
ci: update Testing workflow with harden-runner recommendations #4114

Merged (1 commit), May 10, 2024

Commits on May 7, 2024

  1. ci: update Testing workflow with harden-runner recommendations

    This commit updates the Testing workflow (testing.yml) using
    recommendations from Step Security's harden-runner action.
    Recommendations were taken from the most recent Testing workflow run
    (6232, see links below) where all jobs ran with only the 'Get Yesterday's
    cached database if today's is not available' step not running on
    relevant jobs.
    
    As harden-runner only runs on Ubuntu VMs, a job-level permission
    was added to the 'Windows long test' job to account for the removal of
    the top-level workflow permission.
    
    As the Build job has only recently been added, the `egress-policy` key
    has been left with the value `audit`. The harden-runner recommendations
    suggest changing the value to `block` after 10+ runs of the job.
    
    Reference issue intel#4111
    
    Testing workflow run 6232:
    https://github.com/intel/cve-bin-tool/actions/runs/8976788790/job/24654326627
    
    harden-runner recommendations:
    https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/8976788790?jobid=24654326273&tab=recommendations
    michaelwknott committed May 7, 2024 (commit ee1fe6e)
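To make the shape of the change concrete, the following is an added illustration of the workflow structure the commit message describes; it is not the cve-bin-tool project's actual `testing.yml`. It assumes a `long_tests_windows` job (a stand-in for the 'Windows long test' job), a `build` job, and one Ubuntu test job; the job names, action version tags and the `allowed-endpoints` list are assumptions used only to show where each setting lives.

```yaml
# Added illustration (not the project's own workflow file).
# Shows: no top-level permissions, per-job least-privilege permissions,
# harden-runner on Ubuntu jobs, and a job-level permissions block on the
# Windows job that cannot run harden-runner.
name: Testing

on: [push, pull_request]

# Deliberately no top-level `permissions:` key: each job declares the
# minimum it needs, so a new job cannot silently inherit broad scopes.

jobs:
  long_tests_linux:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2   # assumption: pin to a full commit SHA in practice
        with:
          # A job with a stable history of audit runs can move to `block`,
          # allowing only the endpoints the audit recommendations listed.
          egress-policy: block
          allowed-endpoints: >   # assumed list; take the real one from the audit report
            github.com:443
            api.github.com:443
            pypi.org:443
            files.pythonhosted.org:443
      - uses: actions/checkout@v4

  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          # Recently added job: stay in `audit` until enough runs (the
          # recommendations suggest 10+) have produced a stable endpoint list.
          egress-policy: audit
      - uses: actions/checkout@v4

  long_tests_windows:
    runs-on: windows-latest
    # harden-runner only supports Ubuntu runners, so this job gets an
    # explicit job-level permissions block to replace the removed
    # workflow-level one; without it the job would fall back to the
    # repository's default token permissions.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
```

The practical check after a change like this is to confirm every job still has an explicit `permissions:` block (GitHub shows the effective token scopes at the top of each job's log), and to keep any newly added job in `audit` until the harden-runner report for it stops adding endpoints.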