From 630493b13cbd38b78b3a1753b4583b63ff1632fa Mon Sep 17 00:00:00 2001
From: George Adams
Date: Fri, 26 Apr 2024 15:15:33 +0100
Subject: [PATCH] Add hardened runner config for cacert publish workflow (#884)

---
 .github/workflows/cacert-publish.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/cacert-publish.yml b/.github/workflows/cacert-publish.yml
index c0182d02f..0de06888f 100644
--- a/.github/workflows/cacert-publish.yml
+++ b/.github/workflows/cacert-publish.yml
@@ -22,7 +22,20 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            adoptium.jfrog.io:443
+            api.github.com:443
+            auth.docker.io:443
+            deb.debian.org:80
+            github.com:443
+            objects.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            releases-cdn.jfrog.io:443
+            releases.jfrog.io:443
+            services.gradle.org:443
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
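Review bot: The new `allowed-endpoints` list permits plain-HTTP egress to `deb.debian.org:80` while every other entry is TLS on 443, and nothing records why; a comment on that line such as `# apt over http: package integrity relies on apt's signed Release/InRelease verification, not on transport` would make the choice deliberate rather than an oversight. Because `egress-policy: block` fails the step on any unlisted host, a line above the list like `# every host the publish job contacts must be listed here, otherwise the runner blocks it` would save the next person who adds a dependency a puzzling failure. `disable-sudo: true` will break any later step that shells out to sudo (an `apt-get install`, for example); those steps are outside this hunk, so this is worth confirming against the rest of the workflow. The folded scalar `>` keeps a trailing newline in the value; `>-` is the tidier form, though harden-runner appears to accept either. The hunk header counts 20 new lines but 19 are visible, so its final context line appears to fall outside this excerpt.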