From 099b5d6742745a26b449263c4df294edd91ade96 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 19 May 2026 14:25:55 -0500 Subject: [PATCH 1/2] feat: Update inputs for egress policy and additional checkout options Signed-off-by: Roger Barker --- .github/workflows/test.yml | 24 ++++++++++++++++ README.md | 56 +++++++++++++++++++++++++++----------- action.yml | 19 ++++++++++++- 3 files changed, 82 insertions(+), 17 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 76c98b9..21e66f8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -36,10 +36,13 @@ jobs: uses: ./ id: test-all with: + egress-policy: audit checkout: true checkout-fetch-depth: 0 checkout-ref: main checkout-token: ${{ secrets.GITHUB_TOKEN }} + checkout-path: '.' + checkout-persist: true checkout-submodules: false setup-java: true java-distribution: 'temurin' @@ -66,6 +69,7 @@ jobs: echo "::group::Verify Checkout Outputs" echo "Checkout Ref: ${{ steps.test-all.outputs.checkout-ref }}" echo "Checkout Commit: ${{ steps.test-all.outputs.checkout-commit }}" + echo "Checkout Path: ${{ steps.test-all.outputs.checkout-path }}" echo "::endgroup::" echo "::group::Verify Java Outputs" echo "Java Distribution: ${{ steps.test-all.outputs.java-distribution }}" @@ -83,6 +87,7 @@ jobs: echo "::group::Verify Node.js Outputs" echo "Node.js Version: ${{ steps.test-all.outputs.node-version }}" echo "Node.js Cache Hit: ${{ steps.test-all.outputs.node-cache-hit }}" + echo "Node.js Registry URL: ${{ steps.test-all.outputs.node-registry-url }}" node -v npm -v echo "::endgroup::" 
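Review bot: The values the `test-all` job passes for the new inputs are the same as the defaults declared in action.yml (`checkout-persist: true`, `egress-policy: audit`), so a regression in which the input is not forwarded to `actions/checkout` or `harden-runner` would still pass; the `test-egress-policy` job added in the later `@@ -114` hunk of this file has the same gap, since it also sends `audit`. A variant job that sets `checkout-persist: false` and then verifies the checkout holds no persisted credential would pin the non-default path, e.g. a step running `git config --get-all http.https://github.com/.extraheader && exit 1 || echo "no persisted credential"` (the key name is the one actions/checkout writes; confirm against the checkout version in use).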
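Review bot: The new echo line reads `steps.test-all.outputs.node-registry-url`, but none of the action.yml hunks in this patch add a `node-registry` input or a `node-registry-url` output — the shown hunks cover only the egress and checkout changes, and the diffstat for action.yml is consistent with that. Unless action.yml already declares them, this line and the `node-registry` row added to the README's Node.js table refer to an output that does not exist, and an unknown step output expands to an empty string rather than failing the job, so the test would not notice. Confirm the output is declared on the current action.yml, or drop the echo and the README row until the input lands.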
@@ -114,6 +119,25 @@ jobs: gomplate --version echo "::endgroup::" + test-egress-policy: + name: Test Egress Policy Input + runs-on: ubuntu-latest + steps: + - name: Harden Runner + id: harden-runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + egress-policy: audit + + - name: Checkout Repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Run Action with Explicit Egress Policy + uses: ./ + id: test-egress-policy + with: + egress-policy: audit + test-checkout: name: Test Checkout Action runs-on: ubuntu-latest diff --git a/README.md b/README.md index 1ab9a1e..9105b9a 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Common steps for initializing a job for GitHub actions. This composite action co ## Features -- Security hardening with Step Security's Harden Runner +- Security hardening with Step Security's Harden Runner (configurable egress policy) - Repository checkout with configurable options - Multi-language support (Node.js, Java, Python, Go, Rust, Swift) - Build tool setup (Gradle, Task, gomplate) 
@@ -25,15 +25,23 @@ Common steps for initializing a job for GitHub actions. This composite action co ### Inputs +**Harden Runner** + +| Input | Description | Required | Default | Options | +|---------------|----------------------------------------------|----------|---------|-------------------| +| egress-policy | Egress policy to apply to the runner | No | audit | `audit`/`block` | + **Repository Checkout** -| Input | Description | Required | Default | Options | -|----------------------|----------------------------------------------------------|----------|---------|----------------------------| -| checkout | Whether to checkout the repository | No | - | `true`/`false` | -| checkout-ref | The branch, tag or SHA to checkout | No | - | any `branch`/`tag`/`SHA` | -| checkout-token | Personal access token (PAT) used to fetch the repository | No | - | `Token` used for checkout | -| checkout-fetch-depth | Depth of commit history to fetch | No | 1 | `0` (full)/`1`/`2`/... | -| checkout-submodules | Whether to fetch submodules | No | false | `true`/`false`/`recursive` | +| Input | Description | Required | Default | Options | +|----------------------|------------------------------------------------------------------------------|----------|---------|----------------------------| +| checkout | Whether to checkout the repository | No | - | `true`/`false` | +| checkout-ref | The branch, tag or SHA to checkout | No | - | any `branch`/`tag`/`SHA` | +| checkout-token | Personal access token (PAT) used to fetch the repository | No | - | `Token` used for checkout | +| checkout-path | Path to checkout the repository into (relative to `${GITHUB_WORKSPACE}`) | No | `.` | any relative path | +| checkout-fetch-depth | Depth of commit history to fetch | No | 1 | `0` (full)/`1`/`2`/... 
| +| checkout-persist | Whether to configure the token with the local git config | No | true | `true`/`false` | +| checkout-submodules | Whether to fetch submodules | No | false | `true`/`false`/`recursive` | **Java** @@ -63,12 +71,13 @@ Common steps for initializing a job for GitHub actions. This composite action co **Node.js** -| Input | Description | Required | Default | -|-------------------|-------------------------------------------------|----------|---------| -| setup-node | Whether to setup Node.js | No | - | -| node-version | Node.js version to use | No | - | -| node-cache | Package manager for caching (npm, yarn, pnpm) | No | - | -| node-check-latest | Whether to check for the latest Node.js version | No | - | +| Input | Description | Required | Default | +|-------------------|----------------------------------------------------------------------|----------|-------------------------------| +| setup-node | Whether to setup Node.js | No | - | +| node-version | Node.js version to use | No | - | +| node-cache | Package manager for caching (npm, yarn, pnpm) | No | - | +| node-check-latest | Whether to check for the latest Node.js version | No | - | +| node-registry | Registry URL to use for Node.js package installation and publishing | No | `https://registry.npmjs.org/` | **Python** @@ -118,8 +127,8 @@ Common steps for initializing a job for GitHub actions. This composite action co **Gomplate** -| Input | Description | Required | Default | -|----------------|--------------------------|----------|---------| +| Input | Description | Required | Default | +|----------------|---------------------------|----------|---------| | setup-gomplate | Whether to setup gomplate | No | false | > [!NOTE] 
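Review bot: The description of `checkout-persist` in the new table row, "Whether to configure the token with the local git config", does not tell a reader what that implies: when it is `true` (the default, matching actions/checkout) the `checkout-token`, or the job's `GITHUB_TOKEN` when none is supplied, remains in the checkout's git config for every later step of the job, including third-party actions. Suggest wording the row as "Whether to keep the checkout token in the local git config for later steps; set to `false` unless a later step needs to push or fetch with it", and using the same wording for the `checkout-persist` input description in the `@@ -12` hunk of action.yml.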
@@ -131,6 +140,7 @@ Common steps for initializing a job for GitHub actions. This composite action co - `checkout-ref`: The branch, tag or SHA that was checked out - `checkout-commit`: The commit SHA that was checked out +- `checkout-path`: The path that the repository was checked out into (relative to `$GITHUB_WORKSPACE`) **Java Outputs** @@ -146,8 +156,10 @@ Common steps for initializing a job for GitHub actions. This composite action co - `gradle-version`: Version of Gradle that was setup **Node.js Outputs** + - `node-cache-hit`: Boolean indicating if cache was hit - `node-version`: The installed node version +- `node-registry-url`: The registry URL used for package installation and publishing **Python Outputs** @@ -221,5 +233,17 @@ Common steps for initializing a job for GitHub actions. This composite action co python-cache: 'pip' ``` +**Blocking Egress Traffic** + +By default the Harden Runner step runs in `audit` mode. Set `egress-policy` to `block` to deny any +network traffic that has not been explicitly allowed by the runner's policy. + +```yaml +- uses: PandasWhoCode/initialize-github-job@v1 + with: + egress-policy: 'block' + checkout: 'true' +``` + ## License This repository is licensed under the Apache 2.0 License. See the [LICENSE](LICENSE) file for details. diff --git a/action.yml b/action.yml index 8aea225..9f80ca7 100644 --- a/action.yml +++ b/action.yml @@ -3,6 +3,10 @@ description: 'Common steps for initializing a job for GitHub actions' author: 'PandasWhoCode' inputs: + egress-policy: + description: 'Egress policy to apply to the runner (audit or block)' + required: false + default: 'audit' checkout: description: 'Whether to checkout the repository' required: false 
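Review bot: The new "Blocking Egress Traffic" section says `block` denies traffic "that has not been explicitly allowed by the runner's policy", but the action gives callers no way to set that policy: harden-runner's `allowed-endpoints` input is not exposed, and the `@@ -217` hunk of action.yml forwards only `egress-policy`. In `block` mode the `setup-*` steps inside the same composite download toolchains and packages, so they can only succeed when allowed endpoints are configured outside this action. Either add an `allowed-endpoints` input that is passed through to the Harden Runner step, or state in this section that `block` requires an externally configured policy and that the setup steps will otherwise fail on their downloads.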
@@ -12,10 +16,18 @@ inputs: checkout-token: description: 'Personal access token (PAT) used to fetch the repository and set up task' required: false + checkout-path: + description: 'The path to checkout the repository into (relative to ${GITHUB_WORKSPACE})' + required: false + default: '.' checkout-fetch-depth: description: 'Depth of commit history to fetch' required: false default: '1' + checkout-persist: + description: 'Whether to configure the token with the local git config' + required: false + default: 'true' checkout-submodules: description: 'Whether to checkout submodules (true/false/recursive)' default: 'false' @@ -148,6 +160,9 @@ outputs: checkout-commit: description: 'The commit SHA that was checked out' value: ${{ steps.checkout-code.outputs.commit }} + checkout-path: + description: 'The path that the repository was checked out into (relative to $GITHUB_WORKSPACE)' + value: ${{ steps.checkout-code.outputs.path }} java-distribution: description: 'Distribution of Java that has been installed' value: ${{ steps.setup-java.outputs.distribution }} @@ -217,7 +232,7 @@ runs: id: harden-runner uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 with: - egress-policy: audit + egress-policy: ${{ inputs.egress-policy }} - name: Checkout Code Parameters id: checkout-params @@ -239,6 +254,8 @@ runs: submodules: ${{ inputs.checkout-submodules }} ref: ${{ inputs.checkout-ref }} token: ${{ inputs.checkout-token }} + path: ${{ inputs.checkout-path }} + persist-credentials: ${{ inputs.checkout-persist }} - name: Set Up Java Parameters id: setup-java-params From 5b8edc9a3dcd6f89ec2433b7af57aff15a0e6c2f Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 19 May 2026 14:57:39 -0500 Subject: [PATCH 2/2] chore: Update checkout output Signed-off-by: Roger Barker --- .github/workflows/test.yml | 1 - README.md | 1 - action.yml | 3 --- 3 files changed, 5 deletions(-) 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 21e66f8..25cb32e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -69,7 +69,6 @@ jobs: echo "::group::Verify Checkout Outputs" echo "Checkout Ref: ${{ steps.test-all.outputs.checkout-ref }}" echo "Checkout Commit: ${{ steps.test-all.outputs.checkout-commit }}" - echo "Checkout Path: ${{ steps.test-all.outputs.checkout-path }}" echo "::endgroup::" echo "::group::Verify Java Outputs" echo "Java Distribution: ${{ steps.test-all.outputs.java-distribution }}" diff --git a/README.md b/README.md index 9105b9a..093c79c 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,6 @@ Common steps for initializing a job for GitHub actions. This composite action co - `checkout-ref`: The branch, tag or SHA that was checked out - `checkout-commit`: The commit SHA that was checked out -- `checkout-path`: The path that the repository was checked out into (relative to `$GITHUB_WORKSPACE`) **Java Outputs** diff --git a/action.yml b/action.yml index 9f80ca7..e0016ba 100644 --- a/action.yml +++ b/action.yml @@ -160,9 +160,6 @@ outputs: checkout-commit: description: 'The commit SHA that was checked out' value: ${{ steps.checkout-code.outputs.commit }} - checkout-path: - description: 'The path that the repository was checked out into (relative to $GITHUB_WORKSPACE)' - value: ${{ steps.checkout-code.outputs.path }} java-distribution: description: 'Distribution of Java that has been installed' value: ${{ steps.setup-java.outputs.distribution }}