diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index e08d5ed..f537c9a 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -146,6 +146,13 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+ attestations: write
 needs:
 - build
 if: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index e4fdeff..484b861 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
 wait-for-build:
- name: Wait for build
+ name: Wait for deploy
 runs-on: ubuntu-latest
 steps:
 - name: Harden the runner (Audit all outbound calls)
@@ -26,11 +26,11 @@ jobs:
 index.rubygems.org:443
 rubygems.org:443
- - name: Wait for build
+ - name: Wait for deploy
 uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0
 with:
 ref: ${{ github.ref }}
- check-name: 'build'
+ check-name: 'deploy'
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 wait-interval: 15
 allowed-conclusions: success,skipped
@@ -46,19 +46,7 @@ jobs:
 name: Harden the runner (Audit all outbound calls)
 uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with:
- egress-policy: block
- allowed-endpoints: >
- api.github.com:443
- auth.docker.io:443
- files.pythonhosted.org:443
- github.com:443
- grype.anchore.io:443
- objects.githubusercontent.com:443
- production.cloudflare.docker.com:443
- pypi.org:443
- raw.githubusercontent.com:443
- registry-1.docker.io:443
- release-assets.githubusercontent.com:443
+ egress-policy: audit
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
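Review bot: `attestations: write` is granted in the new `permissions` block without the justification the adjacent comment gives for `id-token: write`, so a reader cannot tell which step consumes it; extending the comment to something like `# id-token: OIDC identity for the sigstore/fulcio challenge; attestations: upload of build provenance` would make the grant reviewable. `attestations: write` is only warranted if a provenance/attest step exists in the job body, which lies outside the hunk — confirm that before keeping it. Job-level scoping is the right direction; since `id-token: write` lets every step of `deploy` mint an OIDC token, each third-party action in this job should be pinned to a commit SHA, as the scan workflow in the same commit already does.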
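Review bot: Switching `check-name` to `'deploy'` while keeping `allowed-conclusions: success,skipped` lets the scan proceed whenever `deploy` is skipped, and the other file in this commit shows `deploy` is skipped on `pull_request` events; on such runs the scan would presumably inspect whatever image is already in the registry rather than one built from this ref. Either drop `skipped` from `allowed-conclusions` or gate this job with the same `if: ${{ github.event_name != 'pull_request' }}` — which one fits depends on the workflow's triggers, which are not visible here. The job id `wait-for-build` (hunk at @@ -12) still says build while both job and step names now say deploy; renaming it `wait-for-deploy` (and updating any `needs:` that references it, outside these hunks) keeps the file consistent.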
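Review bot: Replacing `egress-policy: block` and its `allowed-endpoints` list with `egress-policy: audit` removes the only control that confined this job's outbound traffic (registry pulls, grype database, pip) to known hosts; audit mode only logs and blocks nothing, so this is a security downgrade rather than a neutral cleanup. If the motivation was a newly required host being blocked, the harden-runner audit output names it and it can be added instead: keep `egress-policy: block` and append `<HOST_PLACEHOLDER>:443` to the `allowed-endpoints: >` list. If the downgrade is deliberate, a comment such as `# egress is audit-only for now: <REASON_PLACEHOLDER>` above the line would stop it being read as an accidental regression; the enclosing step continues past the hunk.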