diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index d59a63d..fca6280 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -81,13 +81,14 @@ jobs:
 disable-sudo: ${{ inputs.disable-sudo }}
 egress-policy: block
 allowed-endpoints: >
+ *.githubapp.com:443
+ *.trivy.dev:443
 api.github.com:443
 auth.docker.io:443
 download.docker.com:443
 fulcio.sigstore.dev:443
 ghcr.io:443
 github.com:443
- githubapp.com:443
 index.docker.io:443
 mirror.gcr.io:443
 objects.githubusercontent.com:443
@@ -97,7 +98,6 @@ jobs:
 registry-1.docker.io:443
 rekor.sigstore.dev:443
 release-assets.githubusercontent.com:443
- trivy.dev:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
diff --git a/.github/workflows/local-auto-tagger-docker-bp.yml b/.github/workflows/local-auto-tagger-docker-bp.yml
index 9dcb4ac..85061fd 100644
--- a/.github/workflows/local-auto-tagger-docker-bp.yml
+++ b/.github/workflows/local-auto-tagger-docker-bp.yml
@@ -16,6 +16,8 @@ jobs:
 uses: notdodo/github-actions/.github/workflows/docker-build-and-push.yml@docker-build-and-push-v0
 with:
 egress-policy-allowlist: >
+ *.githubapp.com:443
+ *.trivy.dev:443
 dl-cdn.alpinelinux.org:443
 files.pythonhosted.org:443
 pypi.org:443
diff --git a/.github/workflows/local-python-ci.yml b/.github/workflows/local-python-ci.yml
index be4cc28..f7d77cb 100644
--- a/.github/workflows/local-python-ci.yml
+++ b/.github/workflows/local-python-ci.yml
@@ -16,7 +16,8 @@ concurrency:
 
 jobs:
 python-ci:
- permissions: {}
+ permissions:
+ contents: read
 uses: notdodo/github-actions/.github/workflows/python-ci.yml@python-ci-v0
 with:
 working-directory: auto-tagger
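Review bot: The two wildcard entries added at the top of `allowed-endpoints` replace exact hosts with `*.githubapp.com:443` and `*.trivy.dev:443`, which under `egress-policy: block` widens the allowlist from two hosts to every subdomain of both domains, and nothing in the hunk records which concrete host forced the change. Because this is the reusable workflow's base list, every caller inherits the wider scope. Suggest a comment above the two entries naming the host that was observed blocked, e.g. `# wildcards: the blocked *.githubapp.com / *.trivy.dev host varies between runs; narrow to the exact host once it is stable`, and confirming that the egress policy's wildcard matching also covers the bare `githubapp.com` apex this hunk removes, since that is not obvious from the syntax alone. The enclosing job and step definition start before the hunk.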
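Review bot: The same two wildcards are added to this caller's `egress-policy-allowlist`, duplicating entries that the reusable workflow in `docker-build-and-push.yml` now appends to its own base list, so once the `docker-build-and-push-v0` tag carries that change these lines are redundant and the caller's list no longer reads as "endpoints this build alone needs". If the duplication is deliberate bridging until the moving tag is advanced, say so, e.g. `# TODO: drop once docker-build-and-push-v0 includes the *.githubapp.com / *.trivy.dev entries`; otherwise remove the two lines. Separately, the reusable workflow is referenced here by a mutable tag while the checkout action in the same change is pinned to a commit SHA; within a single repository the exposure is limited, but the pinning style is inconsistent.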
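Review bot: The job's permissions go from `{}` to `contents: read` without a comment on why the read grant is now needed; since a called reusable workflow receives no more than the caller grants, this is presumably the minimum for the reusable `python-ci` workflow to check out the repository, but that is inferred rather than visible in the hunk. A one-line comment keeps the least-privilege intent reviewable, e.g. `# contents: read is the minimum the reusable workflow needs to check out the repo; nothing else is granted`. The `concurrency` block and the rest of the file head are outside the hunk.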