diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 76c98b9..25cb32e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -36,10 +36,13 @@ jobs:
uses: ./
id: test-all
with:
+ egress-policy: audit
checkout: true
checkout-fetch-depth: 0
checkout-ref: main
checkout-token: ${{ secrets.GITHUB_TOKEN }}
+ checkout-path: '.'
+ checkout-persist: true
checkout-submodules: false
setup-java: true
java-distribution: 'temurin'
@@ -83,6 +86,7 @@ jobs:
echo "::group::Verify Node.js Outputs"
echo "Node.js Version: ${{ steps.test-all.outputs.node-version }}"
echo "Node.js Cache Hit: ${{ steps.test-all.outputs.node-cache-hit }}"
+ echo "Node.js Registry URL: ${{ steps.test-all.outputs.node-registry-url }}"
node -v
npm -v
echo "::endgroup::"
@@ -114,6 +118,25 @@ jobs:
gomplate --version
echo "::endgroup::"
+ test-egress-policy:
+ name: Test Egress Policy Input
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ id: harden-runner
+ uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+ with:
+ egress-policy: audit
+
+ - name: Checkout Repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Run Action with Explicit Egress Policy
+ uses: ./
+ id: test-egress-policy
+ with:
+ egress-policy: audit
+
test-checkout:
name: Test Checkout Action
runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 1ab9a1e..093c79c 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Common steps for initializing a job for GitHub actions. This composite action co
## Features
-- Security hardening with Step Security's Harden Runner
+- Security hardening with Step Security's Harden Runner (configurable egress policy)
- Repository checkout with configurable options
- Multi-language support (Node.js, Java, Python, Go, Rust, Swift)
- Build tool setup (Gradle, Task, gomplate)
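Review bot: The three values added to the `test-all` call — `egress-policy: audit`, `checkout-path: '.'` and `checkout-persist: true` — are exactly the action's documented defaults, so this job cannot distinguish a forwarded input from an unset one. Because the same call passes `checkout-token: ${{ secrets.GITHUB_TOKEN }}`, `checkout-persist: true` leaves that token in the checked-out repository's `.git/config` for every later step of the job; a variant that actually proves the plumbing is `checkout-persist: false` followed by a step asserting that `git config --local --get-all http.https://github.com/.extraheader` prints nothing (that is the header actions/checkout writes, as far as I recall its implementation — worth confirming). The job definition itself begins above the hunk.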
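Review bot: The added `echo "Node.js Registry URL: ${{ steps.test-all.outputs.node-registry-url }}"` expands a workflow expression straight into the shell script, so a registry URL containing `"` or `$(` would be executed rather than printed. The value is benign in this job (it comes from the action's `node-registry` input, defaulting to the npm registry per the README hunk in this same commit), and the two echo lines above it use the identical pattern, so this may be accepted project style rather than an oversight. The safer shape is an `env:` entry on the step, `NODE_REGISTRY_URL: ${{ steps.test-all.outputs.node-registry-url }}`, with `echo "Node.js Registry URL: $NODE_REGISTRY_URL"` in the script. The `run:` block this line belongs to starts before the hunk.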
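Review bot: The new `test-egress-policy` job passes `egress-policy: audit`, which is the action's default value, so a regression that silently stopped forwarding the input to harden-runner would still pass this job; the case that would actually exercise the input is `block`. A `block` job is not straightforward yet, though: in block mode harden-runner denies every outbound connection not on its `allowed-endpoints` list (unless it allows some GitHub hosts implicitly, which I have not verified), and the action.yml hunk in this commit forwards only `egress-policy`, so the action's own checkout and tool-setup steps would have no way to get `github.com:443` or the package registries allow-listed. This job also runs `step-security/harden-runner` itself and then again inside `uses: ./`; if the other test jobs do the same it is presumably tolerated, but it is worth confirming that a second invocation in one job is supported.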
@@ -25,15 +25,23 @@ Common steps for initializing a job for GitHub actions. This composite action co
### Inputs
+**Harden Runner**
+
+| Input | Description | Required | Default | Options |
+|---------------|----------------------------------------------|----------|---------|-------------------|
+| egress-policy | Egress policy to apply to the runner | No | audit | `audit`/`block` |
+
**Repository Checkout**
-| Input | Description | Required | Default | Options |
-|----------------------|----------------------------------------------------------|----------|---------|----------------------------|
-| checkout | Whether to checkout the repository | No | - | `true`/`false` |
-| checkout-ref | The branch, tag or SHA to checkout | No | - | any `branch`/`tag`/`SHA` |
-| checkout-token | Personal access token (PAT) used to fetch the repository | No | - | `Token` used for checkout |
-| checkout-fetch-depth | Depth of commit history to fetch | No | 1 | `0` (full)/`1`/`2`/... |
-| checkout-submodules | Whether to fetch submodules | No | false | `true`/`false`/`recursive` |
+| Input | Description | Required | Default | Options |
+|----------------------|------------------------------------------------------------------------------|----------|---------|----------------------------|
+| checkout | Whether to checkout the repository | No | - | `true`/`false` |
+| checkout-ref | The branch, tag or SHA to checkout | No | - | any `branch`/`tag`/`SHA` |
+| checkout-token | Personal access token (PAT) used to fetch the repository | No | - | `Token` used for checkout |
+| checkout-path | Path to checkout the repository into (relative to `${GITHUB_WORKSPACE}`) | No | `.` | any relative path |
+| checkout-fetch-depth | Depth of commit history to fetch | No | 1 | `0` (full)/`1`/`2`/...
|
+| checkout-persist | Whether to configure the token with the local git config | No | true | `true`/`false` |
+| checkout-submodules | Whether to fetch submodules | No | false | `true`/`false`/`recursive` |
**Java**
@@ -63,12 +71,13 @@ Common steps for initializing a job for GitHub actions. This composite action co
**Node.js**
-| Input | Description | Required | Default |
-|-------------------|-------------------------------------------------|----------|---------|
-| setup-node | Whether to setup Node.js | No | - |
-| node-version | Node.js version to use | No | - |
-| node-cache | Package manager for caching (npm, yarn, pnpm) | No | - |
-| node-check-latest | Whether to check for the latest Node.js version | No | - |
+| Input | Description | Required | Default |
+|-------------------|----------------------------------------------------------------------|----------|-------------------------------|
+| setup-node | Whether to setup Node.js | No | - |
+| node-version | Node.js version to use | No | - |
+| node-cache | Package manager for caching (npm, yarn, pnpm) | No | - |
+| node-check-latest | Whether to check for the latest Node.js version | No | - |
+| node-registry | Registry URL to use for Node.js package installation and publishing | No | `https://registry.npmjs.org/` |
**Python**
@@ -118,8 +127,8 @@ Common steps for initializing a job for GitHub actions. This composite action co
**Gomplate**
-| Input | Description | Required | Default |
-|----------------|--------------------------|----------|---------|
+| Input | Description | Required | Default |
+|----------------|---------------------------|----------|---------|
| setup-gomplate | Whether to setup gomplate | No | false |
> [!NOTE]
@@ -146,8 +155,10 @@ Common steps for initializing a job for GitHub actions. This composite action co
- `gradle-version`: Version of Gradle that was setup
**Node.js Outputs**
+
- `node-cache-hit`: Boolean indicating if cache was hit
- `node-version`: The installed node version
+- `node-registry-url`: The registry URL used for package installation and publishing
**Python Outputs**
@@ -221,5 +232,17 @@ Common steps for initializing a job for GitHub actions. This composite action co
python-cache: 'pip'
```
+**Blocking Egress Traffic**
+
+By default the Harden Runner step runs in `audit` mode. Set `egress-policy` to `block` to deny any
+network traffic that has not been explicitly allowed by the runner's policy.
+
+```yaml
+- uses: PandasWhoCode/initialize-github-job@v1
+ with:
+ egress-policy: 'block'
+ checkout: 'true'
+```
+
## License
This repository is licensed under the Apache 2.0 License. See the [LICENSE](LICENSE) file for details.
diff --git a/action.yml b/action.yml
index 8aea225..e0016ba 100644
--- a/action.yml
+++ b/action.yml
@@ -3,6 +3,10 @@ description: 'Common steps for initializing a job for GitHub actions'
author: 'PandasWhoCode'
inputs:
+ egress-policy:
+ description: 'Egress policy to apply to the runner (audit or block)'
+ required: false
+ default: 'audit'
checkout:
description: 'Whether to checkout the repository'
required: false
@@ -12,10 +16,18 @@ inputs:
checkout-token:
description: 'Personal access token (PAT) used to fetch the repository and set up task'
required: false
+ checkout-path:
description: 'The path to checkout the repository into (relative to ${GITHUB_WORKSPACE})'
+ required: false
+ default: '.'
checkout-fetch-depth:
description: 'Depth of commit history to fetch'
required: false
default: '1'
+ checkout-persist:
description: 'Whether to configure the token with the local git config'
+ required: false
+ default: 'true'
checkout-submodules:
description: 'Whether to checkout submodules (true/false/recursive)'
default: 'false'
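Review bot: The new `egress-policy` input is described as `audit` or `block`, but `block` is not actually usable through this action as declared: harden-runner in block mode denies every outbound connection that is not on its `allowed-endpoints` list (unless it allows some GitHub hosts implicitly, which I have not verified), and the action exposes no way for a caller to supply that list, so the action's own later checkout and tool-setup steps would have their egress denied. The input block is the natural place for a companion `allowed-endpoints` input that the harden-runner step then forwards with `allowed-endpoints: ${{ inputs.allowed-endpoints }}`; nothing here validates the `egress-policy` value either, so a typo such as `Block` reaches harden-runner untouched, which may be acceptable if harden-runner rejects it itself.

```yaml
inputs:
  # … unchanged: egress-policy input …
  allowed-endpoints:
    description: 'Newline-separated host:port endpoints to permit when egress-policy is block (forwarded to harden-runner)'
    required: false
    default: ''
```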
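Review bot: `checkout-persist` defaults to `'true'`, which matches what actions/checkout did before this input existed, but its description, `'Whether to configure the token with the local git config'`, does not tell the caller what that means: the `checkout-token` — described two entries above as a PAT — is left in the workspace's `.git/config` and is readable by every later step in the job, which is why consumers of a reusable action usually want `false` unless a later step pushes with it. Suggest `description: 'Whether to leave the checkout token in the local git config for later steps (keeps the token readable in .git/config; set to false unless a later step pushes with it)'`. The `checkout-path` input reads fine as written; whether a path escaping the workspace is rejected depends on actions/checkout's own validation, which is outside this diff.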
@@ -217,7 +229,7 @@ runs:
id: harden-runner
uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
with:
- egress-policy: audit
+ egress-policy: ${{ inputs.egress-policy }}
- name: Checkout Code Parameters
id: checkout-params
@@ -239,6 +251,8 @@ runs:
submodules: ${{ inputs.checkout-submodules }}
ref: ${{ inputs.checkout-ref }}
token: ${{ inputs.checkout-token }}
+ path: ${{ inputs.checkout-path }}
+ persist-credentials: ${{ inputs.checkout-persist }}
- name: Set Up Java Parameters
id: setup-java-params
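Review bot: `egress-policy: ${{ inputs.egress-policy }}` forwards the caller's choice, but the harden-runner step still receives no `allowed-endpoints`, so a caller selecting `block` — the case the README in this commit now advertises — has every outbound connection of the remaining composite steps denied, including the checkout later in this `runs:` block and the tool installs, unless harden-runner allows those hosts implicitly, which I have not verified. If an `allowed-endpoints` input is added to the action, forward it here as `allowed-endpoints: ${{ inputs.allowed-endpoints }}`; until then the README's `block` example should carry a warning that it will block the action's own steps. The step's `- name:` line and the start of the `runs:` block are above the hunk.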