diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml index 1476c0290..f9b81cd6d 100644 --- a/.github/workflows/javascript-testing.yml +++ b/.github/workflows/javascript-testing.yml @@ -49,7 +49,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + codeload.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -91,7 +98,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + codeload.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -132,7 +146,16 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + cdn.cypress.io:443 + codeload.github.com:443 + download.cypress.io:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -182,7 +205,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Test Results Summary run: | 
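Review bot: The `with:` block of the first Harden Runner step (javascript-testing.yml, @@ -49) now blocks egress but still leaves `disable-sudo` at its default, so a compromised step can no longer phone home yet can still escalate on the runner; if the job's remaining steps do not need root, add `disable-sudo: true` next to `egress-policy: block`. Note also that `objects.githubusercontent.com:443` and `codeload.github.com:443` are shared hosts serving any GitHub repository's content, so the allowlist stops egress to arbitrary hosts but not to attacker-controlled GitHub content — worth a one-line comment above `allowed-endpoints:` so nobody mistakes the list for a per-repository restriction. Because `allowed-endpoints: >` is a folded block scalar, a `# …` line placed inside the list would become part of the value, so any rationale comment has to sit above the key.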
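Review bot: In the third hunk (@@ -132), `cdn.cypress.io:443` and `download.cypress.io:443` are presumably there for the Cypress binary download at install time — confirm; that binary is fetched outside the npm lockfile's integrity checks, so pinning the action SHA and the npm package does not cover it. Consider caching `~/.cache/Cypress` keyed on the Cypress version so the download only happens on a version change, and keep the two hosts in the allowlist regardless, since a cache miss under `egress-policy: block` would otherwise surface as a generic connection error rather than a clear message.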
diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index 69b57a2f3..457ffb106 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -29,7 +29,18 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + codeload.github.com:443 + fonts.googleapis.com:443 + fonts.gstatic.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 + riksdagsmonitor.com:443 + storage.googleapis.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/news-article-generator.lock.yml b/.github/workflows/news-article-generator.lock.yml index eec5b470e..67221ecfb 100644 --- a/.github/workflows/news-article-generator.lock.yml +++ b/.github/workflows/news-article-generator.lock.yml @@ -677,7 +677,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ diff --git a/.github/workflows/news-article-generator.md b/.github/workflows/news-article-generator.md index 45b4c5efa..6782cf816 100644 --- a/.github/workflows/news-article-generator.md +++ b/.github/workflows/news-article-generator.md @@ -59,7 +59,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/news-evening-analysis.lock.yml b/.github/workflows/news-evening-analysis.lock.yml index 73c8d2808..2d2c57a0e 100644 --- a/.github/workflows/news-evening-analysis.lock.yml +++ b/.github/workflows/news-evening-analysis.lock.yml 
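Review bot: `storage.googleapis.com:443` in the lighthouse-ci.yml allowlist is the shared host for every Google Cloud Storage bucket, so with `egress-policy: block` the job can still write to any bucket an attacker controls; it is presumably there for the Lighthouse CI report upload — confirm which upload target is configured, and if it is the temporary public storage, be aware the uploaded report is world-readable. Document the reason for each non-GitHub entry (`fonts.*`, `riksdagsmonitor.com`, `storage.googleapis.com`) in a comment above `allowed-endpoints:`, e.g. `# storage.googleapis.com: LHCI report upload (shared GCS host, not bucket-scoped)`; a `# …` line inside the folded `>` scalar would become part of the value, so it cannot go inline.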
@@ -670,7 +670,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ diff --git a/.github/workflows/news-evening-analysis.md b/.github/workflows/news-evening-analysis.md index c14a27a71..92b0c2729 100644 --- a/.github/workflows/news-evening-analysis.md +++ b/.github/workflows/news-evening-analysis.md @@ -64,7 +64,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/news-realtime-monitor.lock.yml b/.github/workflows/news-realtime-monitor.lock.yml index 58ef9a621..bc9c384b5 100644 --- a/.github/workflows/news-realtime-monitor.lock.yml +++ b/.github/workflows/news-realtime-monitor.lock.yml @@ -667,7 +667,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ diff --git a/.github/workflows/news-realtime-monitor.md b/.github/workflows/news-realtime-monitor.md index f771014c3..5d34d4687 100644 --- a/.github/workflows/news-realtime-monitor.md +++ b/.github/workflows/news-realtime-monitor.md @@ -63,7 +63,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 7bd5dc6ba..b3e5f4405 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -16,7 +16,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + codeload.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -61,7 +68,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + codeload.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -119,7 +133,24 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + cia.sourceforge.io:443 + codeload.github.com:443 + data.riksdagen.se:443 + data.worldbank.org:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + registry.npmjs.org:443 + riksdagsmonitor.com:443 + www.esv.se:443 + www.hack23.com:443 + www.linkedin.com:443 + www.riksdagen.se:443 + www.val.se:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -152,9 +183,6 @@ jobs: linkinator --version echo "✅ linkinator v6 installed successfully" - - name: Install jq - run: sudo apt-get update && sudo apt-get install -y jq - - name: Check internal links (static files) run: | echo "🔍 Starting local HTTP server for internal link checking..." 
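Review bot: In the link-checker hunk (@@ -119) the allowlist now enumerates the external domains the site links to (`www.linkedin.com`, `cia.sourceforge.io`, `data.worldbank.org`, …), which turns every new outbound link added to the content into a blocked connection; under `egress-policy: block` linkinator will report that as a broken link with no hint that the runner policy caused it. Either scope the external check to a maintained host list that mirrors this allowlist, or add a comment above `allowed-endpoints:` such as `# Must be extended whenever content links to a new external domain (egress is blocked).` so the failure mode is discoverable.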
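Review bot: Removing the `Install jq` step (@@ -152) makes the job depend on jq being preinstalled on the runner image, and since no apt mirror is in the new allowlist the step could not simply be restored later without extending the allowlist; if `jq` is used further down (outside the hunk), a one-line guard such as `jq --version` early in the job turns a missing binary into a clear failure rather than a mid-script parse error. The `Check internal links` run block continues beyond the hunk.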
@@ -239,10 +267,10 @@ jobs: needs: [typescript-lint, html-validation, link-checker] if: always() steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner (block outbound calls) uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block - name: Quality Check Summary run: |
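Review bot: The summary job's Harden Runner step (@@ -239) switches to `egress-policy: block` with no `allowed-endpoints` at all, unlike the summary job in javascript-testing.yml which allows `api.github.com:443` and `github.com:443`; that is only correct if the `Quality Check Summary` run step (its body lies outside the hunk) never talks to the GitHub API. Confirm it only echoes to the log; if it calls `gh` or `curl` the job will now fail with a connection error, and the fix is the same two-entry allowlist used in javascript-testing.yml.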