Skip to content

ci: switch Harden-Runner from audit to block mode in all workflows#2340

Open
itsfarhan wants to merge 7 commits into
k8gb-io:masterfrom
itsfarhan:fix/egress-policy-block
Open

ci: switch Harden-Runner from audit to block mode in all workflows#2340
itsfarhan wants to merge 7 commits into
k8gb-io:masterfrom
itsfarhan:fix/egress-policy-block

Conversation

@itsfarhan

@itsfarhan itsfarhan commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

Switch all GitHub Actions workflows from egress-policy: audit to egress-policy: block with explicit allowlists.

Updated 16 workflows to use egress-policy: block:

  • build.yml
  • chainsaw.yaml
  • changelog_pr.yaml
  • codeql-analysis.yml
  • curldemo.yaml
  • cut_release.yaml
  • fossa.yml
  • gh-pages.yaml
  • helm_check-values-schema.yaml
  • helm_docs.yaml
  • helm_publish.yaml
  • helm_sign_oci.yaml
  • olm_pr.yaml
  • release.yaml
  • terratest.yaml
  • upgrade-testing.yaml

each workflow now has explicit allowed endpoints list for required outbound connections.

Test:

  • Verify workflows run successfully with block policy
  • Monitor for any blocked connections that should be allowed

Fixes: #2302
Issue Ref: #2294

HOW TO RUN CI ---

By default, all the checks will be run automatically. Furthermore, when changing website-related stuff, the preview will be generated by the netlify bot.

Heavy tests

Add the heavy-tests label on this PR if you want full-blown tests that include more than 2-cluster scenarios.

Debug tests

If the test suite is failing for you, you may want to try triggering Re-run all jobs (top right) with debug logging enabled. It will also make the print debug action more verbose.

Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
@netlify

netlify Bot commented Apr 26, 2026

Copy link
Copy Markdown

Deploy Preview for k8gb-preview ready!

Name Link
🔨 Latest commit 253787c
🔍 Latest deploy log https://app.netlify.com/projects/k8gb-preview/deploys/69f39a20e3c8830008d9fa7c
😎 Deploy Preview https://deploy-preview-2340--k8gb-preview.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@ytsarev ytsarev left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inline review comments for the block-mode endpoint allowlists. The common reference behind these suggestions is the Harden Runner block-mode documentation, which explains that outbound traffic is restricted to allowed-endpoints and shows endpoint entries in host:port form, for example api.github.com:443: https://docs.stepsecurity.io/harden-runner/workflow-runs#filter-outbound-network-traffic-to-allowed-endpoints

Comment thread .github/workflows/build.yml Outdated
Comment thread .github/workflows/codeql-analysis.yml Outdated
Comment thread .github/workflows/changelog_pr.yaml Outdated
Comment thread .github/workflows/helm_publish.yaml Outdated
Comment thread .github/workflows/helm_sign_oci.yaml Outdated
Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/olm_pr.yaml Outdated
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
@itsfarhan itsfarhan requested a review from ytsarev April 30, 2026 12:39
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
@itsfarhan itsfarhan marked this pull request as draft April 30, 2026 13:40
@itsfarhan itsfarhan marked this pull request as ready for review April 30, 2026 13:40
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
Signed-off-by: itsfarhan <itsmefarhan09@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Switch Harden-Runner from egress-policy: audit to block in CI workflow

2 participants