Skip to content

meta: update scorecard egress-policy from audit to block #61738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Ronitsabhaya75 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

meta: update scorecard egress-policy from audit to block #61738

Ronitsabhaya75 wants to merge 1 commit into from
+1 −1

Conversation

@Ronitsabhaya75
Copy link
Contributor

@Ronitsabhaya75 Ronitsabhaya75 commented Feb 8, 2026

Updates the OpenSSF Scorecard workflow to enforce stricter egress control by changing the harden-runner policy from audit to block.

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 8, 2026

Review requested:

  • @nodejs/actions

@nodejs-github-bot nodejs-github-bot added the meta Issues and PRs related to the general management of the project. label Feb 8, 2026
@aduh95
Copy link
Contributor

aduh95 commented Feb 8, 2026

/cc @mateonunez

mateonunez
mateonunez reviewed Feb 9, 2026
View reviewed changes
.github/workflows/scorecard.yml
uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
egress-policy: block
Copy link
Contributor

@mateonunez mateonunez Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @Ronitsabhaya75, as we transition from audit to block mode, we must ensure the allowed-endpoints list is exhaustive to avoid breaking the CI pipeline

Copy link
Contributor Author

@Ronitsabhaya75 Ronitsabhaya75 Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mateonunez Good point! Since we've run in audit mode since November 2025, harden-runner has auto-detected the required endpoints and will allow them in block mode. Let me know if you'd prefer an explicit allowed-endpoints list for clarity.

Copy link
Contributor

@mateonunez mateonunez Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also think is better to have an explicit allowed-endpoints for clarity. What do you think, @aduh95?

Copy link
Contributor Author

@Ronitsabhaya75 Ronitsabhaya75 Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mateonunez i think it would be better to have explicit conditions. So that we can use audit and in meantime if condition fails then we can block.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mateonunez mateonunez mateonunez left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

meta Issues and PRs related to the general management of the project.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Ronitsabhaya75 @nodejs-github-bot @aduh95 @mateonunez