PandasWhoCode · rbarker-dev · May 19, 2026 · May 19, 2026 · May 19, 2026
@@ -36,10 +36,13 @@ jobs:
         uses: ./
         id: test-all
         with:
+          egress-policy: audit
           checkout: true
           checkout-fetch-depth: 0
           checkout-ref: main
           checkout-token: ${{ secrets.GITHUB_TOKEN }}
+          checkout-path: '.'
+          checkout-persist: true
           checkout-submodules: false
           setup-java: true
           java-distribution: 'temurin'
@@ -83,6 +86,7 @@ jobs:
           echo "::group::Verify Node.js Outputs"
             echo "Node.js Version: ${{ steps.test-all.outputs.node-version }}"
             echo "Node.js Cache Hit: ${{ steps.test-all.outputs.node-cache-hit }}"
+            echo "Node.js Registry URL: ${{ steps.test-all.outputs.node-registry-url }}"
             node -v
             npm -v
           echo "::endgroup::"
@@ -114,6 +118,25 @@ jobs:
             gomplate --version
           echo "::endgroup::"
 
+  test-egress-policy:
+    name: Test Egress Policy Input
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        id: harden-runner
+        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
+        with:
+          egress-policy: audit
+
+      - name: Checkout Repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run Action with Explicit Egress Policy
+        uses: ./
+        id: test-egress-policy
+        with:
+          egress-policy: audit
+
   test-checkout:
     name: Test Checkout Action
     runs-on: ubuntu-latest

@@ -4,7 +4,7 @@ Common steps for initializing a job for GitHub actions. This composite action co
 
 ## Features
 
-- Security hardening with Step Security's Harden Runner
+- Security hardening with Step Security's Harden Runner (configurable egress policy)
 - Repository checkout with configurable options
 - Multi-language support (Node.js, Java, Python, Go, Rust, Swift)
 - Build tool setup (Gradle, Task, gomplate)
@@ -25,15 +25,23 @@ Common steps for initializing a job for GitHub actions. This composite action co
 
 ### Inputs
 
+**Harden Runner**
+
+| Input         | Description                                  | Required | Default | Options           |
+|---------------|----------------------------------------------|----------|---------|-------------------|
+| egress-policy | Egress policy to apply to the runner         | No       | audit   | `audit`/`block`   |
+
 **Repository Checkout**
 
-| Input                | Description                                              | Required | Default | Options                    |
-|----------------------|----------------------------------------------------------|----------|---------|----------------------------|
-| checkout             | Whether to checkout the repository                       | No       | -       | `true`/`false`             |
-| checkout-ref         | The branch, tag or SHA to checkout                       | No       | -       | any `branch`/`tag`/`SHA`   |
-| checkout-token       | Personal access token (PAT) used to fetch the repository | No       | -       | `Token` used for checkout  |
-| checkout-fetch-depth | Depth of commit history to fetch                         | No       | 1       | `0` (full)/`1`/`2`/...     |
-| checkout-submodules  | Whether to fetch submodules                              | No       | false   | `true`/`false`/`recursive` |
+| Input                | Description                                                                  | Required | Default | Options                    |
+|----------------------|------------------------------------------------------------------------------|----------|---------|----------------------------|
+| checkout             | Whether to checkout the repository                                           | No       | -       | `true`/`false`             |
+| checkout-ref         | The branch, tag or SHA to checkout                                           | No       | -       | any `branch`/`tag`/`SHA`   |
+| checkout-token       | Personal access token (PAT) used to fetch the repository                     | No       | -       | `Token` used for checkout  |
+| checkout-path        | Path to checkout the repository into (relative to `${GITHUB_WORKSPACE}`)     | No       | `.`     | any relative path          |
+| checkout-fetch-depth | Depth of commit history to fetch                                             | No       | 1       | `0` (full)/`1`/`2`/...     |
+| checkout-persist     | Whether to configure the token with the local git config                     | No       | true    | `true`/`false`             |
+| checkout-submodules  | Whether to fetch submodules                                                  | No       | false   | `true`/`false`/`recursive` |
 
 **Java**
 
@@ -63,12 +71,13 @@ Common steps for initializing a job for GitHub actions. This composite action co
 
 **Node.js**
 
-| Input             | Description                                     | Required | Default |
-|-------------------|-------------------------------------------------|----------|---------|
-| setup-node        | Whether to setup Node.js                        | No       | -       |
-| node-version      | Node.js version to use                          | No       | -       |
-| node-cache        | Package manager for caching (npm, yarn, pnpm)   | No       | -       |
-| node-check-latest | Whether to check for the latest Node.js version | No       | -       |
+| Input             | Description                                                          | Required | Default                       |
+|-------------------|----------------------------------------------------------------------|----------|-------------------------------|
+| setup-node        | Whether to setup Node.js                                             | No       | -                             |
+| node-version      | Node.js version to use                                               | No       | -                             |
+| node-cache        | Package manager for caching (npm, yarn, pnpm)                        | No       | -                             |
+| node-check-latest | Whether to check for the latest Node.js version                      | No       | -                             |
+| node-registry     | Registry URL to use for Node.js package installation and publishing  | No       | `https://registry.npmjs.org/` |
 
 **Python**
 
@@ -118,8 +127,8 @@ Common steps for initializing a job for GitHub actions. This composite action co
 
 **Gomplate**
 
-| Input          | Description              | Required | Default |
-|----------------|--------------------------|----------|---------|
+| Input          | Description               | Required | Default |
+|----------------|---------------------------|----------|---------|
 | setup-gomplate | Whether to setup gomplate | No       | false   |
 
 > [!NOTE]
@@ -146,8 +155,10 @@ Common steps for initializing a job for GitHub actions. This composite action co
 - `gradle-version`: Version of Gradle that was setup
 
 **Node.js Outputs**
+
 - `node-cache-hit`: Boolean indicating if cache was hit
 - `node-version`: The installed node version
+- `node-registry-url`: The registry URL used for package installation and publishing
 
 **Python Outputs**
 
@@ -221,5 +232,17 @@ Common steps for initializing a job for GitHub actions. This composite action co
     python-cache: 'pip'
 ```
 
+**Blocking Egress Traffic**
+
+By default the Harden Runner step runs in `audit` mode. Set `egress-policy` to `block` to deny any
+network traffic that has not been explicitly allowed by the runner's policy.
+
+```yaml
+- uses: PandasWhoCode/initialize-github-job@v1
+  with:
+    egress-policy: 'block'
+    checkout: 'true'
+```
+
 ## License
 This repository is licensed under the Apache 2.0 License. See the [LICENSE](LICENSE) file for details.
@@ -3,6 +3,10 @@ description: 'Common steps for initializing a job for GitHub actions'
 author: 'PandasWhoCode'
 
 inputs:
+  egress-policy:
+    description: 'Egress policy to apply to the runner (audit or block)'
+    required: false
+    default: 'audit'
   checkout:
     description: 'Whether to checkout the repository'
     required: false
@@ -12,10 +16,18 @@ inputs:
   checkout-token:
     description: 'Personal access token (PAT) used to fetch the repository and set up task'
     required: false
+  checkout-path:
+    description: 'The path to checkout the repository into (relative to ${GITHUB_WORKSPACE})'
+    required: false
+    default: '.'
   checkout-fetch-depth:
     description: 'Depth of commit history to fetch'
     required: false
     default: '1'
+  checkout-persist:
+    description: 'Whether to configure the token with the local git config'
+    required: false
+    default: 'true'
   checkout-submodules:
     description: 'Whether to checkout submodules (true/false/recursive)'
     default: 'false'
@@ -217,7 +229,7 @@ runs:
       id: harden-runner
       uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
       with:
-        egress-policy: audit
+        egress-policy: ${{ inputs.egress-policy }}
 
     - name: Checkout Code Parameters
       id: checkout-params
@@ -239,6 +251,8 @@ runs:
         submodules: ${{ inputs.checkout-submodules }}
         ref: ${{ inputs.checkout-ref }}
         token: ${{ inputs.checkout-token }}
+        path: ${{ inputs.checkout-path }}
+        persist-credentials: ${{ inputs.checkout-persist }}
 
     - name: Set Up Java Parameters
       id: setup-java-params