Merged
34 changes: 30 additions & 4 deletions .github/workflows/javascript-testing.yml
@@ -49,7 +49,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
codeload.github.com:443
github.com:443

Copilot AI Mar 1, 2026

actions/checkout typically downloads the repository archive from codeload.github.com (not github.com). With egress-policy: block, the checkout step can fail unless codeload.github.com:443 is included in allowed-endpoints for jobs that use actions/checkout.

Suggested change
github.com:443
github.com:443
codeload.github.com:443


Contributor Author

Fixed in 0fb0dc7 — added codeload.github.com:443 to every job that uses actions/checkout (3 jobs in quality-checks.yml, 3 in javascript-testing.yml, 1 in lighthouse-ci.yml).

nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
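Review bot: the six endpoints are added without any indication of which step needs which, and a harden-runner block surfaces in the dependent step as a generic connection or download error rather than as a policy message, so the next person to hit a failure has to reverse-engineer this list. Suggest a short YAML comment beside each group, for example that `codeload.github.com:443` serves `actions/checkout` (as the thread above established) and that `nodejs.org:443` and `registry.npmjs.org:443` serve the Node setup and install steps; those last two attributions are an assumption that should be confirmed against the audit-mode logs before merging.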
@@ -91,7 +98,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
codeload.github.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -132,7 +146,16 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
cdn.cypress.io:443
codeload.github.com:443
download.cypress.io:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
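Review bot: `cdn.cypress.io:443` and `download.cypress.io:443` are the only job-specific entries in this list, and both appear to serve the Cypress binary fetch, which typically happens only when the binary is not already cached on the runner; a stale allowlist here would therefore show up as an intermittent failure on cache misses rather than a consistent one. Worth a comment noting that a Cypress version bump must be checked against this list, and worth confirming in the harden-runner audit output that no other host was contacted during the binary install.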
@@ -182,7 +205,10 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443

- name: Test Results Summary
run: |
13 changes: 12 additions & 1 deletion .github/workflows/lighthouse-ci.yml
@@ -29,7 +29,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
codeload.github.com:443
fonts.googleapis.com:443
fonts.gstatic.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443
riksdagsmonitor.com:443
storage.googleapis.com:443

Copilot AI Mar 1, 2026

This job audits https://riksdagsmonitor.com, which loads Google Fonts (e.g. fonts.googleapis.com / fonts.gstatic.com as referenced in index.html). With egress-policy: block, those font requests will be blocked unless the domains are allowlisted, which can skew Lighthouse results (and potentially cause audit noise) compared to real user conditions. Consider adding fonts.googleapis.com:443 and fonts.gstatic.com:443 to allowed-endpoints (or alternatively self-host fonts and remove the external dependency).

Suggested change
storage.googleapis.com:443
storage.googleapis.com:443
fonts.googleapis.com:443
fonts.gstatic.com:443


Contributor Author

Added in 647e3c0: fonts.googleapis.com:443 and fonts.gstatic.com:443 are now in the Lighthouse job's allowed-endpoints.


- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
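Review bot: the thread above covers the fonts, but the underlying problem is general: with `egress-policy: block`, any resource the audited page loads that is not in this list is dropped by the runner and counted by Lighthouse as a failed request, so the scores now depend on this allowlist as much as on the site. Suggest a comment stating that this list must track the third-party hosts referenced from index.html, and a comment explaining what `storage.googleapis.com:443` is for, since it is the one entry here that is tied neither to the audited site nor to checkout and Node setup.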
2 changes: 1 addition & 1 deletion .github/workflows/news-article-generator.lock.yml

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion .github/workflows/news-article-generator.md
@@ -59,7 +59,7 @@ tools:
bash: true
microsoft/playwright:
command: npx
args: ["-y", "@playwright/mcp@latest", "--headless"]
args: ["-y", "@playwright/mcp@0.0.68", "--headless"]
env:
DISPLAY: ":99"

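Review bot: pinning `@playwright/mcp` to `0.0.68` removes the floating `latest` tag, which is the right direction, but `npx -y` still resolves and downloads the package and its transitive dependencies from the registry on each run, so a compromised or yanked transitive dependency would still reach the job. If the generator environment allows it, install the MCP server from a committed lockfile with `npm ci` instead. The matching `news-article-generator.lock.yml` above is listed as changed but not rendered; confirm it was regenerated from this `.md` source rather than hand-edited so the two stay in sync.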
2 changes: 1 addition & 1 deletion .github/workflows/news-evening-analysis.lock.yml

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion .github/workflows/news-evening-analysis.md
@@ -64,7 +64,7 @@ tools:
bash: true
microsoft/playwright:
command: npx
args: ["-y", "@playwright/mcp@latest", "--headless"]
args: ["-y", "@playwright/mcp@0.0.68", "--headless"]
env:
DISPLAY: ":99"

2 changes: 1 addition & 1 deletion .github/workflows/news-realtime-monitor.lock.yml

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion .github/workflows/news-realtime-monitor.md
@@ -63,7 +63,7 @@ tools:
bash: true
microsoft/playwright:
command: npx
args: ["-y", "@playwright/mcp@latest", "--headless"]
args: ["-y", "@playwright/mcp@0.0.68", "--headless"]
env:
DISPLAY: ":99"

44 changes: 36 additions & 8 deletions .github/workflows/quality-checks.yml
@@ -16,7 +16,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
codeload.github.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -61,7 +68,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
codeload.github.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -119,7 +133,24 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block
allowed-endpoints: >
api.github.com:443
cia.sourceforge.io:443
codeload.github.com:443
data.riksdagen.se:443
data.worldbank.org:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
raw.githubusercontent.com:443
registry.npmjs.org:443
riksdagsmonitor.com:443

Copilot AI Mar 1, 2026

The external link check runs linkinator against https://riksdagsmonitor.com/ and will attempt to validate outgoing links found on that page. With egress-policy: block, the current allowlist doesn’t include domains that are linked from the site (e.g. data.riksdagen.se / www.riksdagen.se), so those checks will be blocked and the resulting report will contain false failures. Either add the relevant external domains to allowed-endpoints for this job, or expand the --skip regex to exclude them so the report reflects real link issues rather than egress blocks.

Suggested change
riksdagsmonitor.com:443
riksdagsmonitor.com:443
data.riksdagen.se:443
www.riksdagen.se:443


Contributor Author

Added in 647e3c0: data.riksdagen.se:443 and www.riksdagen.se:443 are now in the link-checker's allowed-endpoints.

www.esv.se:443
www.hack23.com:443
www.linkedin.com:443
www.riksdagen.se:443

Copilot AI Mar 1, 2026

The link-checker job runs linkinator https://riksdagsmonitor.com/ and (per the current --skip regex) will attempt to validate external links on the homepage beyond the riksdagen.se domains (e.g., links to www.hack23.com and www.linkedin.com are present in index.html). With egress-policy: block, those requests will be blocked and inflate the external-links report with false failures. Either add the relevant domains (e.g., www.hack23.com:443, www.linkedin.com:443) to allowed-endpoints, or extend the --skip pattern to exclude them so the report reflects real link issues rather than egress blocks.

Suggested change
www.riksdagen.se:443
www.riksdagen.se:443
www.hack23.com:443
www.linkedin.com:443


Contributor Author

Fixed in c620e77 — added www.hack23.com:443 and www.linkedin.com:443 as requested, plus all other external domains linked from index.html that would be blocked: cia.sourceforge.io:443, data.worldbank.org:443, raw.githubusercontent.com:443, www.esv.se:443, and www.val.se:443.

www.val.se:443

- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
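Review bot: this allowlist now mirrors the external links on index.html (as the two threads above show), so every new outbound link added to the site will be reported as broken by linkinator until this list is updated, because a blocked connection and a dead link look identical in the report. Either document that coupling with a comment next to the list and the `--skip` regex, or run the external-link step under `egress-policy: audit` in a separate job so the link report stays a measure of the site rather than of the runner policy.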
@@ -152,9 +183,6 @@ jobs:
linkinator --version
echo "✅ linkinator v6 installed successfully"

- name: Install jq
run: sudo apt-get update && sudo apt-get install -y jq

- name: Check internal links (static files)
run: |
echo "🔍 Starting local HTTP server for internal link checking..."
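Review bot: dropping the `Install jq` step is consistent with the new block policy, since the Ubuntu apt mirrors are not in the allowlist and `apt-get update` would now fail, but the hunk does not show what replaces it. Confirm that the runner image used by this job ships `jq` and that any later step that calls it still passes; otherwise the failure simply moves from an explicit install step to wherever `jq` is first invoked.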
@@ -239,10 +267,10 @@ jobs:
needs: [typescript-lint, html-validation, link-checker]
if: always()
steps:
- name: Harden the runner (Audit all outbound calls)
- name: Harden Runner (block outbound calls)
uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
with:
egress-policy: audit
egress-policy: block

- name: Quality Check Summary
run: |
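Review bot: this job sets `egress-policy: block` with no `allowed-endpoints` at all, whereas the equivalent summary job in javascript-testing.yml above allows `api.github.com:443` and `github.com:443`. Either is defensible, but the difference should be deliberate: if the summary step only writes to `$GITHUB_STEP_SUMMARY`, the empty allowlist is correct and the other job could be tightened to match; if it calls the GitHub API, this step will now fail.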