From f9708c968a4d4b52ccd5732d07f2cc47186e4e74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wilfredo=20S=C3=A1nchez=20Vega?=
Date: Sat, 17 Feb 2024 13:05:11 -0800
Subject: [PATCH] Fix harden config

---
 .github/workflows/deploy.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9f4d8d3ce..53a1083d2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,7 +17,15 @@ jobs:
 - name: Harden CI
 uses: step-security/harden-runner@v2.7.0
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ ecs.us-west-2.amazonaws.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+ raw.githubusercontent.com:443
+ sts.us-west-2.amazonaws.com:443
 
 - name: Check user
 if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
@@ -72,7 +80,15 @@ jobs:
 - name: Harden CI
 uses: step-security/harden-runner@v2.7.0
 with:
+ disable-sudo: true
 egress-policy: block
+ allowed-endpoints: >
+ ecs.us-west-2.amazonaws.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+ raw.githubusercontent.com:443
+ sts.us-west-2.amazonaws.com:443
 
 - name: Check user
 if: ${{ ! contains('["wsanchez", "mikeburg", "plapsley"]', github.actor) }}
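Review bot: The `Check user` gate that sits directly under the new `allowed-endpoints` block is still a substring test, not a membership test, because `contains()` is being applied to a JSON-formatted string rather than an array: any `github.actor` value that happens to be a substring of `["wsanchez", "mikeburg", "plapsley"]` (for example a single-letter or partial login) passes the guard, so the egress and sudo hardening introduced here is fronted by a weaker check than intended; the same line appears in the second hunk. Parse the list first so the comparison is exact: `if: ${{ ! contains(fromJSON('["wsanchez", "mikeburg", "plapsley"]'), github.actor) }}`. The body of the `Check user` step is outside the hunk, so what it does for a non-listed actor cannot be confirmed from here. Separately, the `uses: step-security/harden-runner@v2.7.0` context line pins the hardening action by mutable tag; pinning to the full commit SHA of that release (with the tag in a trailing comment) keeps the runner-hardening step itself from being retargeted, which is the same class of risk the new block-mode egress policy is closing.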
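Review bot: The new `allowed-endpoints` list in this hunk is an unannotated copy of the one in the first hunk, so there is nothing telling the next maintainer which step each host serves or that the two lists must stay in sync when a dependency, region or action source changes. Add a comment above each `allowed-endpoints: >` line along the lines of `# Egress allowlist; keep identical to the other job's. github.com/raw.githubusercontent.com presumably cover checkout and action fetch, pypi.org/files.pythonhosted.org pip, the ecs/sts us-west-2 hosts the AWS deploy step — confirm against the steps below`, since the mapping from host to step is inferred from the names rather than visible in the hunk. As a point of style, `>` clips to a single trailing newline that becomes part of the value; `>-` strips it and is the tidier choice for a whitespace-separated list, though harden-runner is not known to be sensitive to it. The enclosing job definitions start and end outside both hunks.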