Harden workflow egress policies and pin @playwright/mcp version #694
- Upgrade egress-policy from audit to block in quality-checks.yml (4 jobs)
- Upgrade egress-policy from audit to block in javascript-testing.yml (4 jobs)
- Upgrade egress-policy from audit to block in lighthouse-ci.yml (1 job)
- Add explicit allowed-endpoints for each job based on required network access
- Pin @playwright/mcp@latest to @playwright/mcp@0.0.68 in 3 news workflow .md files
- Update corresponding .lock.yml files to match pinned playwright/mcp version
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
🔍 Lighthouse Performance Audit
📥 Download full Lighthouse report Budget Compliance: Performance budgets enforced via |
Pull request overview
Hardens select GitHub Actions workflows by switching Step Security’s runner hardening from audit-only to enforced egress blocking with allowlists, and reduces supply-chain risk by pinning @playwright/mcp to an explicit version in news workflows.
Changes:
- Switched egress-policy from audit to block with allowed-endpoints in quality-checks.yml, javascript-testing.yml, and lighthouse-ci.yml.
- Pinned @playwright/mcp from @latest to @0.0.68 across three news workflow sources and their compiled lock files.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/quality-checks.yml | Enforces blocked egress with per-job endpoint allowlists (plus a summary job allowlist). |
| .github/workflows/javascript-testing.yml | Enforces blocked egress with allowlists, including Cypress CDN for the Cypress job. |
| .github/workflows/lighthouse-ci.yml | Enforces blocked egress with allowlists for site + GCS usage. |
| .github/workflows/news-realtime-monitor.md | Pins @playwright/mcp version in MCP tool configuration. |
| .github/workflows/news-realtime-monitor.lock.yml | Updates compiled workflow to match pinned @playwright/mcp version. |
| .github/workflows/news-evening-analysis.md | Pins @playwright/mcp version in MCP tool configuration. |
| .github/workflows/news-evening-analysis.lock.yml | Updates compiled workflow to match pinned @playwright/mcp version. |
| .github/workflows/news-article-generator.md | Pins @playwright/mcp version in MCP tool configuration. |
| .github/workflows/news-article-generator.lock.yml | Updates compiled workflow to match pinned @playwright/mcp version. |
.github/workflows/quality-checks.yml
Outdated
| - name: Harden the runner (Audit all outbound calls) | ||
| uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 | ||
| with: | ||
| egress-policy: audit | ||
| egress-policy: block | ||
| allowed-endpoints: > | ||
| api.github.com:443 | ||
| github.com:443 |
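Review bot: Nothing beside allowed-endpoints records which step needs api.github.com:443 or github.com:443, so a later reviewer cannot tell which entries are safe to prune once the policy is block. Add a YAML comment above the allowed-endpoints key naming the step each host serves; do not put it inside the block scalar, where a line starting with # becomes part of the value.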
The step name says 'Audit all outbound calls' but the config is now egress-policy: block. Rename the step to reflect the enforced behavior (e.g., 'Harden runner (block outbound calls)') to avoid confusion when reading logs.
Fixed in 0fb0dc7 — renamed to Harden Runner (block outbound calls).
| egress-policy: block | ||
| allowed-endpoints: > | ||
| api.github.com:443 | ||
| github.com:443 | ||
| nodejs.org:443 | ||
| objects.githubusercontent.com:443 | ||
| registry.npmjs.org:443 |
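Review bot: The delimiter the action expects for allowed-endpoints is not evident from this hunk, so the choice between > and | should be settled by a run of this job with egress-policy: block rather than by style preference. Under block, a list that tokenises wrongly can leave the job with no usable allowlist, which shows up as failures in checkout or npm install rather than as a configuration error; record the verified form in a comment above the key.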
Using YAML folded style (>) will fold newlines into spaces, producing a single-line string. If step-security/harden-runner expects newline-delimited endpoints, this can cause the allowlist to be misparsed. Prefer literal style (|) to preserve line breaks for endpoint lists.
Fixed in 0fb0dc7 — switched all allowed-endpoints blocks from folded style (>) to literal style (|) across all three workflows.
| egress-policy: block | ||
| allowed-endpoints: > | ||
| api.github.com:443 | ||
| github.com:443 |
actions/checkout typically downloads the repository archive from codeload.github.com (not github.com). With egress-policy: block, the checkout step can fail unless codeload.github.com:443 is included in allowed-endpoints for jobs that use actions/checkout.
| github.com:443 | |
| github.com:443 | |
| codeload.github.com:443 |
Fixed in 0fb0dc7 — added codeload.github.com:443 to every job that uses actions/checkout (3 jobs in quality-checks.yml, 3 in javascript-testing.yml, 1 in lighthouse-ci.yml).
@copilot apply changes based on the comments in this thread
- Fix step name: 'Harden the runner (Audit all outbound calls)' -> 'Harden Runner (block outbound calls)'
- Change allowed-endpoints YAML from folded style (>) to literal style (|) in all 3 workflows
- Add codeload.github.com:443 to all jobs using actions/checkout (9 jobs across 3 workflows)
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
| objects.githubusercontent.com:443 | ||
| registry.npmjs.org:443 | ||
| riksdagsmonitor.com:443 | ||
| www.riksdagen.se:443 |
The link-checker job runs linkinator https://riksdagsmonitor.com/ and (per the current --skip regex) will attempt to validate external links on the homepage beyond the riksdagen.se domains (e.g., links to www.hack23.com and www.linkedin.com are present in index.html). With egress-policy: block, those requests will be blocked and inflate the external-links report with false failures. Either add the relevant domains (e.g., www.hack23.com:443, www.linkedin.com:443) to allowed-endpoints, or extend the --skip pattern to exclude them so the report reflects real link issues rather than egress blocks.
| www.riksdagen.se:443 | |
| www.riksdagen.se:443 | |
| www.hack23.com:443 | |
| www.linkedin.com:443 |
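Review bot: www.hack23.com:443 and www.linkedin.com:443 are added as permanent egress destinations for the whole job, and every entry in a block-mode allowlist is also a host that any step in the job may reach. If these hosts are needed only so the link check can fetch them, prefer excluding them in the checker's skip pattern and keep allowed-endpoints limited to hosts the job itself depends on; otherwise the list has to track every external link the page gains.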
Fixed in c620e77 — added www.hack23.com:443 and www.linkedin.com:443 as requested, plus all other external domains linked from index.html that would be blocked: cia.sourceforge.io:443, data.worldbank.org:443, raw.githubusercontent.com:443, www.esv.se:443, and www.val.se:443.
@copilot apply changes based on the comments in this thread
Add all external domains linked from riksdagsmonitor.com that the linkinator external check would visit:
- www.hack23.com:443 and www.linkedin.com:443 (per review comment)
- cia.sourceforge.io:443, data.worldbank.org:443
- raw.githubusercontent.com:443, www.esv.se:443, www.val.se:443
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Done in c620e77 — added all missing external domains to the link-checker's |
.github/workflows/quality-checks.yml
Outdated
| allowed-endpoints: > | ||
| api.github.com:443 | ||
| github.com:443 |
The summary job appears to only emit a local summary (no checkout/install shown in this hunk), but it still permits outbound access to GitHub/API. If the job truly doesn’t require network egress, tightening this to an empty allowlist (or removing allowed-endpoints entirely, depending on the action’s expectations) would reduce the allowed attack surface.
| allowed-endpoints: > | |
| api.github.com:443 | |
| github.com:443 |
Fixed in 813c03e — removed the allowed-endpoints block entirely from the summary job. It only runs echo commands with no network access needed.
| egress-policy: block | ||
| allowed-endpoints: > | ||
| api.github.com:443 | ||
| cdn.cypress.io:443 | ||
| codeload.github.com:443 | ||
| github.com:443 | ||
| nodejs.org:443 | ||
| objects.githubusercontent.com:443 | ||
| registry.npmjs.org:443 |
Cypress installs commonly download the binary from download.cypress.io (and/or related hosts) rather than only cdn.cypress.io. If this job performs a fresh Cypress install/download, the current allowlist may block it. Consider adding download.cypress.io:443 (or confirming the exact host(s) used by the Cypress download in this workflow) to avoid intermittent failures on cold caches.
Fixed in 813c03e — added download.cypress.io:443 to the multi-language-sanity job's allowlist alongside the existing cdn.cypress.io:443.
@copilot apply changes based on the comments in this thread
- Remove allowed-endpoints from summary job in quality-checks.yml: the job only runs echo commands and needs zero external network access
- Add download.cypress.io:443 to multi-language-sanity Cypress job in javascript-testing.yml: Cypress binary downloads can originate from download.cypress.io as well as cdn.cypress.io
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Done in 813c03e — both changes applied: summary job |
Hardens GitHub Actions workflows by upgrading from egress-policy: audit to egress-policy: block with explicit allowed endpoints, and reduces supply chain risk by pinning @playwright/mcp@latest to a specific version.
Changes Made
Egress Policy Hardening
- egress-policy from audit to block with allowed-endpoints in quality-checks.yml (4 jobs), javascript-testing.yml (4 jobs), and lighthouse-ci.yml (1 job)
- >) for allowed-endpoints to match the working deploy-s3.yml reference pattern — the Go harden-runner agent v0.14.3 parses endpoints using spaces as delimiters, so > (folded) is required; | (literal) bundles all entries into one invalid token
- codeload.github.com:443 to all jobs using actions/checkout
- Audit all outbound calls → Harden Runner (block outbound calls) to reflect enforced behavior
- apt-get install jq step (jq is pre-installed on ubuntu-latest), eliminating the deb.debian.org:80 plaintext HTTP endpoint from the allowlist
- allowed-endpoints entirely from the summary job in quality-checks.yml — it only runs echo commands and requires zero external network access
Allowlist Completeness
- data.riksdagen.se:443 and www.riksdagen.se:443 to the link-checker job in quality-checks.yml
- fonts.googleapis.com:443 and fonts.gstatic.com:443 to lighthouse-ci.yml (the site loads Google Fonts; required for accurate Lighthouse audit results)
- riksdagsmonitor.com to the link-checker's allowed-endpoints: www.hack23.com:443, www.linkedin.com:443, cia.sourceforge.io:443, data.worldbank.org:443, raw.githubusercontent.com:443, www.esv.se:443, and www.val.se:443
- download.cypress.io:443 to the multi-language-sanity Cypress job in javascript-testing.yml — Cypress binary downloads can originate from this host as well as cdn.cypress.io
Dependency Pinning
- @playwright/mcp from @latest to @0.0.68 in news-article-generator.md, news-evening-analysis.md, and news-realtime-monitor.md
- .lock.yml files to match the pinned version
Security Impact
- @playwright/mcp
- deb.debian.org:80) from all allowlists
Testing
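Added example, not part of this pull request or of harden-runner's own code: a Ruby lint over a constructed workflow that tokenises allowed-endpoints the way the PR description says the agent does (split on single spaces, an assumption taken from that description) and flags the issues raised in this thread: a literal-style list collapsing into one token, a plaintext :80 endpoint, and actions/checkout without codeload.github.com:443. The workflow text, the job names, PLACEHOLDER_SHA and the function names agent_tokens and lint are constructed for illustration.

```ruby
require 'yaml'

# Constructed workflow (not from the PR): the same kind of allowlist written
# folded (>) and literal (|). PLACEHOLDER_SHA is a placeholder, not a real ref.
WORKFLOW = <<~YAML
  jobs:
    folded:
      steps:
        - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
          with:
            egress-policy: block
            allowed-endpoints: >
              api.github.com:443
              github.com:443
              deb.debian.org:80
        - uses: actions/checkout@PLACEHOLDER_SHA
    literal:
      steps:
        - uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b
          with:
            egress-policy: block
            allowed-endpoints: |
              api.github.com:443
              codeload.github.com:443
        - uses: actions/checkout@PLACEHOLDER_SHA
YAML

# Assumption taken from the PR description: the agent splits on single spaces.
# split(/ /) is deliberate; Ruby's split(' ') would also split on newlines.
def agent_tokens(raw)
  raw.to_s.strip.split(/ /).reject(&:empty?)
end

def lint(workflow_text)
  YAML.safe_load(workflow_text).fetch('jobs', {}).flat_map do |job, body|
    steps = body.fetch('steps', [])
    with = steps.find { |s| s['uses'].to_s.start_with?('step-security/harden-runner@') }&.fetch('with', {})
    next ["#{job}: no harden-runner step"] unless with
    tokens = agent_tokens(with['allowed-endpoints'])
    out = []
    out << "#{job}: egress-policy is not block" unless with['egress-policy'] == 'block'
    tokens.each do |t|
      out << "#{job}: malformed endpoint token #{t.inspect}" unless t.match?(/\A[A-Za-z0-9.-]+:\d+\z/)
      out << "#{job}: plaintext endpoint #{t}" if t.end_with?(':80')
    end
    checkout = steps.any? { |s| s['uses'].to_s.start_with?('actions/checkout@') }
    out << "#{job}: actions/checkout without codeload.github.com:443" if checkout && !tokens.include?('codeload.github.com:443')
    out
  end
end
```

Under the space-splitting assumption the literal job's codeload.github.com:443 entry is never seen as its own token, so the lint reports both the malformed token and the missing checkout host for that job.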