4 changes: 2 additions & 2 deletions .github/dependabot.yml
Expand Up @@ -15,7 +15,7 @@ updates:
commit-message:
prefix: meta
cooldown:
default-days: 3
default-days: 7
open-pull-requests-limit: 10

- package-ecosystem: npm
Expand All @@ -30,7 +30,7 @@ updates:
commit-message:
prefix: meta
cooldown:
default-days: 3
default-days: 7
groups:
orama:
patterns:
4 changes: 3 additions & 1 deletion .github/workflows/auto-merge.yml
Expand Up @@ -18,7 +18,9 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443

- uses: nodejs/web-team/actions/auto-merge-prs@b087df186d25f8792fb85cc7794f68718726b8ee
with:
38 changes: 35 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -21,10 +21,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
Expand All @@ -49,10 +54,21 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
cli.codecov.io:443
github.com:443
ingest.codecov.io:443
keybase.io:443
o26192.ingest.us.sentry.io:443
raw.githubusercontent.com:443
registry.npmjs.org:443
storage.googleapis.com:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
Expand Down Expand Up @@ -87,10 +103,25 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
*.archive.ubuntu.com:80
*.microsoft.com:443
api.github.com:443
cdn.playwright.dev:443
dl.google.com:443
esm.ubuntu.com:443
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
raw.githubusercontent.com:443
registry.npmjs.org:443
storage.googleapis.com:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
Expand All @@ -104,6 +135,7 @@ jobs:
- name: Checkout Node.js source
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
repository: nodejs/node
sparse-checkout: doc/api/assert.md
path: node
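Review bot: In the third hunk's allowlist, `*.archive.ubuntu.com:80` and `*.microsoft.com:443` are the two entries broad enough to need a recorded rationale, otherwise nobody can later tell whether they can be narrowed (the browser-install step is my guess from `cdn.playwright.dev`, but that step is outside the hunk). Because `allowed-endpoints` is a folded block scalar, a `#` inside it would become literal endpoint text rather than a comment, so the rationale has to go above the key, e.g. `# *.archive.ubuntu.com:80 is the apt mirror (packages are signature-checked); *.microsoft.com:443 — TODO: record which step needs this wildcard`. The second hunk's `keybase.io:443` and `o26192.ingest.us.sentry.io:443` entries deserve the same treatment, since they look like side traffic of the coverage uploader rather than anything this repository calls directly, and a later maintainer will otherwise be tempted to prune them.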
9 changes: 8 additions & 1 deletion .github/workflows/codeql.yml
Expand Up @@ -42,10 +42,17 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
*.github.com:443
objects.githubusercontent.com:443
release-assets.githubusercontent.com:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
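Review bot: `*.github.com:443` in this allowlist is a wildcard over every GitHub subdomain, which gives back most of what switching this job to `block` was meant to remove; if the earlier audit-mode runs showed only specific hosts (for CodeQL upload these are plausibly `api.github.com` and `uploads.github.com`, but confirm against the audit output rather than my guess), list those instead. Separately, this list puts `github.com` ahead of `*.github.com` while ci.yml keeps its lists alphabetically sorted; the lists in dependency-review.yml, publish.yml, scorecard.yml and update-type-map.yml are likewise unsorted, so pick one order across the commit to keep future diffs small. The Initialize CodeQL step at the end of the hunk continues outside it.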
7 changes: 6 additions & 1 deletion .github/workflows/codespell.yml
Expand Up @@ -11,9 +11,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
with:
ignore_words_list: crate,raison
9 changes: 7 additions & 2 deletions .github/workflows/dependency-review.yml
Expand Up @@ -9,7 +9,7 @@
name: Review Dependencies

on:
pull_request_target:
pull_request:
branches:
- main

Expand All @@ -23,10 +23,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443

- name: Git Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Review Dependencies
uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
4 changes: 3 additions & 1 deletion .github/workflows/leave-comment.yml
Expand Up @@ -18,7 +18,9 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443

- name: Download all comparison artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
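Review bot: The allowlist for this job permits only `api.github.com:443`, but the step that follows is `actions/download-artifact`, which as far as I can tell fetches artifact content from the Actions result-storage hosts via a signed URL rather than from the REST API; with `egress-policy: block` that step would then fail at download time. Confirm from the audit-mode output of an earlier run which hosts the download actually reached and add them to `allowed-endpoints`, or keep this job on `egress-policy: audit` until that is known. The download step's `with:` block continues outside the hunk.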
11 changes: 8 additions & 3 deletions .github/workflows/publish.yml
Expand Up @@ -12,8 +12,6 @@ on:

permissions:
contents: read
# For npm OIDC (https://docs.npmjs.com/trusted-publishers)
id-token: write

env:
COMMIT_SHA: ${{ github.sha }}
Expand All @@ -28,7 +26,10 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443

- name: Verify commit authenticity
env:
Expand Down Expand Up @@ -58,6 +59,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 2 # Need at least 2 commits to detect changes between commits

- name: Check if we should publish
Expand All @@ -75,6 +77,9 @@ jobs:
needs: prepare
runs-on: ubuntu-latest
if: needs.prepare.outputs.should_publish == 'true'
permissions:
# For npm OIDC (https://docs.npmjs.com/trusted-publishers)
id-token: write
Publish job loses contents: read from permission override

High Severity

The publish job defines job-level permissions with only id-token: write. In GitHub Actions, job-level permissions completely replace (not merge with) workflow-level permissions. This means the publish job loses the workflow-level contents: read permission. Without contents: read, the nodejs/web-team/actions/setup-environment action won't be able to check out the repository, and npm publish will have no package to publish. The contents: read permission needs to be included alongside id-token: write in the job-level permissions block.


Reviewed by Cursor Bugbot for commit 7de39fe. Configure here.

steps:
- uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
with:
9 changes: 8 additions & 1 deletion .github/workflows/scorecard.yml
Expand Up @@ -34,7 +34,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
api.scorecard.dev:443
rekor.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
fulcio.sigstore.dev:443

- name: Git Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
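Review bot: The Git Checkout step at the end of this hunk is the only checkout touched by the commit that does not gain `persist-credentials: false`; its `with:` block, if it has one, lies outside the hunk, so either it already sets that or the scorecard job is left as the one place where the token stays in `.git/config`. If it is missing, add `with:` / `persist-credentials: false` as the other workflows in this commit do. The sigstore and `api.scorecard.dev` entries are presumably for publishing results and only matter if `publish_results` is enabled further down, which the hunk does not show; a comment above `allowed-endpoints` saying so would keep them from being pruned by mistake.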
8 changes: 7 additions & 1 deletion .github/workflows/update-type-map.yml
Expand Up @@ -17,10 +17,16 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
github.com:443
api.github.com:443
objects.githubusercontent.com:443

- name: Git Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- run: node scripts/update-type-map.mjs

25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yaml
@@ -0,0 +1,25 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: main
pull_request:
branches: main

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
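Review bot: This new workflow is the only one in the commit without a Harden Runner step, so the job that audits the other workflows is itself the one with unrestricted egress; add the same pinned `step-security/harden-runner` step as the first entry under `steps:`. Which hosts `zizmorcore/zizmor-action` needs is not visible here, so start it in `audit` mode and tighten to `block` with an `allowed-endpoints` list once a run has shown the traffic, as was done for the other files. The top-level `permissions: {}` with the job-level grants is the right shape, and `persist-credentials: false` on the checkout is consistent with the rest of the commit.

```yaml
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          # audit first; switch to block once a run shows which hosts zizmor-action reaches
          egress-policy: audit

      # … unchanged: checkout and zizmor steps …
```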