vmactions / freebsd-vm

Use FreeBSD in github actions
https://vmactions.org
MIT License

Restrictions in outgoing traffic #75

Closed macie closed 9 months ago

macie commented 9 months ago

The step-security/harden-runner action helps prevent known security breaches in CI/CD environments.

By default, it restricts DNS traffic, which causes a failure during VM setup:

Setting up VM
exec ssh: mkdir -p /home/runner/work && ln -s /home/runner/work/  work
/usr/bin/bash /home/runner/work/_actions/vmactions/freebsd-vm/v1.0.4/run.sh execSSH
Config file: freebsd-14.0.conf
Pseudo-terminal will not be allocated because stdin is not a terminal.
exec shell: bash run.sh installRsyncInVM
/usr/bin/bash
Config file: freebsd-14.0.conf
Updating FreeBSD repository catalogue...
pkg: No SRV record found for the repo 'FreeBSD'
pkg: packagesite URL error for pkg+http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/packagesite.pkg -- pkg+:// implies SRV mirror type
pkg: packagesite URL error for pkg+http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/packagesite.txz -- pkg+:// implies SRV mirror type
Unable to update repository FreeBSD
Error updating repositories!
exec shell: bash run.sh showDebugInfo

I've found that changing mirror_type and the URL format in the package repos config should help, but I didn't verify it.

Steps to reproduce

Minimal reproducible example:

name: Hardened Runner & FreeBSD
on: [push]

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit

      - name: Run command inside VM
        uses: vmactions/freebsd-vm@v1.0.4
        with:
          run: |
            echo 'It works!'

Neilpang commented 9 months ago

Please try again with the latest release.

macie commented 9 months ago

I can confirm that with version v1.0.5 (d139f0eaa5d47d9fcc44f7ab1748574475d89565) I can use step-security/harden-runner action.

Thanks for the very fast response!
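
The workaround mentioned (unverified) in the first comment, as an added example that is not part of the thread or of the vmactions/freebsd-vm code: it recognises the SRV failure in the setup log and prints a pkg repo override with `mirror_type: "none"` and the `pkg+` prefix dropped from the URL. The function names are hypothetical, the sample log is built from the lines quoted in the issue, and the thread does not say whether v1.0.5 fixed the problem this way.

```shell
#!/bin/sh
# Added example: not code from vmactions/freebsd-vm or harden-runner.

# Constructed sample: pkg lines copied from the failing run in this issue.
SAMPLE_LOG="Updating FreeBSD repository catalogue...
pkg: No SRV record found for the repo 'FreeBSD'
pkg: packagesite URL error for pkg+http://pkg.freebsd.org/FreeBSD:14:amd64/quarterly/packagesite.pkg -- pkg+:// implies SRV mirror type
Unable to update repository FreeBSD"

# Names of repos whose SRV lookup failed, one per line (log on stdin).
srv_failed_repos() {
    awk -F"'" '/^pkg: No SRV record found for the repo /{print $2}'
}

# Base URL of the first repo that pkg rejected (log on stdin).
failed_url() {
    sed -n 's|^pkg: packagesite URL error for \(pkg+[^ ]*\)/packagesite\.[a-z]* -- .*|\1|p' | head -n 1
}

# UCL override: same URL without the pkg+ prefix, SRV discovery off.
render_override() {
    printf '%s: {\n  url: "%s",\n  mirror_type: "none"\n}\n' "$1" "${2#pkg+}"
}

# Read a setup log on stdin; print an override only for the SRV failure.
suggest_override() {
    log=$(cat)
    repo=$(printf '%s\n' "$log" | srv_failed_repos | head -n 1)
    url=$(printf '%s\n' "$log" | failed_url)
    if [ -n "$repo" ] && [ -n "$url" ]; then
        render_override "$repo" "$url"
    fi
}

# Inside the VM the output would go to /usr/local/etc/pkg/repos/FreeBSD.conf
printf '%s\n' "$SAMPLE_LOG" | suggest_override
```

The override keeps the scheme and host from the log, so only mirror discovery changes; the runner still has to be able to resolve and reach pkg.freebsd.org.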