meta: update scorecard egress-policy from audit to block #61738
Ronitsabhaya75 wants to merge 1 commit into nodejs:main from
Review requested: /cc @mateonunez
| uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1 | ||
| with: | ||
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
| egress-policy: block |
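Review bot: the `with:` block on the changed lines switches to `egress-policy: block` but adds no `allowed-endpoints:` input, so enforcement depends entirely on the endpoint set harden-runner recorded during the audit runs; any endpoint the scorecard job contacts for the first time after this change will be blocked and the job will fail. Suggest adding an explicit `allowed-endpoints:` list (host:port entries taken from the audit reports) directly under `egress-policy: block`, so the permitted set is visible and reviewable in the workflow file rather than held only in the action's audit history. The removed `# TODO` comment was the only note explaining the audit-then-block plan; a one-line comment pointing at the source of the allowed list would preserve that context.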
Hey @Ronitsabhaya75, as we transition from audit to block mode, we must ensure the allowed-endpoints list is exhaustive to avoid breaking the CI pipeline.
@mateonunez Good point! Since we've run in audit mode since November 2025, harden-runner has auto-detected the required endpoints and will allow them in block mode. Let me know if you'd prefer an explicit allowed-endpoints list for clarity.
I also think it is better to have an explicit allowed-endpoints list for clarity. What do you think, @aduh95?
@mateonunez I think it would be better to have explicit conditions, so that we can use audit and, in the meantime, if a condition fails then we can block.
Updates the OpenSSF Scorecard workflow to enforce stricter egress control by changing the `harden-runner` policy from `audit` to `block`.
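The thread above asks for an explicit allowed-endpoints list alongside block mode. The step below is an added example, not the nodejs workflow or code from this PR: it keeps the pinned `step-security/harden-runner` version from the diff and shows the shape of the `allowed-endpoints` input. The three host:port entries are an assumption for illustration only; the real list for the scorecard job has to be taken from the audit-mode run reports, which are not on this page.

```yaml
# Added example (not from the nodejs PR): harden-runner in block mode with an
# explicit, reviewable allow-list instead of relying on the audit history alone.
- name: Harden runner
  uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
  with:
    egress-policy: block
    # Assumed placeholder entries. Replace with the host:port pairs observed
    # in the audit-mode reports for this workflow before enabling block mode.
    allowed-endpoints: >
      api.github.com:443
      github.com:443
      api.osv.dev:443
```

With the allow-list in the workflow file, a new outbound destination shows up as a reviewable diff to `allowed-endpoints` rather than as a silently learned endpoint, and a blocked connection in CI points directly at the entry that is missing.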