step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 12:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add workflows

Browse source
This commit is contained in:
Varun Sharma 2025-02-15 12:11:05 -08:00
commit 65d6f6e4ee
2 changed files with 204 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

28
.github/workflows/publish-immutable-actions.yml vendored Normal file
View file

@ -0,0 +1,28 @@
name: 'Publish Immutable Action Version'
on:
release:
types: [published]
permissions:
contents: read
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit
- name: Checking out
uses: actions/checkout@v4
- name: Publish
id: publish
uses: actions/publish-immutable-action@0.0.4

176
.github/workflows/runs-on.yml vendored Normal file
View file

@ -0,0 +1,176 @@
name: RunsOn Tests
on:
workflow_dispatch:
jobs:
test-host-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: audit
allowed-endpoints: >
github.com:443
goreleaser.com:443
- name: Checkout code
uses: actions/checkout@v3
- name: Run outbound calls from host
run: |
start_time=$(date +%s)
end_time=$((start_time + 90)) # 5 minutes = 300 seconds
while [ $(date +%s) -lt $end_time ]; do
curl -I https://www.google.com
curl -I https://goreleaser.com
sleep 10 # wait 10 seconds between calls
done
test-docker-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
*.docker.io:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Run outbound calls from within Docker container
continue-on-error: true
run: |
# Start the container
docker run --rm -d --name test-container ubuntu:latest sleep 90
# Install curl in the container
docker exec test-container apt-get update
docker exec test-container apt-get install -y curl
# Print /etc/resolv.conf from the container
docker exec test-container cat /etc/resolv.conf
# Make outbound calls
for i in {1..9}; do
docker exec test-container curl -I https://www.google.com
docker exec test-container curl -I https://goreleaser.com
sleep 10 # wait 10 seconds between calls
done
# Stop the container
docker stop test-container
test-docker-build-outbound:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: audit
allowed-endpoints: >
archive.ubuntu.com:80
auth.docker.io:443
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
registry-1.docker.io:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Build Docker image and test outbound calls during build
continue-on-error: true
run: |
# Create a Dockerfile that installs curl and makes outbound calls
cat <<EOF > Dockerfile
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
RUN for i in {1..9}; do curl -I https://www.google.com && curl -I https://goreleaser.com; sleep 10; done
EOF
# Build the Docker image
docker build -t test-image .
# Print /etc/resolv.conf from the build container (temporary container used during build)
container_id=$(docker create test-image)
docker start $container_id
docker exec $container_id cat /etc/resolv.conf
docker stop $container_id
docker rm $container_id
- name: Print Docker logs with journalctl
run: |
sudo journalctl -u docker.service --no-pager
shell: bash
test-long-running-docker:
runs-on:
- runs-on=${{ github.run_id }}
- runner=2cpu-linux-x64
- image=ubuntu22-stepsecurity-x64
steps:
- name: Harden Runner
uses: step-security/harden-runner@rc
with:
egress-policy: block
allowed-endpoints: >
archive.ubuntu.com:80
auth.docker.io:443
github.com:443
goreleaser.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com:443
security.ubuntu.com:80
- name: Checkout code
uses: actions/checkout@v3
- name: Run long-running Docker container with outbound calls
continue-on-error: true
run: |
# Start the long-running container
docker run --rm -d --name long-running-container ubuntu:latest bash -c "
apt-get update && apt-get install -y curl &&
while true; do
curl -I https://www.google.com;
curl -I https://goreleaser.com;
sleep 10;
done
"
# Print /etc/resolv.conf from the container
docker exec long-running-container cat /etc/resolv.conf
# Let the container run for 5 minutes
sleep 90
# Stop the container
docker stop long-running-container