From a2d5c65cf576e4445e05ebd496f477bdd573a09a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 02:12:06 +0000 Subject: [PATCH 1/6] security: harden egress policies and pin @playwright/mcp version - Upgrade egress-policy from audit to block in quality-checks.yml (4 jobs) - Upgrade egress-policy from audit to block in javascript-testing.yml (4 jobs) - Upgrade egress-policy from audit to block in lighthouse-ci.yml (1 job) - Add explicit allowed-endpoints for each job based on required network access - Pin @playwright/mcp@latest to @playwright/mcp@0.0.68 in 3 news workflow .md files - Update corresponding .lock.yml files to match pinned playwright/mcp version Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/javascript-testing.yml | 30 +++++++++++++++--- .github/workflows/lighthouse-ci.yml | 10 +++++- .../workflows/news-article-generator.lock.yml | 2 +- .github/workflows/news-article-generator.md | 2 +- .../workflows/news-evening-analysis.lock.yml | 2 +- .github/workflows/news-evening-analysis.md | 2 +- .../workflows/news-realtime-monitor.lock.yml | 2 +- .github/workflows/news-realtime-monitor.md | 2 +- .github/workflows/quality-checks.yml | 31 ++++++++++++++++--- 9 files changed, 68 insertions(+), 15 deletions(-) diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml index 1476c0290..29e9dd83c 100644 --- a/.github/workflows/javascript-testing.yml +++ b/.github/workflows/javascript-testing.yml @@ -49,7 +49,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
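Review bot: The new `allowed-endpoints` entries carry no indication of which step needs them, and in `block` mode a missing host fails the job while a stale one silently stays open, so each entry should be tied to its consumer. `nodejs.org:443` and `objects.githubusercontent.com:443` are presumably for a setup-node toolchain download and `registry.npmjs.org:443` for the npm install (those steps are outside the hunk), but that is not recoverable from the file. Add a comment directly above the key, e.g. `# github.com/api.github.com: checkout + actions; nodejs.org/objects.githubusercontent.com: setup-node; registry.npmjs.org: npm`. Keep it above `allowed-endpoints:` rather than inside the block scalar, where `#` is literal text and would reach harden-runner as a bogus endpoint token.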
@@ -91,7 +97,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -132,7 +144,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + cdn.cypress.io:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -182,7 +201,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Test Results Summary run: | diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index 69b57a2f3..e07bdea2d 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -29,7 +29,15 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 + riksdagsmonitor.com:443 + storage.googleapis.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/news-article-generator.lock.yml b/.github/workflows/news-article-generator.lock.yml index cf638f560..6eb7d3c42 100644 
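Review bot: `storage.googleapis.com:443` in the lighthouse-ci allowlist is a shared multi-tenant host, so allowing it in block mode permits egress to any public GCS bucket rather than to one service, which weakens the allowlist as an exfiltration/payload-staging control. It is presumably needed for Lighthouse CI's temporary-public-storage upload (the lhci step is outside the hunk); if so, those reports are world-readable and that should be recorded next to the entry, e.g. a comment above the key: `# storage.googleapis.com: LHCI temporary-public-storage upload (reports are public)`. If the upload is not needed on every run, gate it or point LHCI at a dedicated server so the broad entry can be dropped.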
--- a/.github/workflows/news-article-generator.lock.yml +++ b/.github/workflows/news-article-generator.lock.yml @@ -701,7 +701,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ diff --git a/.github/workflows/news-article-generator.md b/.github/workflows/news-article-generator.md index 154585651..eb39e6662 100644 --- a/.github/workflows/news-article-generator.md +++ b/.github/workflows/news-article-generator.md @@ -59,7 +59,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/news-evening-analysis.lock.yml b/.github/workflows/news-evening-analysis.lock.yml index 3b66c3b32..34cb1616f 100644 --- a/.github/workflows/news-evening-analysis.lock.yml +++ b/.github/workflows/news-evening-analysis.lock.yml @@ -694,7 +694,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ diff --git a/.github/workflows/news-evening-analysis.md b/.github/workflows/news-evening-analysis.md index 2bf9fe979..9e7a000e8 100644 --- a/.github/workflows/news-evening-analysis.md +++ b/.github/workflows/news-evening-analysis.md @@ -64,7 +64,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/news-realtime-monitor.lock.yml b/.github/workflows/news-realtime-monitor.lock.yml index 210113465..6457e3534 100644 --- a/.github/workflows/news-realtime-monitor.lock.yml +++ b/.github/workflows/news-realtime-monitor.lock.yml @@ -691,7 +691,7 @@ jobs: "entrypointArgs": [ "npx", "-y", - "@playwright/mcp@latest", + "@playwright/mcp@0.0.68", "--headless" ], "tools": [ 
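Review bot: Pinning `@playwright/mcp@0.0.68` in `args: ["-y", "@playwright/mcp@0.0.68", "--headless"]` fixes only the top-level version; `npx -y` still resolves and installs the package and its full dependency tree from the registry at run time, with transitive semver ranges unpinned and no integrity hashes checked against anything in the repo. A stronger pin is to declare the package as a devDependency with a committed lockfile and run the server from `node_modules` (`npx --no-install @playwright/mcp --headless`), so the agent job gets the same bytes each run. Until then a registry-side compromise of any dependency still reaches this workflow, and the same caveat applies to the two sibling `.md` workflows changed in this patch.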
diff --git a/.github/workflows/news-realtime-monitor.md b/.github/workflows/news-realtime-monitor.md index 78332be48..14feb1286 100644 --- a/.github/workflows/news-realtime-monitor.md +++ b/.github/workflows/news-realtime-monitor.md @@ -63,7 +63,7 @@ tools: bash: true microsoft/playwright: command: npx - args: ["-y", "@playwright/mcp@latest", "--headless"] + args: ["-y", "@playwright/mcp@0.0.68", "--headless"] env: DISPLAY: ":99" diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 5e7003c60..e968b3a51 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -16,7 +16,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -62,7 +68,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -121,7 +133,15 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + deb.debian.org:80 + github.com:443 + nodejs.org:443 + objects.githubusercontent.com:443 + registry.npmjs.org:443 + riksdagsmonitor.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -244,7 +264,10 @@ jobs: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Quality Check Summary run: | From 0fb0dc773a4c2753ba67c8c535ece179eb9446b6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 03:40:43 +0000 Subject: [PATCH 2/6] fix: address PR review comments on egress policy hardening - Fix step name: 'Harden the runner (Audit all outbound calls)' -> 'Harden Runner (block outbound calls)' - Change allowed-endpoints YAML from folded style (>) to literal style (|) in all 3 workflows - Add codeload.github.com:443 to all jobs using actions/checkout (9 jobs across 3 workflows) Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/javascript-testing.yml | 11 +++++++---- .github/workflows/lighthouse-ci.yml | 3 ++- .github/workflows/quality-checks.yml | 13 ++++++++----- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml index 29e9dd83c..86bcecf47 100644 --- a/.github/workflows/javascript-testing.yml +++ b/.github/workflows/javascript-testing.yml @@ -50,8 +50,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 @@ -98,8 +99,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 
@@ -145,9 +147,10 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 cdn.cypress.io:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 @@ -202,7 +205,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 github.com:443 diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index e07bdea2d..d520ee90c 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -30,8 +30,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index e968b3a51..d56fc5776 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -17,8 +17,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 @@ -69,8 +70,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 
@@ -134,8 +136,9 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 + codeload.github.com:443 deb.debian.org:80 github.com:443 nodejs.org:443 @@ -261,11 +264,11 @@ jobs: needs: [typescript-lint, html-validation, link-checker] if: always() steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner (block outbound calls) uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > + allowed-endpoints: | api.github.com:443 github.com:443 From 8bd49c136a64dc91ef708adee3252d4ea61669ad Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 11:22:11 +0000 Subject: [PATCH 3/6] fix: remove apt-get jq install and deb.debian.org:80 from egress allowlist jq is pre-installed on ubuntu-latest runners, so the explicit apt-get install step is unnecessary. Removing it also eliminates the plaintext HTTP egress to deb.debian.org:80, addressing the MITM/downgrade risk flagged in the security review. Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/quality-checks.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index cf19675d9..232f92c83 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -137,7 +137,6 @@ jobs: allowed-endpoints: | api.github.com:443 codeload.github.com:443 - deb.debian.org:80 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 
@@ -175,9 +174,6 @@ jobs: linkinator --version echo "✅ linkinator v6 installed successfully" - - name: Install jq - run: sudo apt-get update && sudo apt-get install -y jq - - name: Check internal links (static files) run: | echo "🔍 Starting local HTTP server for internal link checking..." From 647e3c0cf26f49bb38281868c6037b2a2c6e259e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:07:31 +0000 Subject: [PATCH 4/6] fix: switch allowed-endpoints from | to > and add missing external endpoints The Go agent v0.14.3 parses allowed_endpoints using SPACE as delimiter (the JS action appends the cache host via: confg.allowed_endpoints += ' hostname:443'). Using | (literal) style bundles all newline-separated entries into one invalid token, leaving only the cache host parsed. Switching back to > (folded) style produces space-delimited entries the agent can parse. Also adds: - data.riksdagen.se:443 + www.riksdagen.se:443 to link-checker - fonts.googleapis.com:443 + fonts.gstatic.com:443 to lighthouse-ci Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/javascript-testing.yml | 8 ++++---- .github/workflows/lighthouse-ci.yml | 4 +++- .github/workflows/quality-checks.yml | 10 ++++++---- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml index 86bcecf47..11d991400 100644 --- a/.github/workflows/javascript-testing.yml +++ b/.github/workflows/javascript-testing.yml @@ -50,7 +50,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 github.com:443 
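Review bot: The switch back to `>` is load-bearing — the commit message says the agent splits `allowed_endpoints` on whitespace — but nothing in the workflow records that, so a yamllint/Prettier pass or a later reviewer could reintroduce `|` and silently shrink the effective allowlist again. Add a comment above the key in each job, e.g. `# Keep folded (>) style: harden-runner splits this value on whitespace; literal (|) style breaks parsing`. The comment must sit above `allowed-endpoints:` and not inside the block scalar, since `#` inside a block scalar is literal and would be passed to the agent as an endpoint. A follow-up that verifies the parsed list against the job's harden-runner insights would confirm the fix took effect.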
@@ -99,7 +99,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 github.com:443 @@ -147,7 +147,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 cdn.cypress.io:443 codeload.github.com:443 @@ -205,7 +205,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 github.com:443 diff --git a/.github/workflows/lighthouse-ci.yml b/.github/workflows/lighthouse-ci.yml index d520ee90c..457ffb106 100644 --- a/.github/workflows/lighthouse-ci.yml +++ b/.github/workflows/lighthouse-ci.yml @@ -30,9 +30,11 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 + fonts.googleapis.com:443 + fonts.gstatic.com:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 232f92c83..12e1b1924 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -17,7 +17,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 github.com:443 @@ -69,7 +69,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 github.com:443 
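Review bot: The `Test Results Summary` job in javascript-testing.yml still lists `api.github.com:443` and `github.com:443`, while patch 6 of this series removes the identical list from the quality-checks summary job on the grounds that an echo-only job needs no egress. If this job's `run:` body (outside the hunk) is likewise only formatting output, drop the two lines here too so `block` with an empty allowlist reflects actual need; otherwise add a comment above the key naming the API call that requires them.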
@@ -134,14 +134,16 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 codeload.github.com:443 + data.riksdagen.se:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 registry.npmjs.org:443 riksdagsmonitor.com:443 + www.riksdagen.se:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -262,7 +264,7 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: | + allowed-endpoints: > api.github.com:443 github.com:443 From c620e77817866c1170633dd111642db74de60e15 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 12:43:45 +0000 Subject: [PATCH 5/6] fix: add missing external domains to link-checker allowed-endpoints Add all external domains linked from riksdagsmonitor.com that the linkinator external check would visit: - www.hack23.com:443 and www.linkedin.com:443 (per review comment) - cia.sourceforge.io:443, data.worldbank.org:443 - raw.githubusercontent.com:443, www.esv.se:443, www.val.se:443 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/quality-checks.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 12e1b1924..2a9416eb3 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
@@ -136,14 +136,21 @@ jobs: egress-policy: block allowed-endpoints: > api.github.com:443 + cia.sourceforge.io:443 codeload.github.com:443 data.riksdagen.se:443 + data.worldbank.org:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 + raw.githubusercontent.com:443 registry.npmjs.org:443 riksdagsmonitor.com:443 + www.esv.se:443 + www.hack23.com:443 + www.linkedin.com:443 www.riksdagen.se:443 + www.val.se:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 From 813c03ee9ffa0b01e0dc8f738404379384ba8ea5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 13:31:49 +0000 Subject: [PATCH 6/6] fix: tighten summary job allowlist and add download.cypress.io - Remove allowed-endpoints from summary job in quality-checks.yml: the job only runs echo commands and needs zero external network access - Add download.cypress.io:443 to multi-language-sanity Cypress job in javascript-testing.yml: Cypress binary downloads can originate from download.cypress.io as well as cdn.cypress.io Co-authored-by: pethers <1726836+pethers@users.noreply.github.com> --- .github/workflows/javascript-testing.yml | 1 + .github/workflows/quality-checks.yml | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/javascript-testing.yml b/.github/workflows/javascript-testing.yml index 11d991400..f9b81cd6d 100644 --- a/.github/workflows/javascript-testing.yml +++ b/.github/workflows/javascript-testing.yml @@ -151,6 +151,7 @@ jobs: api.github.com:443 cdn.cypress.io:443 codeload.github.com:443 + download.cypress.io:443 github.com:443 nodejs.org:443 objects.githubusercontent.com:443 diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 2a9416eb3..b3e5f4405 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
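Review bot: The link-checker allowlist now mirrors the site's outbound link targets (`www.linkedin.com`, `data.worldbank.org`, `www.val.se`, …), so any new external link in the HTML fails this job until the list is edited, and harden-runner matches on the host actually contacted, so a target that redirects to an unlisted host (a `www.` variant, for instance) is presumably still blocked at the redirect hop — confirm against the job's audit-mode insights. Either restrict linkinator's external check to an explicit set of hosts (`--skip` for the rest) or document the coupling with a comment above the key, e.g. `# Hosts below are link-checker targets: new outbound links in site content must be added here`.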
@@ -271,9 +271,6 @@ jobs: uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0 with: egress-policy: block - allowed-endpoints: > - api.github.com:443 - github.com:443 - name: Quality Check Summary run: |