diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
index 8238a5be..9bbf6629 100644
--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -49,6 +49,7 @@ jobs:
 with:
 language: ${{ matrix.language }}
 config-file: './.github/codeql/codeql-config.yml'
+ egress-policy: audit
 nancy:
 name: Sonatype Nancy
@@ -85,3 +86,4 @@ jobs:
 with:
 scan-type: 'fs'
 sarif: 'filesystem.sarif'
+ egress-policy: audit
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 40eed65f..0d0bd04a 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -99,6 +99,7 @@ jobs:
 go-mips64: ${{ matrix.mips64 }}
 go-mipsle: ${{ matrix.mipsle }}
 artifact-path: ./build/binary/wayback*
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
@@ -122,6 +123,7 @@ jobs:
 go-arch: ${{ matrix.arch }}
 go-arm: ${{ matrix.arm }}
 artifact-path: build/package/wayback*.deb
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
@@ -132,6 +134,7 @@ jobs:
 product: wayback
 params: 'make rpm'
 artifact-path: build/package/wayback*.rpm
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
@@ -145,6 +148,7 @@ jobs:
 build/aur/.SRCINFO
 build/aur/PKGBUILD
 build/aur/wayback*.pkg.tar.zst
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
@@ -155,6 +159,7 @@ jobs:
 product: wayback
 channel: edge
 publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -167,5 +172,6 @@ jobs:
 version: edge
 params: 'make build'
 artifact-path: org.wabarc.wayback-*.x86_64.flatpak
+ egress-policy: audit
 secrets:
 wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
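Review bot: The `egress-policy: audit` input added in the builder.yml hunk at -155 goes to a job that also receives `secrets.SNAPCRAFT_TOKEN` and publishes on push, so in audit mode outbound traffic from the job holding a publishing credential is recorded but not restricted. The other five builder.yml hunks pass the same value alongside `secrets.WAYBACK_IPFS_APIKEY`, and both analysis.yml hunks repeat it. If the called workflows forward this input to a harden-runner step (not visible here), consider `egress-policy: block` with an endpoint allow-list for at least the publishing job once the audit output has been reviewed. A comment on the first occurrence, such as `# audit: egress is logged only, not blocked`, would make clear that this is a monitoring setting rather than an enforcement one. Each job definition starts and ends outside its hunk.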
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 05a06f70..549ab2e5 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
 with:
- egress-policy: block
+ egress-policy: audit
 disable-telemetry: true
 allowed-endpoints: >
 ghcr.io:443
@@ -201,7 +201,7 @@ jobs:
 - name: Harden Runner
 uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
 with:
- egress-policy: block
+ egress-policy: audit
 disable-telemetry: true
 allowed-endpoints: >
 ghcr.io:443
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
index 484ca9b8..f26f3c2d 100644
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -26,3 +26,5 @@ jobs:
 license:
 name: License Checker
 uses: wabarc/.github/.github/workflows/reusable-license.yml@main
+ with:
+ egress-policy: audit
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 63ac71c9..129af4e1 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -29,6 +29,8 @@ jobs:
 golangci:
 name: golangci-lint
 uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+ with:
+ egress-policy: audit
 shellcheck:
 name: ShellCheck
diff --git a/.licenserc.yaml b/.licenserc.yaml
index 8525e8f8..453834ce 100644
--- a/.licenserc.yaml
+++ b/.licenserc.yaml
@@ -45,3 +45,14 @@ header:
 - 'mkdocs.yml'
 comment: on-failure
+
+dependency:
+ files:
+ - go.mod
+ licenses:
+ - name: github.com/multiformats/go-base36
+ version: v0.2.0
+ license: Apache-2.0 OR MIT
+ - name: github.com/multiformats/go-multicodec
+ version: v0.9.0
+ license: Apache-2.0 OR MIT
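Review bot: Switching the Harden Runner step at -54 (and identically at -201) from `egress-policy: block` to `egress-policy: audit` stops enforcement of the `allowed-endpoints` list that follows it. In audit mode outbound connections are logged but not denied, so the list no longer limits what a build step in this image-publishing workflow can reach. If the change was made because a required host was being blocked, adding that host to `allowed-endpoints` and keeping `block` preserves the control. Otherwise a comment such as `# temporarily audit: <reason>; restore block once endpoints are confirmed` would keep the downgrade tracked. Both steps continue outside their hunks.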
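Review bot: The new `with:` / `egress-policy: audit` input in license.yml is passed to `wabarc/.github/.github/workflows/reusable-license.yml@main`, a mutable branch reference, so whether the input is declared and what it does depends on whatever `main` holds when the job runs. The linter.yml hunk has the same issue with `reusable-golangci.yml@main`. Pinning both to a full commit SHA that declares the input, as docker.yml already does for harden-runner, would fix the behaviour under review: `uses: wabarc/.github/.github/workflows/reusable-license.yml@<commit-sha>`, where `<commit-sha>` is a placeholder.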
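Review bot: The two entries added under `dependency.licenses` in .licenserc.yaml declare `Apache-2.0 OR MIT` by hand for fixed versions, with nothing recording where that was verified. The declaration presumably stands in for automatic detection, so an unverified value would pass the license check unnoticed. A comment above the list would help, for example `# declared manually; checked against the upstream LICENSE files at the listed tags`. It should also say that the entries need re-checking whenever go.mod moves either module off `v0.2.0` or `v0.9.0`.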