
ci(github-action): switch harden-runner to block mode with explicit endpoint allowlists #266

Merged: skarllot merged 1 commit into main from ci/harden-runner-block-mode on Apr 4, 2026

Conversation

skarllot (Owner) commented Apr 4, 2026

Summary

  • Switches all 6 workflows' egress-policy from audit to block, enforcing outbound network restrictions instead of just logging them
  • Adds disable-sudo-and-containers: true to all workflows (except scorecard.yml, which uses disable-sudo: true)
  • Adds explicit allowed-endpoints tailored to each workflow's actual dependencies

Endpoint allowlists

Workflow               Notable inclusions
codeql.yml             .NET SDK, NuGet, GitHub/CodeQL, cert validation CAs
dotnet.yml             Same + Codecov, Keybase, Sentry (o26192), GCS
package.yml            *.nuget.org:443 wildcard covers both restore and push
create-tag.yml         Minimal: SDK download, NuGet (nbgv), GitHub
dependency-review.yml  api.deps.dev, api.securityscorecards.dev, GitHub
scorecard.yml          Scorecard APIs, sigstore, OSSF, *.github.com for sarif upload

Test plan

  • Open PR → verify the dependency-review and dotnet workflows pass in block mode
  • Check in the Actions tab that harden-runner reports no unexpected blocked endpoints
  • Merge to main → verify codeql, scorecard, and dotnet pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations to enforce stricter operational controls and restrict network access to essential services.

…ndpoint allowlists

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
coderabbitai Bot commented Apr 4, 2026

Walkthrough

Multiple GitHub Actions workflows are updated to enforce stricter runner security by switching egress policy from audit to block mode, disabling sudo and container capabilities, and explicitly allowlisting required external endpoints for each workflow.

Changes

Cohort / File(s): GitHub Actions Runner Hardening
  .github/workflows/codeql.yml, .github/workflows/create-tag.yml, .github/workflows/dependency-review.yml, .github/workflows/dotnet.yml, .github/workflows/package.yml, .github/workflows/scorecard.yml
Summary: Enforced stricter network security across all workflows by changing egress-policy from audit to block, adding disable-sudo-and-containers: true (or disable-sudo: true), and defining allowed-endpoints allowlists to restrict outbound traffic to only the external services each workflow needs.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hops of caution, walls grow tall,
Blocking exits, trusting none at all,
Only good endpoints on our list,
Security hardened with a cryptographic kiss! 🔐

Pre-merge checks: 3 passed

Check name          Status  Explanation
Title check         Passed  The title accurately and specifically describes the main change: switching harden-runner to block mode with explicit endpoint allowlists across all affected workflows.
Docstring Coverage  Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check   Passed  The pull request description provides comprehensive details covering the changes (egress-policy switch, disable-sudo/containers config), organized endpoint allowlists for each workflow, and a detailed test plan.


codecov Bot commented Apr 4, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.88%. Comparing base (731c0d1) to head (2f2567c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #266   +/-   ##
=======================================
  Coverage   88.88%   88.88%           
=======================================
  Files          19       19           
  Lines        1332     1332           
  Branches      101      101           
=======================================
  Hits         1184     1184           
  Misses        104      104           
  Partials       44       44           


coderabbitai Bot left a comment

Actionable comments posted: 3

Inline comments:
In .github/workflows/dotnet.yml:
- Around lines 29-49: The allowed-endpoints list for the CI job is missing the Azure Blob Storage host required by actions/cache; update the allowed-endpoints block to include the Azure Blob Storage endpoint (*.blob.core.windows.net:443) so the cache restore of ~/.nuget/packages can reach the blob backend; locate the allowed-endpoints entry in the workflow and add that host to the list.

In .github/workflows/package.yml:
- Around lines 24-38: The workflow's egress-policy is set to block, so the actions/cache step cannot reach the endpoints it needs; update the allowed-endpoints under the same block (the allowed-endpoints list controlled by egress-policy: block) to include results-receiver.actions.githubusercontent.com and *.blob.core.windows.net so the actions/cache restore/save can upload/download caches (i.e., add those two host entries to the allowed-endpoints list where the existing endpoints like github.com and *.nuget.org are defined).

In .github/workflows/scorecard.yml:
- Around lines 37-49: Update the allowed-endpoints list in the scorecard workflow configuration to include the GitHub Actions OIDC and Azure Blob artifact endpoints: add *.actions.githubusercontent.com (to allow token.actions.githubusercontent.com for id-token: write/OIDC) and *.blob.core.windows.net (for actions/upload-artifact uploads). Modify the block under the egress-policy/allowed-endpoints section so these two host patterns are present alongside the existing entries.
📥 Commits

Reviewing files that changed from the base of the PR and between 731c0d1 and 2f2567c.

📒 Files selected for processing (6)
  • .github/workflows/codeql.yml
  • .github/workflows/create-tag.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/dotnet.yml
  • .github/workflows/package.yml
  • .github/workflows/scorecard.yml
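The three findings above all reduce to one question: once egress-policy is block, does a workflow's allowed-endpoints value cover every host the job actually contacts? The Python below is an added example, not code from this PR or from the step-security/harden-runner project. It parses an allowlist in harden-runner's one host:port per line format, matches observed hosts against exact and *.wildcard entries, and reports what block mode would deny. The allowlist and the observed hosts are constructed to resemble package.yml and the actions/cache traffic CodeRabbit flagged (api.github.com and example.blob.core.windows.net are constructed names, not taken from the PR), and the matching rule (a *.domain entry covers subdomains but not the apex host) is an assumption about harden-runner's behaviour, not something the page states.

```python
"""Check a harden-runner allowed-endpoints value against the hosts a job reaches.

Added example; not code from this PR or from step-security/harden-runner.
Assumptions: the allowlist is the multi-line "host:port" text harden-runner
takes in its allowed-endpoints input, and a "*.example.com" entry matches any
subdomain of example.com but not example.com itself.
"""
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[int]]   # (host or *.wildcard, port or None for any)
Endpoint = Tuple[str, int]          # (host, port) a job was observed contacting


def parse_allowlist(text: str) -> List[Entry]:
    """Parse one "host" or "host:port" per line; blank lines are ignored.

    Hosts are lower-cased; a missing port is recorded as None (any port).
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if sep and port.isdigit():
            entries.append((host.lower(), int(port)))
        else:
            entries.append((line.lower(), None))
    return entries


def host_matches(pattern: str, host: str) -> bool:
    """Exact hostname match, or "*.domain" matching any subdomain of domain (assumed rule)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def is_allowed(entries: List[Entry], host: str, port: int) -> bool:
    """True if some allowlist entry covers host:port."""
    host = host.lower()
    return any(
        host_matches(pat, host) and (pat_port is None or pat_port == port)
        for pat, pat_port in entries
    )


def blocked_endpoints(allowlist_text: str, observed: List[Endpoint]) -> List[Endpoint]:
    """Endpoints from an observed set that egress-policy: block would deny."""
    entries = parse_allowlist(allowlist_text)
    return sorted({(h.lower(), p) for h, p in observed if not is_allowed(entries, h, p)})


# Constructed allowlist in the shape of package.yml's input (not the PR's actual file).
PACKAGE_ALLOWLIST = """
github.com:443
api.github.com:443
*.nuget.org:443
"""

# Constructed hosts an audit-mode run of a restore + actions/cache job might report.
OBSERVED: List[Endpoint] = [
    ("github.com", 443),
    ("api.nuget.org", 443),
    ("www.nuget.org", 443),
    ("results-receiver.actions.githubusercontent.com", 443),
    ("example.blob.core.windows.net", 443),
]

# The two hosts the review asked for, appended to the same list.
PACKAGE_ALLOWLIST_FIXED = PACKAGE_ALLOWLIST + """
results-receiver.actions.githubusercontent.com:443
*.blob.core.windows.net:443
"""


def main() -> None:
    for name, text in (("before", PACKAGE_ALLOWLIST), ("after", PACKAGE_ALLOWLIST_FIXED)):
        blocked = blocked_endpoints(text, OBSERVED)
        print(f"{name}: {len(blocked)} endpoint(s) would be blocked")
        for host, port in blocked:
            print(f"  {host}:{port}")


if __name__ == "__main__":
    main()
```

Run it before flipping audit to block, feeding it the hosts an audit-mode run reported. Two edge cases it makes visible: a port in the entry is enforced, so github.com:443 does not cover a plain-HTTP connection to the same host, and under the assumed wildcard rule an apex host such as nuget.org needs its own entry; confirm harden-runner's documented wildcard semantics rather than relying on that assumption.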

@skarllot skarllot merged commit 425e6ab into main Apr 4, 2026
7 checks passed
@skarllot skarllot deleted the ci/harden-runner-block-mode branch April 4, 2026 14:56