From b5fb3b5c993b1ebb8524f9e72abbae9323d70682 Mon Sep 17 00:00:00 2001 From: Mark Ridgwell Date: Sun, 7 Apr 2024 18:14:07 +0100 Subject: [PATCH] Hardened security? --- .github/workflows/approve-dependabot.yml | 70 ++++++++++++++++++++++-- .github/workflows/merge-dependabot.yml | 11 ++-- .github/workflows/on-pr-closed.yml | 4 ++ 3 files changed, 75 insertions(+), 10 deletions(-) diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml index 0aa46f97..522bd573 100644 --- a/.github/workflows/approve-dependabot.yml +++ b/.github/workflows/approve-dependabot.yml @@ -28,6 +28,11 @@ jobs: # Specifically check that dependabot (or another trusted party) created this pull-request, and that it has been labelled correctly. steps: + + - name: "Initialise Workspace" + shell: bash + run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" uses: step-security/harden-runner@v2.7.0 with: @@ -45,11 +50,7 @@ jobs: tuf-repo-cdn.sigstore.dev:443 www.bestpractices.dev:443 - #egress-policy: audit - - - name: "Initialise Workspace" - shell: bash - run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + #egress-policy: audit - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 @@ -80,6 +81,25 @@ jobs: shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: 
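Review bot: The `Initialise Workspace` step is moved ahead of `Harden Security` in the first hunk with no comment saying why, and that ordering is now a security boundary: it has to run first because it needs `sudo`, presumably because `disable-sudo: true` is set on the hardening step as it is in the blocks added later in this file, so anyone who later tidies the step order either breaks the job or leaves sudo enabled for the remaining steps. I would add `# Must run before harden-runner: it needs sudo, and disable-sudo on that step revokes sudo for every later step.` above the step. This also makes the chown the one command harden-runner never observes, so on the runner host I would limit the runner user's sudo to exactly that `chown -R` on its work tree (a NOPASSWD sudoers entry) rather than relying on unrestricted sudo being harmless.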
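Review bot: `egress-policy: audit` on the `Harden Security` block added in the third hunk means the `allowed-endpoints` list under it is only logged, never enforced, so this job's network is not actually restricted by the change; harden-runner only blocks unlisted hosts with `egress-policy: block`. The list itself (api.osv.dev, api.securityscorecards.dev, oss-fuzz-build-logs.storage.googleapis.com, the sigstore hosts) looks carried over from a Scorecard workflow; for a job whose visible steps are `actions/github-script`, the endpoints needed are most likely `api.github.com:443` and `github.com:443`, which one audit run would confirm. Once confirmed I would switch to `egress-policy: block`, trim the list, and delete the added `#egress-policy: audit` comment, which now only duplicates the live key four lines above it and will mislead the next reader.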
@@ -107,6 +127,26 @@ jobs: shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: @@ -133,6 +173,26 @@ jobs: shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" + uses: step-security/harden-runner@v2.7.0 + with: + egress-policy: audit + disable-sudo: true + allowed-endpoints: > + api.github.com:443 + api.osv.dev:443 + api.securityscorecards.dev:443 + codeload.github.com:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + #egress-policy: audit + + - name: "Check Repo Owner" uses: actions/github-script@v7.0.1 with: diff --git a/.github/workflows/merge-dependabot.yml b/.github/workflows/merge-dependabot.yml index 9911a6d3..de85a14f 100644 --- a/.github/workflows/merge-dependabot.yml +++ b/.github/workflows/merge-dependabot.yml @@ -39,11 +39,6 @@ jobs: - name: "Initialise Workspace" shell: bash run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" - - name: "Check Owner" - uses: actions/github-script@v7.0.1 - with: - script: | - core.info('Owner: ${{github.repository_owner}}'); - name: "Harden Security" uses: step-security/harden-runner@v2.7.0 
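Review bot: The new `uses: step-security/harden-runner@v2.7.0` line in the first hunk pins the action to a mutable tag, so the step that is meant to be the job's security boundary can be swapped for different code if the tag is moved or the upstream account is compromised; the same applies to `actions/github-script@v7.0.1` in the context lines. For a change titled as hardening I would pin to the full commit SHA and keep the version as a trailing comment, `uses: step-security/harden-runner@<40-char commit sha of v2.7.0> # v2.7.0`, which is also what Scorecard's Pinned-Dependencies check expects and what Dependabot's github-actions ecosystem updates cleanly.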
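Review bot: The second hunk adds the fourth verbatim copy of the same `Harden Security` block in this file, endpoint list included, so any future tightening of `egress-policy` or the endpoint list has to be made in four places and the copies will drift. GitHub Actions does not expand YAML anchors, so the usual way to keep one source of truth is a local composite action (`uses: ./.github/actions/harden`) or a reusable workflow the jobs all call. That is a follow-up; within this commit the trailing `#egress-policy: audit` comment at the end of each copy should at least go, since the live `egress-policy: audit` key sits a few lines above it.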
@@ -62,6 +57,12 @@ jobs: tuf-repo-cdn.sigstore.dev:443 www.bestpractices.dev:443 + - name: "Check Owner" + uses: actions/github-script@v7.0.1 + with: + script: | + core.info('Owner: ${{github.repository_owner}}'); + - name: "Auto-Merge" if: github.repository_owner == 'funfair-tech' uses: pascalgn/automerge-action@v0.16.2 diff --git a/.github/workflows/on-pr-closed.yml b/.github/workflows/on-pr-closed.yml index 0beddbb5..0f04ff5b 100644 --- a/.github/workflows/on-pr-closed.yml +++ b/.github/workflows/on-pr-closed.yml @@ -9,6 +9,10 @@ jobs: cleanup-cache: runs-on: [self-hosted, linux] steps: + - name: "Initialise Workspace" + shell: bash + run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" + - name: "Harden Security" uses: step-security/harden-runner@v2.7.0 with:
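Review bot: The re-added `Check Owner` step only logs the owner with `core.info` and never fails the job, so the real gate against this workflow merging on a fork is the `if: github.repository_owner == 'funfair-tech'` on the `Auto-Merge` step that follows it. If the step is meant as a guard it should call `core.setFailed(...)` when the owner is wrong; if it is only diagnostic, a comment such as `# Diagnostic only: the owner gate is the if: on Auto-Merge below` stops the next reader from assuming it protects anything. Inside `script:` I would also read `context.repo.owner` instead of template-expanding `${{github.repository_owner}}` into the JavaScript; the owner is not attacker-controlled here, but the expression-in-script pattern is exactly the one that becomes injectable with contexts like PR titles, and the file should not normalise it.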
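Review bot: The `Initialise Workspace` step added to the `[self-hosted, linux]` job runs `sudo chown -R "$USER:$USER"`, and `$USER` is a login-shell variable that a runner started as a service may not export; if it is empty the command becomes `chown -R ":" …`, which GNU chown treats as "change nothing", so the step passes without doing the work it was added for. `"$(id -un):$(id -gn)"` gives the real identity regardless of environment. The step is also placed ahead of `Harden Security`, presumably because `disable-sudo` is set in the `with:` block the hunk cuts off, which deserves a one-line comment stating that dependency. Since this runner is self-hosted rather than GitHub-hosted, confirm that the harden-runner tier in use actually supports it before treating its sudo and egress controls as in force.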