Harden runner egress policy improvement (#482)

* Specify license for multiformats deps * Specify hraden-runner egress policy to audit * ci: change engress policy to audit for license workflow * Bump snap core18 to core20, relates to https://github.com/snapcore/snapcraft/releases/tag/8.0.0 * ci: enable actions permission for trivy job to make runner green * ci: change engress policy to audit for trivy jobs
wabarc · Feb 11, 2024 · f54c4fa · f54c4fa
1 parent 5de16ff
commit f54c4fa
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 12 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -49,6 +49,7 @@ jobs:
     with:
       language: ${{ matrix.language }}
       config-file: './.github/codeql/codeql-config.yml'
+      egress-policy: audit
 
   nancy:
     name: Sonatype Nancy
@@ -85,3 +86,4 @@ jobs:
     with:
       scan-type: 'fs'
       sarif: 'filesystem.sarif'
+      egress-policy: audit
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -99,6 +99,7 @@ jobs:
       go-mips64: ${{ matrix.mips64 }}
       go-mipsle: ${{ matrix.mipsle }}
       artifact-path: ./build/binary/wayback*
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -122,6 +123,7 @@ jobs:
       go-arch: ${{ matrix.arch }}
       go-arm: ${{ matrix.arm }}
       artifact-path: build/package/wayback*.deb
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -132,6 +134,7 @@ jobs:
       product: wayback
       params: 'make rpm'
       artifact-path: build/package/wayback*.rpm
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -145,6 +148,7 @@ jobs:
         build/aur/.SRCINFO
         build/aur/PKGBUILD
         build/aur/wayback*.pkg.tar.zst
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
 
@@ -153,8 +157,9 @@ jobs:
     uses: wabarc/.github/.github/workflows/reusable-builder-snap.yml@main
     with:
       product: wayback
-      channel: edge
+      channel: stable
       publish: ${{ github.repository == 'wabarc/wayback' && github.event_name == 'push' }}
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
       snapcraft-token: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -167,5 +172,6 @@ jobs:
       version: edge
       params: 'make build'
       artifact-path: org.wabarc.wayback-*.x86_64.flatpak
+      egress-policy: audit
     secrets:
       wayback-ipfs-apikey: ${{ secrets.WAYBACK_IPFS_APIKEY }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -54,13 +54,13 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             docker.io:443
             auth.docker.io:443
             index.docker.io:443
@@ -201,14 +201,14 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
         with:
-          egress-policy: block
+          egress-policy: audit
           disable-telemetry: true
           allowed-endpoints: >
             ghcr.io:443
             github.com:443
             api.github.com:443
             docker.io:443
-            pkg-containers.githubusercontent.com:443
+            *.githubusercontent.com
             auth.docker.io:443
             registry-1.docker.io:443
             production.cloudflare.docker.com:443
@@ -331,11 +331,12 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
       sarif: 'container-standalone.sarif'
+      egress-policy: 'audit'
 
   trivy-bundle:
     name: Trivy for bundle
@@ -344,8 +345,9 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     with:
       scan-type: 'image'
       image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
       sarif: 'container-bundle.sarif'
+      egress-policy: 'audit'
diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -26,3 +26,5 @@ jobs:
   license:
     name: License Checker
     uses: wabarc/.github/.github/workflows/reusable-license.yml@main
+    with:
+      egress-policy: audit
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -29,6 +29,8 @@ jobs:
   golangci:
     name: golangci-lint
     uses: wabarc/.github/.github/workflows/reusable-golangci.yml@main
+    with:
+      egress-policy: audit
 
   shellcheck:
     name: ShellCheck

diff --git a/.licenserc.yaml b/.licenserc.yaml
@@ -45,3 +45,14 @@ header:
     - 'mkdocs.yml'
 
   comment: on-failure
+
+dependency:
+  files:
+    - go.mod
+  licenses:
+    - name: github.com/multiformats/go-base36
+      version: v0.2.0
+      license: Apache-2.0 OR MIT
+    - name: github.com/multiformats/go-multicodec
+      version: v0.9.0
+      license: Apache-2.0 OR MIT
diff --git a/snapcraft.yaml b/snapcraft.yaml
@@ -12,23 +12,34 @@ description: |
   A toolkit for snapshot webpage to the Wayback Machine.
   Website https://github.com/wabarc/wayback
 
-base: core18
+base: core20
 grade: stable
 confinement: strict
 compression: lzo
+
 architectures:
-  #- build-on: [i386, amd64, arm64, armhf, ppc64el, s390x]
-  - build-on: amd64
+  - amd64
+  - arm64
+  - armhf
+  - i386
 
 parts:
   wayback:
     plugin: go
     source: https://github.com/wabarc/wayback.git
-    go-importpath: github.com/wabarc/wayback/cmd/wayback
+    override-build: |
+      make build
+      install $SNAPCRAFT_PART_BUILD/build/binary/wayback -D $SNAPCRAFT_PART_INSTALL/bin/wayback
+      mkdir -p $SNAPCRAFT_PART_INSTALL/bin
+      if [ ! -e $SNAPCRAFT_PART_INSTALL/bin/wayback ]; then
+        ln -s $SNAPCRAFT_PART_INSTALL/bin/wayback $SNAPCRAFT_PART_INSTALL/bin/wayback
+      fi
+    build-packages:
+      - build-essential
 
 apps:
   wayback:
-    command: wayback
+    command: bin/wayback
     plugs:
       - home
       - network