Follow up for pr#407 (#414)

* Disable sudo and configure egress rules for aws-auth * Disable sudo and configure egress rules for release drafter * Disable sudo and configure egress rules for dependabot auto-approve * Disable sudo and configure egress rules for codeql * Disable sudo and configure egress rules for update-release * Add yaml-language-server schema annotation for dependabot config * Configure commit prefixes for dependabot * Exclude step-security-bot from release notes appreciation * Exclude "Chore" PRs from enhancement label
usdigitalresponse · Oct 17, 2023 · 8e9473f · 8e9473f
1 parent d4588a8
commit 8e9473f
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 10 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,3 +1,5 @@
+# yaml-language-server: $schema=https://json.schemastore.org/dependabot-2.0.json
+
 # Please see the documentation for all configuration options:
 # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
 
@@ -7,11 +9,17 @@ updates:
     directory: /
     schedule:
       interval: daily
+    commit-message:
+      prefix: 'Chore [deps:gomod]'
   - package-ecosystem: terraform
     directory: /terraform
     schedule:
       interval: daily
+    commit-message:
+      prefix: 'Chore [deps:terraform]'
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: daily
+    commit-message:
+      prefix: 'Chore [deps:github-actions]'
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -32,6 +32,7 @@ exclude-labels:
 exclude-contributors:
   - dependabot
   - 'dependabot[bot]'
+  - step-security-bot
 autolabeler:
   - label: go
     files:
@@ -68,8 +69,8 @@ autolabeler:
       - '/^feat(ures?)?\/.+$/i'
       - '/^enhance(s|ments?)?\/.+$/i'
     title:
-      - '/\bfeat(ure)?\b/i'
-      - '/\benhance(s|ment)?\b/i'
+      - '/\b(?<!^chores?\b.*)feat(ures?)?\b/i'
+      - '/\b(?<!^chores?\b.*)enhance(s|ment)?\b/i'
   - label: github
     files:
       - '.github/**'

diff --git a/.github/workflows/aws-auth.yml b/.github/workflows/aws-auth.yml
@@ -38,7 +38,9 @@ jobs:
       - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            sts.us-west-2.amazonaws.com:443
       - id: auth
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:

diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -43,7 +43,14 @@ jobs:
       - uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           show-progress: 'false'

diff --git a/.github/workflows/dependabot-auto-approve.yml b/.github/workflows/dependabot-auto-approve.yml
@@ -16,8 +16,10 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
-          egress-policy: audit
-
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
       - name: Dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0

diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -121,8 +121,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
-          egress-policy: audit
-
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Get release notes
         id: get

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -20,8 +20,11 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
-          egress-policy: audit
-
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: "Determine next version"
         id: next_version