Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible security improvement in gem push task "Harden Runner" section #17

Open
keithrbennett opened this issue Nov 22, 2024 · 0 comments
Open

Possible security improvement in gem push task "Harden Runner" section #17

keithrbennett opened this issue Nov 22, 2024 · 0 comments

Comments

@keithrbennett
Copy link

I ran gem exec configure_trusted_publisher rubygem on my gem, and saw a suggestion on the task monitoring web site to slightly modify the "Harden Runner" section of the workflow specification for improved security...

From:

      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit

To:

      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            index.rubygems.org:443
            objects.githubusercontent.com:443
            rubygems.org:443

Might this be a better configuration to generate? I would be happy to offer a pull request if that would be helpful.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@keithrbennett