From b762c348604984113c3284a55c29789463528b81 Mon Sep 17 00:00:00 2001
From: Nathaniel Landau
Date: Fri, 5 May 2023 14:51:32 -0400
Subject: [PATCH] ci: update harden security runner (#42)
---
 .github/workflows/automated-tests.yml | 3 ++-
 .github/workflows/commit-linter.yml | 4 ++--
 .github/workflows/create-release.yml | 3 ++-
 .github/workflows/devcontainer-checker.yml | 8 +++-----
 .github/workflows/labeler.yml | 4 ++--
 .github/workflows/pr-linter.yml | 4 ++--
 .github/workflows/pypi-release.yml | 3 ++-
 7 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/automated-tests.yml b/.github/workflows/automated-tests.yml
index 1a4aa1b..f979d01 100644
--- a/.github/workflows/automated-tests.yml
+++ b/.github/workflows/automated-tests.yml
@@ -38,7 +38,8 @@ jobs:
 matrix:
 python-version: ["3.10", "3.11"]
 steps:
- - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 disable-sudo: true
diff --git a/.github/workflows/commit-linter.yml b/.github/workflows/commit-linter.yml
index f6b9a14..ec96037 100644
--- a/.github/workflows/commit-linter.yml
+++ b/.github/workflows/commit-linter.yml
@@ -22,8 +22,8 @@ jobs:
 pull-requests: read # for wagoid/commitlint-github-action to get commits in PR
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 allowed-endpoints: >
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index cb01da5..26d37af 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
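Review bot: The new `uses: step-security/harden-runner@v2` line replaces a full commit SHA (`1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1`) with a mutable major-version tag, so the step that is supposed to enforce egress policy for the rest of the job is no longer pinned to immutable content and will run whatever the tag points at in the future. The same unpinning is made in commit-linter.yml, create-release.yml, devcontainer-checker.yml, labeler.yml, pr-linter.yml and pypi-release.yml. Keeping the `name:` line is fine, but the reference should stay SHA-pinned with the version as a trailing comment, e.g. `uses: step-security/harden-runner@<full 40-char SHA of the chosen v2 release> # v2.x.y`, and a dependency-update bot can bump the SHA and comment together. If a floating tag is a deliberate trade-off, it deserves a comment on the line saying so, since pinned-dependency checks will otherwise flag every one of these workflows.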
@@ -22,7 +22,8 @@ jobs:
 matrix:
 python-version: ["3.11"]
 steps:
- - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 disable-sudo: true
diff --git a/.github/workflows/devcontainer-checker.yml b/.github/workflows/devcontainer-checker.yml
index 4436405..b71ce75 100644
--- a/.github/workflows/devcontainer-checker.yml
+++ b/.github/workflows/devcontainer-checker.yml
@@ -27,17 +27,17 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 allowed-endpoints: >
+ *.data.mcr.microsoft.com:443
 api.snapcraft.io:443
 auth.docker.io:443
- centralus.data.mcr.microsoft.com:443
 deb.debian.org:443
 deb.debian.org:80
 dl.yarnpkg.com:443
- eastus.data.mcr.microsoft.com:443
 files.pythonhosted.org:443
 ghcr.io:443
 git.rootprojects.org:443
@@ -51,8 +51,6 @@ jobs:
 registry-1.docker.io:443
 registry.npmjs.org:443
 webi.sh:443
- westcentralus.data.mcr.microsoft.com:443
- westus.data.mcr.microsoft.com:443
 - name: Checkout
 uses: actions/checkout@v3
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 82c40d1..6216744 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -10,8 +10,8 @@ jobs:
 pull-requests: write
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 allowed-endpoints: >
diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
index ac1a8b3..d4f204d 100644
--- a/.github/workflows/pr-linter.yml
+++ b/.github/workflows/pr-linter.yml
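Review bot: The wildcard `*.data.mcr.microsoft.com:443` added to `allowed-endpoints` in devcontainer-checker.yml loosens the egress allowlist from four named regional hosts (`centralus`, `eastus`, `westcentralus`, `westus`, removed across the two hunks) to every subdomain of that zone, and nothing on the line records why. That is presumably a fix for region-dependent image-layer routing, but a widened allowlist under `egress-policy: block` is a policy decision and should say so, e.g. `# MCR layer downloads are served from a per-region host; the wildcard replaces listing each region`. It is also worth confirming that the wildcard form is honoured by the harden-runner release actually resolved by `@v2`, since a silently unmatched entry would make the job fail at runtime rather than at review. The first hunk ends inside the `allowed-endpoints` block scalar, so the rest of that list lies outside the hunk.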
@@ -21,8 +21,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - name: Harden Runner
- uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 allowed-endpoints: >
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
index 17140be..9e5f77b 100644
--- a/.github/workflows/pypi-release.yml
+++ b/.github/workflows/pypi-release.yml
@@ -18,7 +18,8 @@ jobs:
 matrix:
 python-version: ["3.11"]
 steps:
- - uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1
+ - name: Harden Security Runner
+ uses: step-security/harden-runner@v2
 with:
 egress-policy: block
 disable-sudo: true