From 79f377b30d9a9f74f59eefb8356ef0bcb11e8edd Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 3 Mar 2022 07:22:46 -0800
Subject: [PATCH 1/2] security: behavior analysis of dependencies
---
.github/workflows/CI.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index 8247d049616510..d5859cbf12563a 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -1,11 +1,19 @@ name: CI on: pull_request +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@v1 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - uses: actions/checkout@v2 - uses: actions/setup-node@v1 with:
From 6323f8d65ef5f734e6889b97534df79e3d95ad39 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Thu, 3 Mar 2022 07:32:49 -0800
Subject: [PATCH 2/2] security: add allowed endpoints
---
.github/workflows/CI.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
index d5859cbf12563a..e306df53c09140 100644
--- a/.github/workflows/CI.yml
+++ b/.github/workflows/CI.yml
@@ -12,7 +12,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@v1 with: - egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + egress-policy: block + disable-telemetry: true + allowed-endpoints: > + api.github.com:443 + github.com:443 + raw.githubusercontent.com:443 + registry.npmjs.org:443 - uses: actions/checkout@v2 - uses: actions/setup-node@v1
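Review bot: The new `uses: step-security/harden-runner@v1` line references the action by a mutable tag, so the step that is meant to harden the runner is itself fetched by a reference that can be moved after this commit is merged; the context lines show `actions/checkout@v2` and `actions/setup-node@v1` referenced the same way, but those are not introduced here. For a commit whose purpose is supply-chain hardening it is worth pinning to a full commit SHA with the tag kept as a comment, `uses: step-security/harden-runner@<full-commit-sha>  # v1`. The workflow-level `permissions: contents: read` is a sensible default, and the `TODO` on the audit line is resolved by the second patch, so neither needs a change. The second patch's hunk shows this same `uses:` line unchanged, so the pin applies there as well.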
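Review bot: Nothing in the new `allowed-endpoints` block records why each host is on the list, so when a later dependency or action change is blocked under `egress-policy: block` the reader cannot tell whether the new host is expected or a sign of something unwanted. A comment above `allowed-endpoints: >` naming the consumer of each entry, along the lines of `# hosts observed in the audit runs: github.com/api.github.com for checkout, registry.npmjs.org for npm install; raw.githubusercontent.com consumer still to be confirmed`, would make the allowlist reviewable rather than a copied audit result, since which step needs `raw.githubusercontent.com:443` is not visible in the hunk. It would also help to state in the commit message that the list was derived from the earlier audit runs rather than chosen by hand, as the first patch's `TODO` implies but this one does not say.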