diff --git a/.github/workflows/images_build.yml b/.github/workflows/images_build.yml
index 8f19600a4..894f26ed3 100644
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@@ -33,6 +33,8 @@ jobs:
 init_build:
 name: Initialize build
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 outputs:
 os: ${{ steps.os.outputs.list }}
 database: ${{ steps.database.outputs.list }}
@@ -40,8 +42,6 @@ jobs:
 is_default_branch: ${{ steps.branch_info.outputs.is_default_branch }}
 current_branch: ${{ steps.branch_info.outputs.current_branch }}
 branch: ${{ steps.branch_info.outputs.branch }}
- permissions:
- contents: read
 steps:
 - name: Block egress traffic
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -128,7 +128,23 @@ jobs:
 - name: Block egress traffic
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ auth.docker.io:443
+ dl-cdn.alpinelinux.org:443
+ github.com:443
+ index.docker.io:443
+ production.cloudflare.docker.com:443
+ registry-1.docker.io:443
+ yum.oracle.com:443
+ archive.ubuntu.com:80
+ ports.ubuntu.com:80
+ security.ubuntu.com:80
+ mirrors.centos.org:443
+ quay.io:443
+ mirror.rackspace.com:443
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -176,7 +192,6 @@ jobs:
 flavor: |
 latest=${{ (needs.init_build.outputs.current_branch != 'trunk') && (matrix.os == 'alpine') && ( needs.init_build.outputs.is_default_branch == 'true' ) }}
-
 - name: Build ${{ env.BASE_BUILD_NAME }}/${{ matrix.os }} and push
 id: docker_build
 uses: docker/build-push-action@v5
@@ -223,6 +238,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
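Review bot: Three of the newly allowed endpoints in the `@@ -128` hunk — `archive.ubuntu.com:80`, `ports.ubuntu.com:80`, `security.ubuntu.com:80` — are permitted on port 80 only, so those package fetches leave the runner as plaintext HTTP with no TLS authentication of the mirror; apt's signature verification still covers package integrity, but if these mirrors are reachable on 443 the entries should be `archive.ubuntu.com:443` (and likewise for the other two), and if port 80 is genuinely required a comment above them should say why. The list also carries no record of which build step needs which host, which makes later pruning guesswork; a comment such as `# keep in sync with the base-image package sources and registry pulls used by this job's build steps` above `allowed-endpoints: >` would at least anchor that. Note that `disable-sudo: true` will fail any later step in this job that invokes sudo, which cannot be checked here because the enclosing job and its remaining steps lie outside the hunk.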
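Review bot: `fetch-depth: 1` is already the default for `actions/checkout@v4`, so the `with:` block added in the `@@ -223` hunk and again in the `@@ -326` hunk changes nothing at runtime; if the intent is to make the shallow clone explicit, a comment above `with:` such as `# shallow clone is intentional: the build only needs the working tree at HEAD` conveys that without implying a behavior change. Since this step is being touched anyway, `actions/checkout` remains pinned to the floating tag `@v4` while the harden-runner step in the same file is pinned to a commit SHA with a version comment; pinning checkout the same way, `uses: actions/checkout@<commit-sha placeholder> # v4.x`, would keep the workflow's pinning policy consistent. The enclosing jobs for both hunks start outside the visible lines.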
@@ -326,6 +343,8 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3