raphw / byte-buddy

Runtime code generation for the Java virtual machine.
https://bytebuddy.net
Apache License 2.0
6.23k stars 804 forks

ci: update harden-runner configuration #1671

Closed varunsh-coder closed 2 months ago

varunsh-coder commented 2 months ago

Related to https://github.com/step-security/harden-runner/issues/167

I noticed that downloads.gradle-dn.com is no longer a valid domain. Since it was in the block policy but could not be resolved, harden-runner was reverting the policy.

A couple more were not needed, so I have removed them:

- artifactcache.actions.githubusercontent.com:443 does not have to be allowed explicitly, as it is always allowed.
- aw97acprodeus1file2.blob.core.windows.net:443 is a cache endpoint and does not have to be allowed explicitly, as harden-runner auto-detects cache endpoints and adds them to the allowed list.

When I ran this job in a fork in audit mode, it needed a few more endpoints, which I have added.

I have also bumped the harden-runner version.
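As an added example (not part of this PR or of the byte-buddy project), a small pre-merge lint for the failure mode described above: harden-runner's `allowed-endpoints` input is a whitespace-separated list of `host:port` entries, and a host that no longer resolves causes the block policy to be reverted, so a stale entry silently weakens the workflow. The `dns_resolves` helper, the injectable resolver and the sample allowlist are assumptions constructed here; the resolver is injectable so the check can run offline.

```python
"""Pre-merge lint for a harden-runner block-mode allowlist (constructed example)."""
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], bool]

# Constructed sample of an `allowed-endpoints` input; the dead domain is the one
# reported in the PR, the other two are ordinary build endpoints.
SAMPLE_ALLOWLIST = """
github.com:443
downloads.gradle-dn.com:443
repo.maven.apache.org:443
"""


def dns_resolves(host: str) -> bool:
    """Default resolver: True if the host has at least one A/AAAA record."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def parse_endpoints(raw: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Split the input into (host, port) pairs and collect malformed tokens."""
    good, bad = [], []
    for tok in raw.split():
        host, sep, port = tok.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            bad.append(tok)
        else:
            good.append((host.lower(), int(port)))
    return good, bad


def lint_allowlist(raw: str, resolves: Resolver = dns_resolves) -> Dict[str, List[str]]:
    """Return findings keyed by category; an empty dict means the list is safe to merge."""
    good, bad = parse_endpoints(raw)
    findings: Dict[str, List[str]] = {}
    if bad:
        findings["malformed"] = bad
    seen, dupes = set(), set()
    for host, port in good:
        key = f"{host}:{port}"
        if key in seen:
            dupes.add(key)
        seen.add(key)
    if dupes:
        findings["duplicate"] = sorted(dupes)
    # An unresolvable host is the case from the PR: harden-runner reverts the block policy.
    dead = sorted({host for host, _ in good if not resolves(host)})
    if dead:
        findings["unresolvable"] = dead
    return findings
```

Run `lint_allowlist(SAMPLE_ALLOWLIST)` in CI and fail the job on a non-empty result.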