Skip to content

Commit

Permalink
[Actions] Updated .github/workflows/approve-dependabot.yml
Browse files Browse the repository at this point in the history
  • Loading branch information
@credfeto
credfeto committed Apr 7, 2024
1 parent cff03a6 commit db0074d
Showing 1 changed file with 72 additions and 4 deletions.
76 changes: 72 additions & 4 deletions .github/workflows/approve-dependabot.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,11 @@ jobs:
# Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly.

steps:

- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
Expand All @@ -45,16 +50,14 @@ jobs:
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
#egress-policy: audit
#egress-policy: audit
- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Auto Merge"
uses: alexwilson/[email protected]
with:
Expand All @@ -77,11 +80,32 @@ jobs:
- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
#egress-policy: audit
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Auto Merge"
uses: alexwilson/[email protected]
with:
Expand All @@ -102,11 +126,33 @@ jobs:
- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
#egress-policy: audit
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Approve"
uses: hmarr/auto-approve-action@v4
with:
Expand All @@ -126,11 +172,33 @@ jobs:
- name: "Initialise Workspace"
shell: bash
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"

- name: "Harden Security"
uses: step-security/[email protected]
with:
egress-policy: audit
disable-sudo: true
allowed-endpoints: >
api.github.com:443
api.osv.dev:443
api.securityscorecards.dev:443
codeload.github.com:443
fulcio.sigstore.dev:443
github.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
#egress-policy: audit
- name: "Check Repo Owner"
uses: actions/[email protected]
with:
script: |
core.info('Owner: ${{github.repository_owner}}');
- name: "Approve"
uses: hmarr/auto-approve-action@v4
with:
Expand Down

0 comments on commit db0074d

Please sign in to comment.