From db0074d5dcc905438f6acc642f54f83b9fef03e2 Mon Sep 17 00:00:00 2001 From: Mark Ridgwell Date: Sun, 7 Apr 2024 17:50:48 +0000 Subject: [PATCH] [Actions] Updated .github/workflows/approve-dependabot.yml --- .github/workflows/approve-dependabot.yml | 76 ++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 4 deletions(-) diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml index e53a99db..522bd573 100644 --- a/.github/workflows/approve-dependabot.yml +++ b/.github/workflows/approve-dependabot.yml @@ -28,6 +28,11 @@ jobs: # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly. steps: + + - name: "Initialise Workspace" + shell: bash + run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" uses: step-security/harden-runner@v2.7.0 with: @@ -45,16 +50,14 @@ jobs: tuf-repo-cdn.sigstore.dev:443 www.bestpractices.dev:443 - #egress-policy: audit + #egress-policy: audit - - name: "Initialise Workspace" - shell: bash - run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: script: | core.info('Owner: ${{github.repository_owner}}'); + - name: "Auto Merge" uses: alexwilson/enable-github-automerge-action@2.0.0 with: 
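Review bot: The relocated `Initialise Workspace` step now has to run before `Harden Security`, but nothing in the file says so; a later reorder would silently break the job if that harden-runner step sets `disable-sudo: true` (its `with:` block is cut off in this hunk, so I am inferring that from the blocks added in the later hunks). Add a comment above the step: `# must run before harden-runner: sudo is unavailable once disable-sudo is on`. The same ordering constraint applies to the existing Initialise Workspace steps that precede the new Harden Security blocks in the hunks starting at -77, -102 and -126. It also means this `sudo chown` runs before any egress monitoring starts, which is fine for a local chown but worth remembering if the step ever gains network calls.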
@@ -77,11 +80,32 @@ jobs: - name: "Initialise Workspace" shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: script: | core.info('Owner: ${{github.repository_owner}}'); + - name: "Auto Merge" uses: alexwilson/enable-github-automerge-action@2.0.0 with: @@ -102,11 +126,33 @@ jobs: - name: "Initialise Workspace" shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: script: | core.info('Owner: ${{github.repository_owner}}'); + - name: "Approve" uses: hmarr/auto-approve-action@v4 with: 
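Review bot: In each new `Harden Security` block, `egress-policy: audit` means the `allowed-endpoints` list is only reported against, not enforced, so outbound calls to hosts outside the list still succeed and the list provides no protection until the policy is switched to `block`. The trailing `#egress-policy: audit` comment duplicates the live key a few lines above and reads as a leftover; either drop it or make the intent explicit, e.g. `# TODO: switch to egress-policy: block once audit logs confirm this endpoint list`. The same applies to the identical blocks in the hunks starting at -102 and -126. The new `uses:` references are pinned to mutable tags (`step-security/harden-runner@v2.7.0`); for a workflow whose purpose is supply-chain hygiene, pinning to the full commit SHA with the tag kept in a trailing comment is the usual recommendation, e.g. `uses: step-security/harden-runner@<full-commit-sha> # v2.7.0`.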
@@ -126,11 +172,33 @@ jobs: - name: "Initialise Workspace" shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: script: | core.info('Owner: ${{github.repository_owner}}'); + - name: "Approve" uses: hmarr/auto-approve-action@v4 with: