
@@ -11,6 +11,10 @@ jobs:
 runs-on: macos-latest
 timeout-minutes: 20
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/unittests.yml b/.github/workflows/unittests.yml
index dc1ec4021..e41f5eda9 100644
--- a/.github/workflows/unittests.yml
+++ b/.github/workflows/unittests.yml
@@ -15,6 +15,10 @@ jobs:
 browser: ['chrome', 'firefox']
 node-version: [22.x, 24.x,]
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js ${{ matrix.node-version }}
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 0ceb7fbb2..1cf7b5b82 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -10,6 +10,10 @@ jobs:
 build:
 runs-on: windows-2025
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Use Node.js
 uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6