Prepare universal workflow

2025-05-30 22:56:56 +02:00 · 2024-02-08 13:35:09 +09:00 · 2024-02-08 13:35:09 +09:00 · e6c8162ecb
commit e6c8162ecb
parent b3595fe39d
1 changed files with 23 additions and 4 deletions
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@ -33,6 +33,8 @@ jobs:
  init_build:
    name: Initialize build
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    outputs:
      os: ${{ steps.os.outputs.list }}
      database: ${{ steps.database.outputs.list }}
@ -40,8 +42,6 @@ jobs:
      is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
      current_branch: ${{ steps.branch_info.outputs.current_branch }}
      branch: ${{ steps.branch_info.outputs.branch }}
-    permissions:
-      contents: read
    steps:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@ -128,7 +128,23 @@ jobs:
      - name: Block egress traffic
        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
        with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            auth.docker.io:443
+            dl-cdn.alpinelinux.org:443
+            github.com:443
+            index.docker.io:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
+            yum.oracle.com:443
+            archive.ubuntu.com:80
+            ports.ubuntu.com:80
+            security.ubuntu.com:80
+            mirrors.centos.org:443
+            quay.io:443
+            mirror.rackspace.com:443

      - name: Checkout repository
        uses: actions/checkout@v4
@ -176,7 +192,6 @@ jobs:
          flavor: |
            latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}

-
      - name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push
        id: docker_build
        uses: docker/build-push-action@v5
@ -223,6 +238,8 @@ jobs:

      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@ -326,6 +343,8 @@ jobs:

      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3