Change harden runner egress to audit (#457)

* Specify license for multiformats deps * Specify hraden-runner egress policy to audit * ci: change engress policy to audit for license workflow
wabarc · Feb 10, 2024 · 7fe2507 · 7fe2507
1 parent 5de16ff
commit 7fe2507
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 2 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -49,6 +49,7 @@ jobs:
     with:
       language: ${{ matrix.language }}
       config-file: './.github/codeql/codeql-config.yml'
+      egress-policy: audit
 
   nancy:
     name: Sonatype Nancy
@@ -85,3 +86,4 @@ jobs:
     with:
       scan-type: 'fs'
       sarif: 'filesystem.sarif'
+      egress-policy: audit
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -99,6 +99,7 @@ jobs:
       go-mips64: ${{ matrix.mips64 }}
       go-mipsle: ${{ matrix.mipsle }}
       artifact-path: ./build/binary/wayback*
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -122,6 +123,7 @@ jobs:
       go-arch: ${{ matrix.arch }}
       go-arm: ${{ matrix.arm }}
       artifact-path: build/package/wayback*.deb
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -132,6 +134,7 @@ jobs:
       product: wayback
       params: 'make rpm'
       artifact-path: build/package/wayback*.rpm
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -145,6 +148,7 @@ jobs:
         build/aur/.SRCINFO
         build/aur/PKGBUILD
         build/aur/wayback*.pkg.tar.zst
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -155,6 +159,7 @@ jobs:
       product: wayback
       channel: edge
       publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
       snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -167,5 +172,6 @@ jobs:
       version: edge
       params: 'make build'
       artifact-path: org.wabarc.wayback-*.x86_64.flatpak
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -54,7 +54,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
@@ -201,7 +201,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443

diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -26,3 +26,5 @@ jobs:
   license:
     name: License Checker
     uses: wabarc/.github/.github/workflows/reusable-license.yml@main
+    with:
+      egress-policy: audit
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -29,6 +29,8 @@ jobs:
   golangci:
     name: golangci-lint
     uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+    with:
+      egress-policy: audit
 
   shellcheck:
     name: ShellCheck

diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -45,3 +45,14 @@ header:
     - 'mkdocs.yml'
 
   comment: on-failure
+
+dependency:
+  files:
+    - go.mod
+  licenses:
+    - name: github.com/multiformats/go-base36
+      version: v0.2.0
+      license: Apache-2.0 OR MIT
+    - name: github.com/multiformats/go-multicodec
+      version: v0.9.0
+      license: Apache-2.0 OR MIT