Allow blocked connections to for labelling and OpenSSF Scorecard (#512)

### What kind of change does this PR introduce? * Fixes a definite typo that is preventing labelling * Unblocks a few connections for the scorecard workflow ### Does this PR introduce a breaking change? No.
Ouranosinc · Jan 21, 2025 · f7b0f73 · f7b0f73
2 parents 79c527e + 2117773
commit f7b0f73
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 1 deletion.
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
@@ -27,7 +27,7 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
-            api.github.com:44
+            api.github.com:443
 
       - name: Label Pull Request
         uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -36,10 +36,12 @@ jobs:
           disable-sudo: true
           egress-policy: block
           allowed-endpoints: >
+            api.deps.dev:443
             api.github.com:443
             api.osv.dev:443
             api.scorecard.dev:443
             api.securityscorecards.dev:443
+            auth.docker.io:443
             fulcio.sigstore.dev:443
             github.com:443
             index.docker.io:443

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -36,6 +36,7 @@ Internal changes
     * Secured token usages on all workflows (using `zizmor`).
     * Simplified logic in ``bump-version.yml``.
     * Synchronized a few dependencies.
+* Fixed a few socket blocks and configuration issues in the CI workflows. (:pull:`512`).
 
 v0.10.1 (2024-11-04)
 --------------------