From 6b00e2753f2065109012043da01ddabac2c899b8 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Tue, 7 Apr 2026 18:51:11 +0100
Subject: [PATCH 1/4] Enforce egress filtering in dependency review workflow

---
 .github/workflows/dependency-review.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 7a3a3ff..1cf61c6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,7 +16,11 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ api.securityscorecards.dev:443
+ github.com:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Dependency review
From ee440f2122632045bd0c4ae7a03643baf48d48cc Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Tue, 7 Apr 2026 18:51:23 +0100
Subject: [PATCH 2/4] Enforce egress filtering in gitleaks workflow

---
 .github/workflows/gitleaks.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index d7a8489..8fa9aae 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -19,6 +19,15 @@ jobs:
 permissions:
 pull-requests: write
 steps:
+ - name: Harden runner
+ uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+ with:
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ github.com:443
+ objects.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
From 25bd69b450228ec88fcdb541cc0cc0fc28929801 Mon Sep 17 00:00:00 2001
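Review bot: The `allowed-endpoints` list in this hunk (and the ones added in the gitleaks, scorecard and test workflows in the following patches) gives no indication of which step needs which host, so when a pinned action is bumped and starts failing under `egress-policy: block`, nobody can tell which entry is stale or what the new one should be. A short comment above the key, e.g. `# github.com: checkout; api.github.com: dependency-review-action; api.securityscorecards.dev: Scorecard lookups made by the review action`, would keep the list maintainable (the attribution is inferred from the step names in the hunk — confirm against the action's documentation). The same comment could note that `block` drops any unlisted destination, which usually surfaces as a failed step, so endpoint changes in an action bump should be checked in `audit` mode first.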
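Review bot: The two `*.githubusercontent.com` hosts are the only entries in this list not shared with the other workflows, and nothing says what they serve; if it is the gitleaks binary that the scan step later in this job (outside the hunk) downloads from a GitHub release, state that: `# objects/release-assets.githubusercontent.com: gitleaks release binary fetched by the scan step`. Unlike the actions, which are pinned by commit SHA, that runtime download is constrained only by this allow-list, so the two hosts should stay exact rather than being widened to a pattern later. Also confirm that a step in this job actually needs `api.github.com`; the checkout step that follows only needs `github.com`.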
From: Marc Ransome
Date: Tue, 7 Apr 2026 18:51:40 +0100
Subject: [PATCH 3/4] Enforce egress filtering in OpenSSF Scorecard workflow

---
 .github/workflows/openssf-scorecard.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 684a5cc..d3ed04c 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -19,7 +19,20 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ api.deps.dev:443
+ api.github.com:443
+ api.osv.dev:443
+ api.scorecard.dev:443
+ api.securityscorecards.dev:443
+ fulcio.sigstore.dev:443
+ github.com:443
+ oss-fuzz-build-logs.storage.googleapis.com:443
+ prod.app-api.stepsecurity.io:443
+ rekor.sigstore.dev:443
+ tuf-repo-cdn.sigstore.dev:443
+ www.bestpractices.dev:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
From b0144ac89f2531edad70dffa985ba7d010b3196c Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Tue, 7 Apr 2026 18:52:10 +0100
Subject: [PATCH 4/4] Enforce egress filtering in unit tests workflow

---
 .github/workflows/test.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4956fbb..d90cca7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
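Review bot: `prod.app-api.stepsecurity.io:443` appears only in this workflow's list; the dependency-review, gitleaks and test lists omit it. Either the harden-runner agent reaches its own backend without being listed, in which case the entry is redundant here, or it does need listing and the other three jobs will break once they run in `block` mode — please confirm which and make the four lists consistent. The list also carries both `api.scorecard.dev` and `api.securityscorecards.dev`; if the second is a legacy hostname kept for a transition, a comment such as `# legacy hostname, drop once the scorecard action stops contacting it` would stop it being carried forever. The three sigstore hosts are presumably only used when results are published; tying them to that option in the scorecard step (outside the hunk) with a comment would help the next reader.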
@@ -23,7 +23,32 @@ jobs:
 - name: Harden runner
 uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
 with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ 0.pool.ntp.org:443
+ api.apple-cloudkit.com:443
+ calendars.icloud.com:443
+ configuration.apple.com:443
+ fbs.smoot.apple.com:443
+ formulae.brew.sh:443
+ gateway.icloud.com:443
+ gdmf.apple.com:443
+ ghcr.io:443
+ github.com:443
+ gsa.apple.com:443
+ gsp-ssl.ls.apple.com:443
+ gspe35-ssl.ls.apple.com:443
+ init.itunes.apple.com:443
+ ipcdn.apple.com:443
+ mask-api.icloud.com:443
+ mesu.apple.com:443
+ metrics.icloud.com:443
+ ocsp.sectigo.com:80
+ ocsp2.apple.com:443
+ pancake.apple.com:443
+ pkg-containers.githubusercontent.com:443
+ updates.cdn-apple.com:443
+ xp.apple.com:443
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install dependencies
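Review bot: `api.github.com:443` is present in the other three workflows but missing from this list, so any later step in test.yml that talks to the GitHub API will be blocked — the `Install dependencies` step and the rest of the job are outside the hunk, so confirm it is not needed or add it. `0.pool.ntp.org:443` is unlikely to do anything useful, since NTP is not served on TCP 443; it looks copied from an audit-mode report and should be confirmed or dropped. The long run of apple.com/icloud.com hosts reads like macOS runner background services rather than test dependencies; they are harmless to allow, but grouping them under a comment such as `# macOS system services seen in audit mode; not needed by the build` and keeping the build's own hosts (`formulae.brew.sh`, `ghcr.io`, `pkg-containers.githubusercontent.com`, `github.com`) in a separately annotated group would make future pruning safe.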