Update GHA allowlists

[veikkoeeva]

dotnet/core#9671

[richlander]

Hi. Can you tell me what this change will do? It would be great to see the change to see if it applies to more use cases.

It sounds like you are going to change which domains a GH Action can access? Or am I reading too much into the issue title?

[richlander]

Ah, is this it?

• https://github.com/step-security/harden-runner?tab=readme-ov-file#filter-outbound-network-traffic-to-allowed-endpoints

• Verifiable/.github/workflows/main.yml

  Lines 61 to 76 in a364796

  	- name: Harden Runner
  	if: ${{ matrix.os == 'ubuntu-latest' }}
  	uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
  	with:
  	disable-sudo: true
  	egress-policy: block
  	allowed-endpoints: >
  	dotnetbuilds.azureedge.net:443
  	aka.ms:443
  	api.github.com:443
  	api.nuget.org:443
  	pkgs.dev.azure.com:443
  	dashboard.stryker-mutator.io:443
  	dotnetcli.azureedge.net:443
  	github.com:443
  	nuget.pkg.github.com:443

[veikkoeeva]

Ah, is this it?

* https://github.com/step-security/harden-runner?tab=readme-ov-file#filter-outbound-network-traffic-to-allowed-endpoints

* https://github.com/Lumoin/Verifiable/blob/a3647961b4b3f964c33093147a1c9427c1bec801/.github/workflows/main.yml#L61-L76

Yes this is it. :)

Now that I remember, probably I should also check https://github.com/Lumoin/Verifiable/blob/main/NuGet.config too.

I will late introduce more security measures for commits and releases, but likely they are not affected by this.

[richlander]

Got it. Thanks for the clarification.

We are changing Actions now so next time you update, you'll want to update your allow list.