feat(security): block mode for hardened runners (#10482)

2026-04-15 00:57:55 +00:00 · 2026-03-27 12:08:59 +00:00
parent f75ce7b4dd
commit 417be55604
25 changed files with 315 additions and 81 deletions
--- a/.github/workflows/sdk-codeql.yml
+++ b/.github/workflows/sdk-codeql.yml
@@ -48,10 +48,14 @@ jobs:
          - 'python'

    steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            uploads.github.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2